AWS Cognito - create groups from ADFS as Cognito Groups

Front end · Unresolved · 2 · 1566
梦如初夏 2021-01-06 04:36

An app is communicating via the Open ID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is e

2 answers
  •  慢半拍i (original poster)
     2021-01-06 04:58

    I had the same issue, and I have not found a static mapping option in Cognito either.

    The only way I see is to map the AD groups to custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" lambda trigger. The lambda reads the value of the custom:adgroups and manually overrides the user's Cognito groups.

    NB - this does not change the Cognito user's group permanently, only for the current session, but from the application perspective that's exactly what I needed.

    Please see a dummy static (non-conditional) ADMIN group assignment example here:

    import json

    def lambda_handler(event, context):
        print(f'incoming event: {json.dumps(event)}')

        # manual cognito group override: only for tokens issued via the hosted UI sign-in
        if event['triggerSource'] == "TokenGeneration_HostedAuth":
            event['response'] = {
                "claimsOverrideDetails": {
                    "groupOverrideDetails": {
                        "groupsToOverride": [
                            "ADMIN"
                        ]
                    }
                }
            }

        return event


    More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
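The conditional version of the approach above, as an added example that is not part of the answer or of AWS's own code: the trigger reads `custom:adgroups`, maps the AD groups through an explicit allow-list, and overrides only with the groups that list permits. It assumes ADFS sends unqualified group names (no DN commas), that Cognito stores the multi-valued SAML attribute as a single `"[a, b]"` string, and the constructed mapping `AD_TO_COGNITO_GROUPS`.

```python
# Constructed allow-list (assumption, not from the post): ADFS group name ->
# Cognito group name. Any AD group not listed here grants nothing.
AD_TO_COGNITO_GROUPS = {
    "App-Admins": "ADMIN",
    "App-Users": "USER",
}


def parse_adgroups(raw):
    """Split the custom:adgroups attribute value into individual group names.

    Assumes the multi-valued SAML attribute arrives as one string rendered as
    "[App-Admins, App-Users]"; a plain comma-separated string is accepted too.
    """
    if not raw:
        return []
    value = raw.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [g.strip() for g in value.split(",") if g.strip()]


def cognito_groups_for(ad_groups):
    """Return the sorted, de-duplicated Cognito groups the allow-list permits."""
    return sorted({AD_TO_COGNITO_GROUPS[g] for g in ad_groups if g in AD_TO_COGNITO_GROUPS})


def lambda_handler(event, context):
    # Same trigger source as the original answer; other sources pass through unchanged.
    if event.get("triggerSource") != "TokenGeneration_HostedAuth":
        return event

    attrs = event.get("request", {}).get("userAttributes", {})
    groups = cognito_groups_for(parse_adgroups(attrs.get("custom:adgroups")))

    # groupsToOverride replaces the user's groups in this token only, so a user
    # whose AD groups are all unmapped is issued no mapped group claim at all.
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {"groupsToOverride": groups}
        }
    }
    return event
```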
