Streamlined User Access: Integrating AWS Cognito With Microsoft Active Directory For Federated Login
Preface
This post explores how AWS Cognito can be integrated with Microsoft Active Directory to create a secure, federated login experience. We’ll cover real-world challenges that businesses face when juggling multiple authentication systems, then walk through a practical implementation using a fictitious organisation—Georgiou’s Gateways. Readers can expect to learn why a centralised identity management approach boosts security and efficiency, plus get a concise, step-by-step guide to achieving seamless federated login.
Introduction
To illustrate this solution in a clear, hands-on way, let’s consider a fictitious organisation called Georgiou’s Gateways. This company operates various internal tools, portals, and services for its employees. However, the problem is that each system requires separate login credentials. Password fatigue, repeated logins, and inconsistent access controls are causing headaches for both users and administrators, impacting overall security and productivity.
Centralising user identity through AWS Cognito—backed by Microsoft Active Directory—solves these problems elegantly. By giving employees a single set of credentials, the organisation ensures consistent security policies, reduces repetitive logins, and streamlines administration of user permissions.
Why
1. Enhanced Security
When each system requires separate credentials, staff tend to reuse or simplify passwords, heightening the risk of security breaches. A federated login setup enforces consistent password policies and robust access control across all systems.
2. Improved User Experience
Repeated prompts for logins sap productivity and lead to frustration. With AWS Cognito serving as a central authority, users enjoy frictionless single sign-on (SSO) across different internal tools.
3. Reduced Administrative Overheads
Managing user accounts in multiple silos is inefficient and prone to errors. By integrating with Active Directory—an existing identity management solution—administrators can swiftly grant or revoke access from one location, ensuring the right people have the right permissions at the right time.
Build Example
Below is a concise roadmap of how Georgiou’s Gateways integrated AWS Cognito with their on-premises Active Directory:
Step 1: Create an AWS Cognito User Pool
Acts as the directory that governs sign-ups, logins, and user info.
Step 2: Enable Federated Login
Connect AWS Cognito to Microsoft Active Directory (for instance via SAML 2.0, with Azure AD acting as the identity provider), allowing users to access multiple systems with one set of credentials.
Step 3: Set Up Single Sign-On (SSO)
Configure AWS Cognito to trust Active Directory as the identity provider. Users sign in once to AD and can then access various AWS-hosted applications seamlessly.
Step 4: Establish Consistent Access Control Policies
Map your Active Directory groups and attributes to AWS Cognito user attributes, ensuring uniform rules and permissions across your estate.
Step 5: Test and Iterate
Validate the login flow thoroughly: check that credentials are accepted, sessions are handled securely, and user attributes map correctly in the federated environment.
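One concrete way to carry out Step 5 is to inspect the ID token Cognito returns after a federated sign-in. The following is an added example, not code from the original post: it checks the claims a Cognito ID token for a SAML user should carry (issuer, audience, token type, expiry, the `identities` claim naming the upstream provider, and the mapped attributes). The region, user pool id and app client id are placeholders; the sample claims are constructed to resemble a Cognito ID token. Signature verification against the pool's JWKS is shown separately and uses PyJWT, which is assumed to be installed only for that step.

```python
"""Validate the claims of a Cognito ID token issued for a federated (SAML) user.

Added example, not from the original post. REGION, USER_POOL_ID and
APP_CLIENT_ID are placeholders to substitute; SAMPLE_GOOD_CLAIMS is constructed.
"""
import time
from typing import List, Optional

REGION = "eu-west-2"                    # placeholder
USER_POOL_ID = "eu-west-2_EXAMPLEPOOL"  # placeholder
APP_CLIENT_ID = "example-app-client-id" # placeholder
SAML_PROVIDER_NAME = "MicrosoftAzure"   # matches provider_name in the Terraform
REQUIRED_ATTRIBUTES = ("email", "given_name", "family_name")


def expected_issuer(region: str, user_pool_id: str) -> str:
    # Cognito user pools issue tokens with this issuer format.
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def validate_federated_id_claims(claims: dict, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the claims pass.

    Run this only AFTER the RS256 signature has been verified against the pool's
    JWKS (see verify_signature): claims in an unverified token are untrusted input.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer(REGION, USER_POOL_ID):
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud does not match this app client")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (an access token was presented?)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    # Federated users carry an `identities` claim naming the upstream IdP.
    identities = claims.get("identities") or []
    if not identities:
        problems.append("no identities claim: native Cognito user, not federated")
    else:
        ident = identities[0]
        if ident.get("providerName") != SAML_PROVIDER_NAME or ident.get("providerType") != "SAML":
            problems.append(f"unexpected identity provider {ident!r}")
    # Attribute mapping check: the SAML claims should have landed in standard attributes.
    for attr in REQUIRED_ATTRIBUTES:
        if not claims.get(attr):
            problems.append(f"mapped attribute {attr!r} is missing or empty")
    return problems


def verify_signature(token: str) -> dict:
    """Verify the RS256 signature against the pool's JWKS and return the claims.

    Uses PyJWT (pip install "pyjwt[crypto]"), imported lazily so the claim checks
    above run without it. Needs network access to fetch the JWKS document.
    """
    import jwt  # PyJWT

    issuer = expected_issuer(REGION, USER_POOL_ID)
    signing_key = jwt.PyJWKClient(issuer + "/.well-known/jwks.json").get_signing_key_from_jwt(token)
    return jwt.decode(token, signing_key.key, algorithms=["RS256"],
                      audience=APP_CLIENT_ID, issuer=issuer)


# Constructed sample claims shaped like a Cognito ID token for a SAML user.
SAMPLE_GOOD_CLAIMS = {
    "iss": expected_issuer(REGION, USER_POOL_ID),
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "exp": 1_900_000_000,
    "identities": [{"providerName": SAML_PROVIDER_NAME, "providerType": "SAML",
                    "userId": "ana@georgiou.example", "primary": "true"}],
    "email": "ana@georgiou.example",
    "given_name": "Ana",
    "family_name": "Georgiou",
}

if __name__ == "__main__":
    print(validate_federated_id_claims(SAMPLE_GOOD_CLAIMS, now=1_700_000_000))
```

Feeding the validator a token whose `identities` claim is absent, or whose `token_use` is `access`, produces a specific finding rather than a silent pass, which is what makes it useful as a regression check while iterating on the attribute mapping.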
Practical Terraform Example
Below is a simplified Terraform snippet that highlights the key elements:
```hcl
# Metadata document published by the Azure AD enterprise application; Cognito
# reads the IdP signing certificate and endpoints from it.
variable "microsoft_azure_xml_url" {
  type        = string
  description = "SAML federation metadata URL of the Azure AD enterprise application"
}

# The user pool is the directory that holds the federated user profiles.
resource "aws_cognito_user_pool" "georgiou-user-pool" {
  name = "georgiou-user-pool"
}

# Public app client (no secret) using the authorization-code flow via the hosted UI.
resource "aws_cognito_user_pool_client" "georgiou-user-pool-client" {
  name         = "georgiou-user-pool-client"
  user_pool_id = aws_cognito_user_pool.georgiou-user-pool.id

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["email", "openid", "profile", "phone"]

  # Reference the provider resource rather than a bare string so Terraform creates
  # the identity provider before the client that depends on it.
  supported_identity_providers = [aws_cognito_identity_provider.georgiou_identity_provider.provider_name]

  # Cognito only redirects to URLs listed here; keep the list exact and HTTPS-only.
  callback_urls   = ["https://georgiou.website.com/callback"]
  logout_urls     = ["https://georgiou.website.com/logout"]
  generate_secret = false
}

# Hosted sign-in domain: https://georgiou-leightonlabs.auth.<region>.amazoncognito.com
resource "aws_cognito_user_pool_domain" "georgiou_leightonlabs_domain" {
  domain       = "georgiou-leightonlabs"
  user_pool_id = aws_cognito_user_pool.georgiou-user-pool.id
}

# Azure AD registered as a SAML identity provider for the pool.
resource "aws_cognito_identity_provider" "georgiou_identity_provider" {
  user_pool_id  = aws_cognito_user_pool.georgiou-user-pool.id
  provider_name = "MicrosoftAzure"
  provider_type = "SAML"

  provider_details = {
    "IDPInit"                 = "true"
    "IDPSignout"              = "true"
    "EncryptedResponses"      = "false"
    "MetadataURL"             = var.microsoft_azure_xml_url
    "RequestSigningAlgorithm" = "rsa-sha256"
  }

  # Map the Azure AD claim URIs onto Cognito's standard user attributes.
  attribute_mapping = {
    "email"       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    "given_name"  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    "family_name" = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    "name"        = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  }
}
```
In this configuration:
- Cognito User Pool handles the user directory.
- Cognito User Pool Client defines the OAuth scopes, the authorization-code flow, and the exact callback and logout URLs Cognito will redirect to, so tokens are only ever delivered to the registered application.
- Cognito Domain provides a user-friendly, organisation-branded sign-in domain.
- Cognito Identity Provider references Microsoft Azure AD as a SAML provider, mapping attribute claims into Cognito attributes for a seamless user profile experience.
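The four resources above come together in the authorization request the application sends users to. The following is an added example, not part of the original post or its Terraform: it assembles the hosted-UI `/oauth2/authorize` request for the `MicrosoftAzure` provider and the callback URL from the configuration above, adds a PKCE code challenge (which matters because the client has `generate_secret = false`, i.e. it is a public client), and checks the redirect back before the code is exchanged. The region and app client id are placeholders.

```python
"""Build the Cognito hosted-UI authorization request for the SAML provider, with PKCE.

Added example, not from the original post. DOMAIN_PREFIX, PROVIDER_NAME and
CALLBACK_URL come from the Terraform above; REGION and APP_CLIENT_ID are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REGION = "eu-west-2"                     # placeholder: region of the user pool
DOMAIN_PREFIX = "georgiou-leightonlabs"  # aws_cognito_user_pool_domain.domain
APP_CLIENT_ID = "example-app-client-id"  # placeholder: id of the user pool client
PROVIDER_NAME = "MicrosoftAzure"         # aws_cognito_identity_provider.provider_name
CALLBACK_URL = "https://georgiou.website.com/callback"
SCOPES = ("openid", "email", "profile", "phone")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters, inside the 43..128 range of RFC 7636.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def hosted_ui_base(region: str, domain_prefix: str) -> str:
    # Hostname of the Cognito-hosted domain created by aws_cognito_user_pool_domain.
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def build_authorize_url(code_verifier: str, state: str) -> str:
    """Authorization-code request that sends the user straight to the SAML IdP.

    PKCE binds the later token exchange to the browser session that started it;
    `state` is a per-session random value the callback handler must compare.
    """
    params = {
        "response_type": "code",
        "client_id": APP_CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(SCOPES),
        "identity_provider": PROVIDER_NAME,   # skip the Cognito chooser page
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(code_verifier),
    }
    return hosted_ui_base(REGION, DOMAIN_PREFIX) + "/oauth2/authorize?" + urlencode(params)


def callback_is_valid(redirect_url: str, expected_state: str) -> bool:
    """Accept the redirect back from Cognito only if it targets our registered
    callback, echoes our state value, and carries an authorization code."""
    parsed = urlparse(redirect_url)
    query = parse_qs(parsed.query)
    same_target = f"{parsed.scheme}://{parsed.netloc}{parsed.path}" == CALLBACK_URL
    return same_target and query.get("state") == [expected_state] and "code" in query


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url(verifier, state))
```

The `code_verifier` is kept server-side (or in the browser session) and sent with the code to `/oauth2/token`; Cognito recomputes the S256 challenge and rejects a code that was not issued for that verifier.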
Conclusion
By centralising identity management with AWS Cognito and Microsoft Active Directory, Georgiou’s Gateways has eliminated the chaos of multiple logins, reduced security vulnerabilities, and significantly improved user productivity. For organisations seeking to streamline authentication while enhancing security, adopting a federated login approach delivers:
- Strong Security Posture – Enforced corporate password policies and reduced credential sprawl.
- Boosted Efficiency – Faster access to multiple apps via a single set of credentials.
- Simplified Administration – Central management of user accounts and group policies.
- Scalability – A flexible infrastructure that accommodates future growth or new applications.
By addressing both usability and security, federated login isn’t just a technical upgrade; it’s a strategic investment that pays off in productivity gains and robust data protection.