From 375f1a6c0bd5952091b1bb4634faaabcb4ca126e Mon Sep 17 00:00:00 2001 From: kazuho cryer-shinozuka Date: Thu, 18 Apr 2024 07:06:47 +0900 Subject: [PATCH] feat(cognito): support provider details for `UserPoolIdentityProviderSaml` (#29588) ### Issue # (if applicable) Closes #29494. Closes #29598. #29598 is really close issue and I tried to resolve it in this PR. If it is not good to resolve multiple issues in 1 PR, I would separate this PR. ### Reason for this change [`UserPoolIdentityProviderSaml` can configure `ProviderDetails`](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#aws-resource-cognito-userpoolidentityprovider-properties) but there are some items that is not configurable from AWS CDK. - `EncryptedResponses` - `RequestSigningAlgorithm` - `IDPInit` ### Description of changes Add 3 properties to `UserPoolIdentityProviderSamlProps`. - `encryptedResponses` - `requestSigningAlgorithm` - `idpInitiated` ### Description of how you validated changes Added both unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../cdk.out | 2 +- ...l-identity-provider-saml-stack.assets.json | 6 +- ...identity-provider-saml-stack.template.json | 92 ++++++- .../integ.json | 2 +- ...efaultTestDeployAssert97F09C26.assets.json | 2 +- .../manifest.json | 40 ++- .../tree.json | 230 +++++++++++++++--- .../test/integ.user-pool-idp.saml.ts | 24 +- packages/aws-cdk-lib/aws-cognito/README.md | 24 ++ .../aws-cognito/lib/user-pool-idps/saml.ts | 38 +++ .../test/user-pool-idps/saml.test.ts | 74 +++++- 11 files changed, 472 insertions(+), 62 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/cdk.out index 8ecc185e9dbee..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"21.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.assets.json index 8e65975b437d9..02400adfcfaf4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.assets.json @@ -1,7 +1,7 @@ { - "version": "21.0.0", + "version": "36.0.0", "files": { - "6f6f07786415216f13b738979cec5ad81dbab3283fae83b99324965935cc1d60": { + "9797b1e65ff3b42f6779bb26ff6fa3e199e2d6e0f149c99ab0a95f8d51a6cf8c": { "source": { "path": "integ-user-pool-identity-provider-saml-stack.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "6f6f07786415216f13b738979cec5ad81dbab3283fae83b99324965935cc1d60.json", + "objectKey": "9797b1e65ff3b42f6779bb26ff6fa3e199e2d6e0f149c99ab0a95f8d51a6cf8c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.template.json index 56cb33a5c739f..f600a0b30e333 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ-user-pool-identity-provider-saml-stack.template.json @@ -34,9 +34,6 @@ "poolclient2623294C": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { - "UserPoolId": { - "Ref": "pool056F3F7E" - }, "AllowedOAuthFlows": [ "implicit", "code" @@ -54,10 +51,13 @@ ], "SupportedIdentityProviders": [ { - "Ref": "cdk52888317" + "Ref": "samlProvider6C4CC492" }, "COGNITO" - ] + ], + "UserPoolId": { + "Ref": "pool056F3F7E" + } } }, "pooldomain430FA744": { @@ -69,17 +69,93 @@ } } }, - "cdk52888317": { + "samlProvider6C4CC492": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { - "ProviderName": "cdk", + "ProviderDetails": { + "IDPSignout": false, + "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml", + "EncryptedResponses": true, + "RequestSigningAlgorithm": "rsa-sha256" + }, + "ProviderName": "provider", "ProviderType": "SAML", "UserPoolId": { "Ref": "pool056F3F7E" + } + } + }, + "poolForIdpInitiatedSaml8B7CB492": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "poolForIdpInitiatedSamlidpInitiatedClientACB7B7B4": { + "Type": "AWS::Cognito::UserPoolClient", + "Properties": { + "AllowedOAuthFlows": [ + "implicit", + "code" + ], + "AllowedOAuthFlowsUserPoolClient": true, + "AllowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "CallbackURLs": [ + "https://example.com" + ], + "SupportedIdentityProviders": [ + { + "Ref": "samlProviderIdpInitiatedA5C8CB58" + } + ], + "UserPoolId": { + "Ref": "poolForIdpInitiatedSaml8B7CB492" + } + } + }, + "samlProviderIdpInitiatedA5C8CB58": { + "Type": "AWS::Cognito::UserPoolIdentityProvider", + "Properties": { "ProviderDetails": { "IDPSignout": false, - "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml" + "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml", + "IDPInit": true + }, + "ProviderName": "IdPInitiatedProvider", + "ProviderType": "SAML", + "UserPoolId": { + "Ref": "poolForIdpInitiatedSaml8B7CB492" } } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ.json index eb9199222282a..2cc7e84baf753 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "21.0.0", + "version": "36.0.0", "testCases": { "integ-user-pool-identity-provider-saml-test/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integuserpoolidentityprovidersamltestDefaultTestDeployAssert97F09C26.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integuserpoolidentityprovidersamltestDefaultTestDeployAssert97F09C26.assets.json index 39aac6c49fa80..c86edbc26bfa9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integuserpoolidentityprovidersamltestDefaultTestDeployAssert97F09C26.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/integuserpoolidentityprovidersamltestDefaultTestDeployAssert97F09C26.assets.json @@ -1,5 +1,5 @@ { - "version": "21.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/manifest.json index dc88fad953da5..7284ab58e78c3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "21.0.0", + "version": "36.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "integ-user-pool-identity-provider-saml-stack.assets": { "type": "cdk:asset-manifest", "properties": { @@ -20,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integ-user-pool-identity-provider-saml-stack.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6f6f07786415216f13b738979cec5ad81dbab3283fae83b99324965935cc1d60.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9797b1e65ff3b42f6779bb26ff6fa3e199e2d6e0f149c99ab0a95f8d51a6cf8c.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -57,10 +52,28 @@ "data": "pooldomain430FA744" } ], - "/integ-user-pool-identity-provider-saml-stack/cdk/Resource": [ + "/integ-user-pool-identity-provider-saml-stack/samlProvider/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "samlProvider6C4CC492" + } + ], + "/integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "poolForIdpInitiatedSaml8B7CB492" + } + ], + "/integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml/idpInitiatedClient/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "poolForIdpInitiatedSamlidpInitiatedClientACB7B7B4" + } + ], + "/integ-user-pool-identity-provider-saml-stack/samlProviderIdpInitiated/Resource": [ { "type": "aws:cdk:logicalId", - "data": "cdk52888317" + "data": "samlProviderIdpInitiatedA5C8CB58" } ], "/integ-user-pool-identity-provider-saml-stack/SignInLink": [ @@ -97,6 +110,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integuserpoolidentityprovidersamltestDefaultTestDeployAssert97F09C26.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", @@ -130,6 +144,12 @@ ] }, "displayName": "integ-user-pool-identity-provider-saml-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/tree.json index 65caa4df4b09b..2621918b3e61d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.92" - } - }, "integ-user-pool-identity-provider-saml-stack": { "id": "integ-user-pool-identity-provider-saml-stack", "path": "integ-user-pool-identity-provider-saml-stack", @@ -53,7 +45,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPool", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", "version": "0.0.0" } }, @@ -67,9 +59,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", "aws:cdk:cloudformation:props": { - "userPoolId": { - "Ref": "pool056F3F7E" - }, "allowedOAuthFlows": [ "implicit", "code" @@ -87,20 +76,23 @@ ], "supportedIdentityProviders": [ { - "Ref": "cdk52888317" + "Ref": "samlProvider6C4CC492" }, "COGNITO" - ] + ], + "userPoolId": { + "Ref": "pool056F3F7E" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", "version": "0.0.0" } }, @@ -121,51 +113,179 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolDomain", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolDomain", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolDomain", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolDomain", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPool", + "fqn": "aws-cdk-lib.aws_cognito.UserPool", "version": "0.0.0" } }, - "cdk": { - "id": "cdk", - "path": "integ-user-pool-identity-provider-saml-stack/cdk", + "samlProvider": { + "id": "samlProvider", + "path": "integ-user-pool-identity-provider-saml-stack/samlProvider", "children": { "Resource": { "id": "Resource", - "path": "integ-user-pool-identity-provider-saml-stack/cdk/Resource", + "path": "integ-user-pool-identity-provider-saml-stack/samlProvider/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolIdentityProvider", "aws:cdk:cloudformation:props": { - "providerName": "cdk", + "providerDetails": { + "IDPSignout": false, + "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml", + "EncryptedResponses": true, + "RequestSigningAlgorithm": "rsa-sha256" + }, + "providerName": "provider", "providerType": "SAML", "userPoolId": { "Ref": "pool056F3F7E" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProvider", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPoolIdentityProviderSaml", + "version": "0.0.0" + } + }, + "poolForIdpInitiatedSaml": { + "id": "poolForIdpInitiatedSaml", + "path": "integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + }, + "idpInitiatedClient": { + "id": "idpInitiatedClient", + "path": "integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml/idpInitiatedClient", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-identity-provider-saml-stack/poolForIdpInitiatedSaml/idpInitiatedClient/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:props": { + "allowedOAuthFlows": [ + "implicit", + "code" + ], + "allowedOAuthFlowsUserPoolClient": true, + "allowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "callbackUrLs": [ + "https://example.com" + ], + "supportedIdentityProviders": [ + { + "Ref": "samlProviderIdpInitiatedA5C8CB58" + } + ], + "userPoolId": { + "Ref": "poolForIdpInitiatedSaml8B7CB492" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "samlProviderIdpInitiated": { + "id": "samlProviderIdpInitiated", + "path": "integ-user-pool-identity-provider-saml-stack/samlProviderIdpInitiated", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-identity-provider-saml-stack/samlProviderIdpInitiated/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolIdentityProvider", + "aws:cdk:cloudformation:props": { "providerDetails": { "IDPSignout": false, - "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml" + "MetadataURL": "https://fujifish.github.io/samling/public/metadata.xml", + "IDPInit": true + }, + "providerName": "IdPInitiatedProvider", + "providerType": "SAML", + "userPoolId": { + "Ref": "poolForIdpInitiatedSaml8B7CB492" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolIdentityProvider", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProvider", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolIdentityProviderSaml", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolIdentityProviderSaml", "version": "0.0.0" } }, @@ -173,13 +293,29 @@ "id": "SignInLink", "path": "integ-user-pool-identity-provider-saml-stack/SignInLink", "constructInfo": { - "fqn": "@aws-cdk/core.CfnOutput", + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-pool-identity-provider-saml-stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-pool-identity-provider-saml-stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } }, @@ -196,32 +332,58 @@ "path": "integ-user-pool-identity-provider-saml-test/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.92" + "version": "10.3.0" } }, "DeployAssert": { "id": "DeployAssert", "path": "integ-user-pool-identity-provider-saml-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-pool-identity-provider-saml-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-pool-identity-provider-saml-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } } }, "constructInfo": { - "fqn": "@aws-cdk/core.App", + "fqn": "aws-cdk-lib.App", "version": "0.0.0" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.ts index 318cf387434cc..2ab515b01448f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.saml.ts @@ -1,19 +1,22 @@ import { App, CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { Construct } from 'constructs'; -import { UserPool, UserPoolIdentityProviderSaml, UserPoolIdentityProviderSamlMetadata } from 'aws-cdk-lib/aws-cognito'; +import { UserPoolClientIdentityProvider, UserPool, UserPoolIdentityProviderSaml, UserPoolIdentityProviderSamlMetadata, SigningAlgorithm } from 'aws-cdk-lib/aws-cognito'; class TestStack extends Stack { constructor(scope: Construct, id: string) { super(scope, id); + // For SP initiated SAML const userpool = new UserPool(this, 'pool', { removalPolicy: RemovalPolicy.DESTROY, }); - new UserPoolIdentityProviderSaml(this, 'cdk', { + new UserPoolIdentityProviderSaml(this, 'samlProvider', { userPool: userpool, - name: 'cdk', + name: 'provider', metadata: UserPoolIdentityProviderSamlMetadata.url('https://fujifish.github.io/samling/public/metadata.xml'), + encryptedResponses: true, + requestSigningAlgorithm: SigningAlgorithm.RSA_SHA256, }); const client = userpool.addClient('client'); @@ -24,6 +27,21 @@ class TestStack extends Stack { }, }); + // For IdP initiated SAML + const userpoolForIdpInitiatedSaml = new UserPool(this, 'poolForIdpInitiatedSaml', { + removalPolicy: RemovalPolicy.DESTROY, + }); + + const idpInitiatedProvider = new UserPoolIdentityProviderSaml(this, 'samlProviderIdpInitiated', { + userPool: userpoolForIdpInitiatedSaml, + name: 'IdPInitiatedProvider', + metadata: UserPoolIdentityProviderSamlMetadata.url('https://fujifish.github.io/samling/public/metadata.xml'), + idpInitiated: true, + }); + userpoolForIdpInitiatedSaml.addClient('idpInitiatedClient', { + supportedIdentityProviders: [UserPoolClientIdentityProvider.custom(idpInitiatedProvider.providerName)], + }); + new CfnOutput(this, 'SignInLink', { value: domain.signInUrl(client, { redirectUri: 'https://example.com', diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index 198648577efaf..51bb622f97798 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -598,6 +598,30 @@ const provider = new cognito.UserPoolIdentityProviderGoogle(this, 'Google', { }); ``` +Using SAML identity provider is possible to use SAML metadata file content or SAML metadata file url. + +```ts +const userpool = new cognito.UserPool(this, 'Pool'); + +// specify the metadata as a file content +new cognito.UserPoolIdentityProviderSaml(this, 'userpoolIdpFile', { + userPool: userpool, + metadata: cognito.UserPoolIdentityProviderSamlMetadata.file('my-file-contents'), + // Whether to require encrypted SAML assertions from IdP + encryptedResponses: true, + // The signing algorithm for the SAML requests + requestSigningAlgorithm: cognito.SigningAlgorithm.RSA_SHA256, + // Enable IdP initiated SAML auth flow + idpInitiated: true, +}); + +// specify the metadata as a URL +new cognito.UserPoolIdentityProviderSaml(this, 'userpoolidpUrl', { + userPool: userpool, + metadata: cognito.UserPoolIdentityProviderSamlMetadata.url('https://my-metadata-url.com'), +}); +``` + Attribute mapping allows mapping attributes provided by the third-party identity providers to [standard and custom attributes](#Attributes) of the user pool. Learn more about [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html). diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts index a4d5bedd1051c..bb0e1d938eb38 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts @@ -35,6 +35,41 @@ export interface UserPoolIdentityProviderSamlProps extends UserPoolIdentityProvi * @default - false */ readonly idpSignout?: boolean; + + /** + * Whether to require encrypted SAML assertions from IdP. + * + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-encryption + * + * @default false + */ + readonly encryptedResponses?: boolean; + + /** + * The signing algorithm for SAML requests. + * + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-signing + * + * @default - don't sign requests + */ + readonly requestSigningAlgorithm?: SigningAlgorithm; + + /** + * Whether to enable IdP-initiated SAML auth flows. + * + * @default false + */ + readonly idpInitiated?: boolean; +} + +/** + * Signing algorithms for SAML requests. + */ +export enum SigningAlgorithm { + /** + * RSA with SHA-256. + */ + RSA_SHA256 = 'rsa-sha256', } /** @@ -99,6 +134,9 @@ export class UserPoolIdentityProviderSaml extends UserPoolIdentityProviderBase { IDPSignout: props.idpSignout ?? false, MetadataURL: metadataType === UserPoolIdentityProviderSamlMetadataType.URL ? metadataContent : undefined, MetadataFile: metadataType === UserPoolIdentityProviderSamlMetadataType.FILE ? metadataContent : undefined, + EncryptedResponses: props.encryptedResponses ?? undefined, + RequestSigningAlgorithm: props.requestSigningAlgorithm, + IDPInit: props.idpInitiated ?? undefined, }, idpIdentifiers: props.identifiers, attributeMapping: super.configureAttributeMapping(), diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts index e55fdafe45e14..c4f2d97a4c19c 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts @@ -1,6 +1,6 @@ import { Template, Match } from '../../../assertions'; import { Stack } from '../../../core'; -import { ProviderAttribute, UserPool, UserPoolIdentityProviderSaml, UserPoolIdentityProviderSamlMetadata } from '../../lib'; +import { ProviderAttribute, SigningAlgorithm, UserPool, UserPoolIdentityProviderSaml, UserPoolIdentityProviderSamlMetadata } from '../../lib'; describe('UserPoolIdentityProvider', () => { describe('saml', () => { @@ -86,6 +86,78 @@ describe('UserPoolIdentityProvider', () => { expect(pool.identityProviders).toContain(provider); }); + test('encryptedResponses', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'userpool'); + + // WHEN + new UserPoolIdentityProviderSaml(stack, 'userpoolidp', { + userPool: pool, + metadata: UserPoolIdentityProviderSamlMetadata.file('my-file-contents'), + encryptedResponses: true, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', { + ProviderName: 'userpoolidp', + ProviderType: 'SAML', + ProviderDetails: { + MetadataFile: 'my-file-contents', + IDPSignout: false, + EncryptedResponses: true, + }, + }); + }); + + test('siningRequests', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'userpool'); + + // WHEN + new UserPoolIdentityProviderSaml(stack, 'userpoolidp', { + userPool: pool, + metadata: UserPoolIdentityProviderSamlMetadata.file('my-file-contents'), + requestSigningAlgorithm: SigningAlgorithm.RSA_SHA256, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', { + ProviderName: 'userpoolidp', + ProviderType: 'SAML', + ProviderDetails: { + MetadataFile: 'my-file-contents', + IDPSignout: false, + RequestSigningAlgorithm: 'rsa-sha256', + }, + }); + }); + + test('ipdInitiated', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'userpool'); + + // WHEN + new UserPoolIdentityProviderSaml(stack, 'userpoolidp', { + userPool: pool, + metadata: UserPoolIdentityProviderSamlMetadata.file('my-file-contents'), + idpInitiated: true, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', { + ProviderName: 'userpoolidp', + ProviderType: 'SAML', + ProviderDetails: { + MetadataFile: 'my-file-contents', + IDPSignout: false, + IDPInit: true, + }, + }); + }); + test('attribute mapping', () => { // GIVEN const stack = new Stack();