Integrating Office 365 Logon

Hi, I’d be interested in how I can integrate Office 365 Login - either from Cognito or somehow from the outside. I wouldn’t like to use SAML and handle the password, but rather OAuth…

Anything?

Figured it out after reading 20+ blog posts and wading through tons of obstacles 🙂

Cognito SSO works with both SAML and OIDC (Open ID Connect).

The best description on using SAML was this one: https://www.idea11.com.au/how-to-set-up-aws-cognito-federation-office365/

It is slightly outdated though:

  • No need for PowerShell, the UI accepts the URLs now
  • It doesn’t say what you need to do in the frontend; more on that later

The best help for doing it with OIDC is found here: https://forums.aws.amazon.com/thread.jspa?threadID=287376&tstart=0

But I’ll restate the most important steps:

  • From Cognito / User Pool / Federation / Identity Providers add an OpenID Connect provider
  • Provider Name can be any name
  • Client ID is the GUID of the Azure AD application
  • Client Secret you have to create from your AD application’s Certificates & secrets section
  • Authorization scope should be: openid email https://graph.microsoft.com/user.read
  • The issuer in my case is https://sts.windows.net/TENANT_GUID (the Tenant or Directory GUID you can also find on your AD application overview)
  • Then hit Run discovery

Now you need to enable the provider in your Cognito App Client.

When the authentication is successful, your React app is opened on the configured callback URL. In order to get Amplify to give you an authorized session, you need to run this code:

await Auth.federatedSignIn(
  `cognito-idp.${config.cognito.REGION}.amazonaws.com/${config.cognito.USER_POOL_ID}`,
  // Amplify expects an absolute expiry in ms, not the relative expires_in seconds
  { token: id_token, expires_at: Date.now() + Number(expires_in) * 1000 }
);

For now I just handle things from Login.js. Hopefully I’ll find time to refactor.

useEffect(() => {
  async function onLoad() {
    // Cognito's implicit flow returns the tokens in the URL fragment
    const { access_token, id_token, expires_in } = qs.parse(window.location.hash);
    if (access_token) {
      setIsLoading(true);
      try {
        await Auth.federatedSignIn(
          `cognito-idp.${config.cognito.REGION}.amazonaws.com/${config.cognito.USER_POOL_ID}`,
          // Amplify expects an absolute expiry in ms, not the relative expires_in seconds
          { token: id_token, expires_at: Date.now() + Number(expires_in) * 1000 }
        );
        setIsLoading(false);
        props.userHasAuthenticated(true);
      } catch (e) {
        alert(e.message);
        setIsLoading(false);
      }
    }
  }

  onLoad();
}, []);

For query string parsing I use

import qs from "query-string";

which you’ll have to import using npm install query-string.

1 Like
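The callback handling from the post above, as an added example that is not part of the original post or of Amplify: it parses the Cognito hosted-UI fragment, converts the relative expires_in into the absolute expires_at that Auth.federatedSignIn wants, and rejects tokens with the wrong issuer or audience or that are already expired before they are handed to Amplify. REGION, USER_POOL_ID and APP_CLIENT_ID are placeholders; the sample JWT in the test is constructed and unsigned (signature verification is left to Cognito/Amplify).

```javascript
// Added example, not from the original post. Placeholder configuration:
const REGION = "eu-west-1";                 // placeholder
const USER_POOL_ID = "eu-west-1_EXAMPLE";   // placeholder
const APP_CLIENT_ID = "example-client-id";  // placeholder

const PROVIDER = `cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;
const ISSUER = `https://${PROVIDER}`;

// Decode a JWT payload WITHOUT verifying the signature. The signature is checked
// by Cognito/Amplify; this only lets us drop obviously wrong tokens early.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  const json = typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64);
  return JSON.parse(json);
}

// hash: window.location.hash, e.g. "#id_token=...&access_token=...&expires_in=3600"
// nowMs: current time in ms, injectable so the logic can be tested deterministically.
// Returns null when the fragment is not a login callback, throws on a bad token,
// otherwise returns what to pass to Auth.federatedSignIn(provider, { token, expires_at }).
function credentialsFromCallback(hash, nowMs = Date.now()) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const idToken = params.get("id_token");
  const accessToken = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!idToken || !accessToken || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    return null;
  }
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== ISSUER) throw new Error(`unexpected issuer ${claims.iss}`);
  if (claims.aud !== APP_CLIENT_ID) throw new Error("token not issued for this app client");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs) {
    throw new Error("id_token already expired");
  }
  // Amplify wants an absolute expiry in ms, not the relative expires_in seconds.
  return { provider: PROVIDER, token: idToken, expires_at: nowMs + expiresIn * 1000 };
}

// Usage in the React effect from the post:
//   const creds = credentialsFromCallback(window.location.hash);
//   if (creds) await Auth.federatedSignIn(creds.provider, { token: creds.token, expires_at: creds.expires_at });
```

After a successful sign-in, clear the fragment (e.g. history.replaceState) so the tokens do not linger in the address bar or browser history.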

Thank you for this! I know these are really hard to get working.