Sorry for the long response time, most of Cisco was closed for the winter break. In the future I’d recommend directly contacting support if you have a question you’d like a faster answer to as those get tracked through a ticketing system and they are able to see your account details.
To answer your original question, Duo SSO does not currently support OIDC but we are actively working on developing it. In the meantime, you can definitely use Cognito + SAML using Duo SSO, I’ve done this before myself. You’ll need to make sure to create a generic SAML service provider in the Duo Admin Panel.
Every time I open a support ticket it goes days and days and days and even weeks until I get some sort of initial reply. And other forum moderators said that it was better to ask here instead of opening support tickets or even contacting you guys by phone for tech support tickets (…).
Anyway… moving on.
Yes, I know that Cognito+SAML works. But what I’m trying to achieve is AWS ALB + Cognito + SAML. I’ve found documentation for Okta about AWS ALB + OIDC, hence my OIDC question here.
Having Cognito + Duo is well documented:
but when I put that user pool behind an AWS ALB (and I have other ALB’s working perfectly with Cognito + Google IdP) it just doesn’t work.
Do you know of any implementation with AWS ALB + Cognito + SAML? Or can you or someone else assist me in this? I can provide screenshots of every single part involved. I also tried to set up the Network Gateway but that requires tripling our monthly bill with you and, if we had to go to that point, we’d just go to Okta, because it would be cheaper ($7/user/month with Okta, $9/user/month with Duo).
Let me try to translate the documentation I have internally related to this when I tested it out. Please note this is from 2019 so some of the AWS settings might have changed. This assumes you have nothing in Cognito yet so feel free to skip over the steps you’ve already done.
Click Protect an Application and locate the entry for Generic Service Provider with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click Protect to the far-right to start configuring Generic Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You’ll need the information on the Generic Service Provider page under Metadata later.
Click Download XML under the metadata section to download the XML that will be used later.
On the Attributes page under How do you want your end users to sign in? make sure that Username is checked but that none of the sub-checkboxes are checked.
Under Which standard attributes do you want to require? make sure to uncheck the attribute email. NONE OF THESE SHOULD BE CHECKED. They cannot be changed later so if you mess this up you’ll have to delete the user pool and start over.
I had kind of the same already configured, but anyway began from scratch again following the guide you showed. At first it wasn’t working, but finally now I am able to use Duo + Cognito with an ALB.
It would be nice, anyway, to have OIDC because it makes the process much easier to set up.
Could I ask a follow-up question to this, as we just recently set up DUO generic SSO to Cognito as well? How can we configure the DUO generic SSO provider and Cognito so we can pass through which DUO groups a user is a member of? I can see “Role attributes” in DUO but I’m not sure what to put in that section nor what to put on the Cognito side.