If the AWS Cognito ALB SP supports signing requests, then we don't have to add callback URLs (assertion consumer service). It doesn't mention how to provide the public key to the Stanford IdP.
Need to map eduPersonEntitlement (see here) and then authorize based on that.
Cognito might not be able to do authz because it doesn't support challenges for federated authn. But we can instead just return an error in the post-authn Lambda. Errors will cause authn to fail.
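A sketch of that post-authn Lambda, added here as an example and not taken from these notes or any existing project code. The attribute name `custom:entitlement`, the required value `example:app-users`, and the bracketed, URL-encoded form of a multi-valued attribute are all assumptions to check against the actual user-pool mapping.

```python
from urllib.parse import unquote_plus

# Assumptions (not from the original notes): the user-pool attribute that
# eduPersonEntitlement is mapped to, and the entitlement value required.
ENTITLEMENT_ATTR = "custom:entitlement"
REQUIRED_ENTITLEMENT = "example:app-users"  # placeholder value


def parse_entitlements(raw):
    """Split the mapped attribute into a set of entitlement strings.

    Assumes a multi-valued SAML attribute arrives flattened as "[v1, v2]"
    with URL-form-encoded values; a plain single value also works.
    """
    if not raw:
        return set()
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    return {unquote_plus(v.strip()) for v in raw.split(",") if v.strip()}


def lambda_handler(event, context):
    """Post-authentication trigger: raise to fail sign-in, return event to allow."""
    attrs = event.get("request", {}).get("userAttributes", {})
    granted = parse_entitlements(attrs.get(ENTITLEMENT_ATTR))
    # Exact match only: a substring test would let "example:app-users-test" pass.
    if REQUIRED_ENTITLEMENT not in granted:
        # A missing attribute (mapping not configured) is denied, not allowed.
        raise PermissionError("User is not entitled to use this application")
    return event


# Constructed sample events, shaped like the trigger's input.
ALLOWED_EVENT = {"userName": "idp_alice", "request": {"userAttributes": {
    ENTITLEMENT_ATTR: "[example%3Aother, example%3Aapp-users]"}}}
DENIED_EVENT = {"userName": "idp_bob", "request": {"userAttributes": {
    ENTITLEMENT_ATTR: "[example%3Aapp-users-test]"}}}
```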
Resources:
Steps: