c6fc / npk

A mostly-serverless distributed hash cracking platform

Amazon Cognito will enforce SAML verification checks #87

Open JRodriguez556 opened 1 year ago

JRodriguez556 commented 1 year ago

Received an email from AWS stating that Cognito SAML responses will need to be modified.

We use NPK with SSO for authentication. Is this a change that should:

[A] Be made within SSO provider?
[B] Be made within the npk-settings.json?
[C] Be made within AWS Cognito Directly?
[D] Be made within the NPK code?

Thank you.

Below is the full message from AWS.

In July 2023, we notified you that Amazon Cognito would begin enforcing verification checks in the SAML federation feature to enhance filtering for higher risk traffic [1]. At that time, we notified you that your application is sending traffic that does not meet the requirements for SAML federation and that you needed to make changes to avoid disruption before September 1, 2023. We are writing to inform you that this date will now be extended to January 31, 2024.

As a reminder, Amazon Cognito will begin rejecting SAML responses unless they include the following:

* An audience constraint to restrict the usage of the SAML assertion to a particular User Pool in Cognito.
* An InResponseTo element in the Response attribute that matches the ID sent in the original authentication request.
* A SubjectConfirmationData attribute with a recipient set to your User Pool.
* An InResponseTo element in the above SubjectConfirmationData attribute that matches the ID sent by Cognito in the SAML request.

We have identified that your account is using the Cognito User Pools service with SAML federation, and your SAML identity provider is sending responses that do not meet one or more of the above requirements to Cognito. To prevent disruption in your service, we strongly recommend that you perform the following steps before January 31, 2024. You do not have to wait until this date to complete them.

1. Locate the User Pools in the 'Affected resources' tab of your Personal Health Dashboard in the AWS console. Identify the SAML identity provider(s) configured in each of these User Pools.

2. Ensure all SAML responses by the SAML identity provider made to Cognito contain an audience restriction [2] as follows:

<saml:AudienceRestriction>
    <saml:Audience>urn:amazon:cognito:sp:yourUserPoolID</saml:Audience>
</saml:AudienceRestriction>

3. Ensure all SAML responses contain an InResponse element in the Response object that matches the request ID in the authentication request as in the following example:

<samlp:Response ... InResponseTo="originalSAMLrequestId">

4. Ensure that a SubjectConfirmationData attribute has a Recipient and InResponse values set as follows:

<saml:SubjectConfirmation>
       <saml:SubjectConfirmationData ... Recipient="https://youruserpooldomain/saml2/idpresponse"
          InResponseTo="originalSAMLrequestId"/>
</saml:SubjectConfirmation>

If you will be unable to complete these changes by January 31, 2024, please open a support ticket with your AWS account ID and your User Pool ID.

If you require further assistance, reach out to AWS Support [3].

Sincerely,
Amazon Web Services
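To make the four requirements in the AWS notice concrete, here is an added pre-flight check that is not part of the NPK project or of the original issue. It parses a SAML Response and reports which of the four Cognito checks (Response InResponseTo, AudienceRestriction, SubjectConfirmationData Recipient, SubjectConfirmationData InResponseTo) it would fail, so an operator can inspect what the IdP is actually sending before the enforcement date. The user pool ID, domain, request ID and both sample responses are constructed placeholders; XML signature verification is assumed to happen elsewhere and is not done here.

```python
"""Report which of the four Cognito SAML requirements a Response fails.

Added example, not NPK code. Signature verification is assumed to be done
separately; on a real endpoint use a hardened parser (e.g. defusedxml).
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed placeholders: not a real user pool, domain or AuthnRequest.
USER_POOL_ID = "us-east-1_EXAMPLE"
USER_POOL_DOMAIN = "npk-example.auth.us-east-1.amazoncognito.com"
REQUEST_ID = "_npk-example-authnrequest-id"


def check_cognito_saml_response(xml_text, user_pool_id, user_pool_domain, request_id):
    """Return the list of failed checks; an empty list means all four pass."""
    expected_audience = f"urn:amazon:cognito:sp:{user_pool_id}"
    expected_recipient = f"https://{user_pool_domain}/saml2/idpresponse"
    failures = []

    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]

    # (1) Response/@InResponseTo must echo the AuthnRequest ID Cognito issued.
    if root.get("InResponseTo") != request_id:
        failures.append("Response InResponseTo")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("Assertion missing")
        return failures

    # (2) AudienceRestriction must name this user pool's SP URN.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        failures.append("AudienceRestriction")

    # (3) SubjectConfirmationData/@Recipient must be the pool's idpresponse URL
    # (4) and its InResponseTo must also echo the AuthnRequest ID.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("SubjectConfirmationData missing")
    else:
        if scd.get("Recipient") != expected_recipient:
            failures.append("SubjectConfirmationData Recipient")
        if scd.get("InResponseTo") != request_id:
            failures.append("SubjectConfirmationData InResponseTo")
    return failures


# Constructed sample: a response carrying all four required fields.
COMPLIANT = f"""
<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2023-08-16T15:25:00Z" InResponseTo="{REQUEST_ID}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-08-16T15:25:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://{USER_POOL_DOMAIN}/saml2/idpresponse"
            InResponseTo="{REQUEST_ID}" NotOnOrAfter="2023-08-16T15:30:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:{USER_POOL_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: the older shape the notice warns about, with none of the four.
LEGACY = f"""
<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r2" Version="2.0"
    IssueInstant="2023-08-16T15:25:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2023-08-16T15:25:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-08-16T15:30:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(name, check_cognito_saml_response(
            doc, USER_POOL_ID, USER_POOL_DOMAIN, REQUEST_ID) or "OK")
```

Run against a response captured from your IdP (with your real pool ID, domain and the AuthnRequest ID from the matching request), an empty list means the four fields are present; each string in the list names the bullet from the notice that is still missing, which tells you whether the fix belongs on the IdP side (audience and recipient configuration) or in how the IdP echoes the request ID.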

c6fc commented 1 year ago

Interesting, this is the first I've seen of it. Weird that I didn't get one across any of my SAML deployments. Thanks for raising it.

At a glance, it looks like this might massively complicate SAML deployments, but I'll have to try to develop a fix before we'll know for sure.

On Wed, Aug 16, 2023 at 3:25 PM JRodriguez556 wrote:

Received an email from AWS stating that Cognito SAML responses will need to be modified.

We use NPK with SSO for authentication. Is this a change that should:

[A] Be made within SSO provider?
[B] Be made within the npk-settings.json?
[C] Be made within AWS Cognito Directly?
[D] Be made within the NPK code?

Thank you.

-- Brad Woodward AWS PSA+SCS, OSCP, OSCE, MCITP, MCSA, CISSP-ISSAP, CRISC, CPSA, CRT
@bradwoodward_io