0
votes

I've come here with a problem with AWS Cognito where I use Okta as IdP using SAML protocol.

I configured everything using this one documentation https://aws.amazon.com/premiumsupport/knowledge-center/cognito-okta-saml-identity-provider/

At Okta there is an integrated AD, from which we get users. Everything is OK: when I send a request for a token to Cognito, I get the access token, ID token and token type. After that, in the Cognito User Pool an "external user" is created with a specific prefix, which is the name of the IdP saved in Cognito. The problem occurs when I delete every cookie and try to send the token request one more time with the same credentials as before. After this step I get this error every time: Error: server_error: {"error_description":"Error+in+SAML+response+processing:+Invalid+user+attributes:+email:+Attribute+cannot+be+updated.+","error":"server_error"}

I am using Postman to get the token via the "Authorization" tab with the type set to OAuth 2.0. All properties are fine, but I don't know why I get that error every time after the first successfully requested token (or after 1 hour, when the current token expires).


1 Answer

0
votes

OK, probably I found a solution. When I created Cognito from the AWS UI, everything works fine, while after creating Cognito from Terraform something doesn't work, but all settings and properties are equal to those of the Cognito created by hand.

The thing I changed is the way the schema is added to the Cognito User Pool, from this:

schema = {
  attribute_data_type = "String",
  name = "email",
  required = true
}

to this:

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true   # lets Cognito update the value on later federated logins
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      min_length = 7
      max_length = 256
    }
  }

I think the mutable property is important. Without this property, Terraform thinks that the state of this service has changed, and every tf apply wants to destroy the service where in reality nothing has changed.
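For context, here is the resource pair the fix above sits in, as an added example rather than the answerer's own code: the user pool with the mutable email attribute, next to the SAML identity provider whose attribute mapping rewrites that email on every federated login. The resource names, pool name, metadata URL and the email claim URI are assumptions; check the claim URI against the SAML attribute statement your Okta app actually sends.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool" # assumed name

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    # With mutable left unset (the question's state), Cognito refuses to overwrite
    # the stored email on the second SAML login: "email: Attribute cannot be updated".
    mutable  = true
    name     = "email"
    required = true

    string_attribute_constraints {
      min_length = 7
      max_length = 256
    }
  }
}

resource "aws_cognito_identity_provider" "okta" {
  user_pool_id  = aws_cognito_user_pool.pool.id
  provider_name = "Okta" # becomes the prefix of the federated user's username
  provider_type = "SAML"

  provider_details = {
    # placeholder: the metadata URL of your Okta SAML app
    MetadataURL = "https://EXAMPLE.okta.com/app/EXAMPLE/sso/saml/metadata"
  }

  # Every login copies this SAML attribute into the user's email attribute,
  # which is why the schema entry above has to be mutable.
  attribute_mapping = {
    email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}
```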