top of page
  • Writer's picture Kseniia Zozulia

Setup AWS Cognito User Pool with an Azure AD identity provider to perform SSO in mobile app. Part 3.

This is the third part of the tutorial of how to setup AWS Cognito User and Identity Pools with an Azure AD identity provider to perform SSO authentication. It aims to setup your Android Project.

The complete sign-in flow described on the diagram:

Please refer to the first part of the tutorial for more information about sign-in process and settings for AWS Cognito and Azure AD.


After finishing the settings in AWS console and Azure portal you should have all of this parameters:

  • Amazon Cognito User Pool ID;

  • Amazon Cognito Domain associated with User Pool;

  • App client ID;

  • App client secret;

  • Callback URL;

  • Sign Out URL;

  • Region.

You should also have a test user account, assigned to the corresponding Azure AD enterprise application in Azure portal. Refer the tutorial how to invite a user.

The Android Project setup consists of 4 steps:

  1. Add dependencies to your app/build.gradle.

  2. Add corresponding AWS keys to your project.

  3. Configure the Custom URL Scheme via intent-filter.

  4. Make corresponding changed in your source code.

1. Add dependencies to your app/build.gradle.

AWS Cognito Auth requires Chrome Custom Tabs to opens Cognito’s hosted web pages on Chrome. This also means that Chrome app should be installed on the device to use this SDK.

Make sync now you’re ready to go further.

2. Add corresponding AWS keys to your project.

To authenticate users in a UserPool, get tokens, retrieve

the last authenticated user on the device, and sign-out users you need to work with Auth object. Auth require from client app the set of keys to verify app client id, connect to the correct User and Identity Pools, redirect after sign-in and sign-out operations. You can keep these keys in the project in a strings file or separate object ( always keep in mind about security and storing sensitive information).

This is an example of how to create Auth object:

To provide AWS credentials to your app for access to AWS resources and services you can use CognitoCachingCredentialsProvider. Before using this object you need to assign IAM role with your identity pool via the Cognito console.

Otherwise you will have an InvalidIdentityPoolConfigurationException when access to the service.

Fill the corresponding keys by replacing _SETME_ with keys which you’ve prepared at the first part of the tutorial. To be sure that you set the correct keys to check the description for each key:

  1. AppClientId and AppClientSecret - the client id and secret of your app, assigned to the User Pool in AWS Cognito. See the tutorial how to setup it.

  2. AWSCognitoWebDomain - Amazon Cognito hosted domain for the address of your sign-up and sign-in webpages. You can also use own web address as a custom domain. See the tutorial how to set Amazon Cognito hosted domain. Note that for the Android project AWSCognitoWebDomain should be used without protocol value (without the http:// or https:// at the beginning). For example, If your domain in AWS Cognito Console is:, you should set AWSCognitoWebDomain as:

  3. UserPoolId - id of your Cognito User Pool. See the tutorial how to setup it.

  4. SignInRedirect - the URL which will be called after your app performs signIn operation. For the Android project, this is custom deep link like androidAppScheme:// (see the Defining a Create Deep Links to App Content ). Note that in intent-filter scheme should be set without "://".

  5. SignOutRedirect - the URL which will be called after your app performs sign-out operation. You can use the same custom scheme as for CognitoAuthSignInRedirectUri or define another scheme. Make sure that CognitoAuthSignInRedirectUri and CognitoAuthSignOutRedirectUri which you set in the app match with corresponding values for your app client (in AWS User Pool app client settings).

  6. COGNITO_IDENTITY_POOL_ID - id of your Cognito Identity Pool. See the tutorial how to setup it.

  7. COGNITO_IDENTITY_POOL_REGION - AWS Region is separate geographic area where Amazon cloud computing resources are hosted.

You should also update manifest:

  • add permissions:

3. Configure the Custom URL Scheme via intent-filter.

Add intent-filter to invoke app specific Activity after successful authentication and sign-out:

4. Make corresponding changed in your source code

To handle authentication result Cognito Auth AuthHandler callback should be implemented. Make your class conforms to AuthHandler or create new handler object:

Initialize auth object:

Handle app redirect with Cognito tokens and pass them to auth:

Get session:

Get user identity credentials:

Avoid call credentials and identityId from the main thread. In the sample app for background invocation used Kotlin Coroutines


You can check the demo project, replace _SETME_ values in AWSConstants file with own to make it work.

Additional Sources:

What Is Amazon Cognito?

Amazon Cognito Auth SDK for Android

AWS Sample app for Cognito User Pools with the AWS Mobile SDK for Android.

Getting Started with Amazon Cognito Identity Pools (Federated Identities)

Using Identity Pools (Federated Identities)

Amazon Cognito User Pools supports federation with SAML.

How to configure SAML-based single sign-on

Microsoft identity platform ID tokens

Configure SAML-based single sign-on to non-gallery applications

Adding SAML Identity Providers to a User Pool

bottom of page