SAML Based SSO Supportability
This article provides an overview of standard SAML SSO connectivity, including key parameters involved in the configuration.
The following configuration is supported with any SAML-based SSO provider and was tested with the following providers:
- PingFederate
- JumpCloud
- Entra ID
SSO URL / Assertion Consumer Service (ACS)
The SSO URL or Assertion Consumer Service (ACS) URL is a crucial endpoint where the SAML response is sent after authentication. This URL is provided by the Service Provider (SP) and is responsible for processing the SAML assertion received from the Identity Provider (IdP).
The ACS URL is:
https://mypileus.auth.us-east-1.amazoncognito.com/saml2/idpresponse
The Identity Provider (IdP) must be configured to send the SAML response to this endpoint after successful authentication.
The SAML response is signed by the IdP, which lets the SP verify its integrity and origin, and is base64-encoded for transport in the HTTP POST to the ACS URL.
Audience URI / Entity ID
The Audience URI, also known as the Entity ID, uniquely identifies the Service Provider (SP). The SAML assertion issued by the Identity Provider must contain this identifier to ensure that the authentication request is directed to the correct service.
The Entity ID is:
urn:amazon:cognito:sp:us-east-1_Uv6ArNdSK
This identifier must match exactly between the Service Provider and the Identity Provider configuration.
The IdP validates the Entity ID to prevent authentication responses from being misused.
Email Attribute (Optional)
Depending on the SSO provider, the SAML assertion may contain an attribute for identifying the user. A common attribute used is the email address.
The attribute is generally passed in the SAML assertion as follows:
[email protected]
Some providers may use a different attribute name, such as:
User.Email
The claim name is:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
It is important to check the SAML attribute mapping settings in both the IdP and SP to ensure proper user identification.
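The three checks described above (Destination matches the ACS URL, Audience matches the Entity ID, and an email attribute is present under one of the expected names) can be exercised against a decoded SAML response. The script below is an added example and is not part of this article or the product's own code: it parses a constructed sample response, compares its routing fields with the values given above, and extracts the email under whichever attribute name the IdP used. The IdP issuer `https://idp.example.com/idp`, the address `alice@example.com`, and the fallback attribute name `email` are assumptions; signature verification is deliberately left out because the SP (Cognito) performs it at the real ACS endpoint.

```python
"""Check a SAML Response's routing fields and extract the email attribute.

Added example, not taken from the article or the product. Signature
verification is out of scope here; the SP performs it at the real ACS URL.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the article.
ACS_URL = "https://mypileus.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_Uv6ArNdSK"

# Attribute names an IdP may use for the email address; the first two are
# from the article, the bare "email" fallback is an assumption.
EMAIL_ATTRIBUTE_NAMES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "User.Email",
    "email",
)

# Constructed sample response; issuer and email address are placeholders.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="{ACS_URL}" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Encoded the way it travels in the SAMLResponse form field (constructed).
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def check_saml_response(saml_response_b64, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """Decode a SAMLResponse value and return (ok, problems, email).

    ok is True only when Destination equals acs_url and every Audience in the
    assertion equals entity_id exactly. email is the first recognised email
    attribute value, or None when no known attribute name is present.
    """
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    # 1. The response must be addressed to our ACS URL.
    destination = root.get("Destination")
    if destination != acs_url:
        problems.append(f"Destination {destination!r} != ACS URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element")
        return False, problems, None

    # 2. Every Audience must be our Entity ID (exact string match).
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if not audiences:
        problems.append("no AudienceRestriction")
    for aud in audiences:
        if aud != entity_id:
            problems.append(f"Audience {aud!r} != Entity ID {entity_id!r}")

    # 3. Collect attributes and pick the email under any known name.
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    email = next((attrs[n] for n in EMAIL_ATTRIBUTE_NAMES if n in attrs), None)
    if email is None:
        problems.append(f"no email attribute; attributes present: {sorted(attrs)}")

    return not problems, problems, email


if __name__ == "__main__":
    ok, problems, email = check_saml_response(SAMPLE_SAML_RESPONSE_B64)
    print("ok" if ok else "rejected", problems, email)
```

Running the script against the constructed sample prints `ok [] alice@example.com`; passing a different `entity_id` (for example a copy-pasted value with a trailing space) makes the Audience check fail, which is the symptom most often seen when the Entity ID does not match exactly between IdP and SP.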