I have an app that uses AWS Cognito for user login through OIDC. Now I want those same Cognito users to log into JIRA Cloud using SAML where Cognito works as the identity provider. I keep getting stuck on the setup process.
When I go to JIRA Cloud admin settings and try to add Cognito as an identity provider, I fill out these fields:
Entity ID: I use my user pool ARN (something like arn:aws:cognito-idp::123456789:userpool/us-west-2_ABC123XYZ)
SSO URL: I set this to my user pool domain plus /saml2/idpresponse endpoint
Certificate: I grab this from the signing certificate section in Cognito
Everything looks right but when I test the SSO login, JIRA shows an error saying “Domain Does not Exist”.
I think the problem is with my domain setup in Cognito. Right now I’m just using the default AWS domain that gets created automatically. I don’t have a custom domain configured.
In the Cognito console, I can only see domain settings under the Branding section, but it only lets me change visual stuff, not actually modify the domain itself. I read somewhere that I might need to set up a proper domain through the App Integration settings, but I can’t find where to do this in the current AWS interface.
Do I really need to create a custom domain just to make this work? Is there a way to use the default AWS domain for SAML? Any guidance would be helpful.
You might be hitting this because JIRA requires the SAML response to come from a domain that matches what you’ve configured in their system. I encountered something similar when integrating with another SaaS platform. The issue wasn’t the custom domain requirement but rather the SAML configuration on the Cognito side. Check if you’ve actually configured Cognito to act as a SAML identity provider - you need to enable SAML IdP functionality in your user pool settings, not just OIDC. Go to your Cognito user pool, then under App Integration look for SAML identity providers section. You’ll need to configure the SAML IdP settings there including the proper attribute mappings for JIRA. Also verify that your user pool domain is actually active and responding. Test the metadata endpoint at https://your-domain.auth.region.amazoncognito.com/saml2/metadata - if this doesn’t return valid XML metadata, then your SAML setup isn’t complete on the Cognito side.
The default AWS domain should work fine for SAML authentication with JIRA Cloud. The “Domain Does not Exist” error usually indicates an issue with the Entity ID or SSO URL configuration rather than the domain itself. I ran into similar problems when setting this up last year. The key issue was that I was using the user pool ARN as the Entity ID, but JIRA actually expects a proper URL format. Try using your Cognito domain URL as the Entity ID instead - something like https://your-domain.auth.us-west-2.amazoncognito.com/saml2/idpresponse. Also double-check your SSO URL format. It should be https://your-domain.auth.us-west-2.amazoncognito.com/saml2/idpresponse where “your-domain” is the domain prefix you can find in the Cognito console under App Integration > Domain name. Make sure you’ve enabled SAML identity provider in your Cognito user pool settings under Sign-in experience > Federated identity provider sign-in. Without this enabled, the SAML endpoints won’t respond properly even if the URLs are correct.
I had the exact same issue a few months back. The problem isn't your domain setup, it's probably the certificate format. JIRA Cloud is picky about how you paste the cert. Make sure you include the full -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers when copying from Cognito. Also check that there are no extra spaces or line breaks. Sometimes copying from the AWS console adds weird formatting that breaks SAML validation.
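A small checker for the /saml2/metadata document the first answer suggests testing, which also handles the certificate-formatting point in the last answer; it is an added example, not code from any of the answers or from AWS. It parses an IdP metadata document, pulls out the entity ID, the HTTP-POST SSO URL and the signing certificate, and re-wraps the certificate as a clean PEM block. The embedded metadata is constructed with placeholder values and is not what Cognito really returns; the real document has to be read from your own pool's endpoint.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with placeholder values (not real Cognito output); fetch the real one from
# https://<your-domain>.auth.<region>.amazoncognito.com/saml2/metadata.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://PLACEHOLDER-DOMAIN.auth.us-west-2.amazoncognito.com/saml2/idpresponse">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CERT_B64[:40]}
        {CERT_B64[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://PLACEHOLDER-DOMAIN.auth.us-west-2.amazoncognito.com/saml2/idpresponse"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_body: str) -> str:
    """Wrap a bare base64 body in BEGIN/END lines at 64 columns, the form JIRA's cert field expects."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def extract_idp_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # only an SPSSODescriptor means the pool is not serving as a SAML IdP
        raise ValueError("no IDPSSODescriptor: SAML IdP functionality is not enabled")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith("HTTP-POST"):
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop console-induced whitespace
            base64.b64decode(body, validate=True)     # reject a mangled paste early
            certs.append(to_pem(body))
    if not (root.get("entityID") and sso_url and certs):
        raise ValueError("metadata lacks entityID, HTTP-POST SSO URL or signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "certificates": certs}
```

Paste the returned entity_id, sso_url and the PEM text straight into the JIRA form rather than hand-building them; if the function raises on your real metadata, the Cognito side is the thing to fix first.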