I have an app that uses AWS Cognito for user login through OIDC. Now I want those same Cognito users to also log into JIRA Cloud using Cognito as the identity provider. I’m having trouble getting this to work and would rather not use third-party solutions.
Steps I’ve taken
In JIRA Cloud, I went to Admin settings and tried adding Cognito as an identity provider. I filled in these values:
Entity ID: My user pool ARN (arn:aws:cognito-idp::xxxxxxxx:userpool/us-east-1_xxxxxxx)
SSO URL: My user pool domain with /saml2/idpresponse added to the end
Certificate: Got this from the signing certificate section in Cognito
The Problem
When I try to test the SSO login, I get a “Domain Does not Exist” error. I think the issue is with my SSO URL.
To successfully set up SAML SSO with Cognito, you will indeed need a custom domain, as the default amazoncognito.com domain has restrictions that prevent it from functioning properly as a SAML identity provider. You can establish a custom domain by navigating to the Cognito User Pool console, then to the App Integration tab and the Domain section. You’ll need to acquire your own domain name and an SSL certificate through AWS Certificate Manager. Expect it to take approximately 15-20 minutes for the configuration to propagate. Once your custom domain is live, your SSO URL will be formatted as Redirecting..., and be sure to update the Entity ID accordingly. Additionally, I recommend verifying that your domain ownership is confirmed in ACM to avoid any certificate validation issues before attempting configuration in JIRA again.
You can’t use the default Cognito domain for SAML SSO with JIRA Cloud - that’s why you’re getting the domain error. AWS blocks amazoncognito.com domains from SAML operations. I hit this same wall when setting up SSO for our team. You need a custom domain, no way around it. Go to your User Pool settings in the Cognito console, click the App Integration tab, and find the Domain Name section. You’ll need your own domain plus an SSL cert through AWS Certificate Manager first. The provisioning takes a while, so don’t expect it to be instant. Once your custom domain’s live, update your SAML config in Cognito to match the new domain before testing JIRA again. That certificate you downloaded should still work, but verify the metadata endpoint functions with your new domain.
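The answer above ends by recommending that you verify the IdP metadata against the new domain before retrying JIRA. The script below is an added example, not code from anyone in this thread or from AWS: it parses a SAML IdP metadata document, pulls out the entityID, the SingleSignOnService endpoints and the signing certificate, and flags the configuration mistakes discussed here (an SSO URL on the default amazoncognito.com domain, a non-HTTPS endpoint, a missing or malformed signing certificate). The metadata XML and the certificate blob are constructed sample inputs; the path `/saml2/idpresponse` is taken from the question and the host names are placeholders.

```python
"""Sanity-check SAML IdP metadata before pasting its values into a
service provider such as JIRA Cloud (added example; constructed input)."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
DEFAULT_DOMAIN_SUFFIX = ".amazoncognito.com"  # Cognito's default hosted domain


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints (by binding) and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {
        el.get("Binding"): el.get("Location")
        for el in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a `use` attribute serves signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the metadata looks usable."""
    meta = parse_idp_metadata(xml_text)
    problems = []
    sso_url = meta["sso"].get(HTTP_POST) or meta["sso"].get(HTTP_REDIRECT)
    if not sso_url:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    else:
        parts = urlparse(sso_url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems.append(f"SSO URL is not https: {sso_url}")
        if host.endswith(DEFAULT_DOMAIN_SUFFIX):
            problems.append(
                f"SSO URL uses the default Cognito domain {host}; a custom domain is required"
            )
    if not meta["signing_certs"]:
        problems.append("no signing certificate in metadata")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except (binascii.Error, ValueError):
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # every DER X.509 certificate opens with a SEQUENCE tag
            problems.append("signing certificate does not decode to a DER SEQUENCE")
    return problems


# Constructed stand-in for a certificate: a DER SEQUENCE header plus padding, not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()


def sample_metadata(domain: str) -> str:
    """Constructed IdP metadata for a pool served from `domain` (placeholder host)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://{domain}/saml2/idpresponse">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://{domain}/saml2/idpresponse"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for host in ("my-pool.auth.us-east-1.amazoncognito.com", "auth.example.com"):
        print(host, "->", check_idp_metadata(sample_metadata(host)) or "OK")
```

Feed it the XML you download from the metadata endpoint instead of `sample_metadata(...)`; a `.amazoncognito.com` host in the result is the same condition that produces the "Domain Does not Exist" error in the question, caught before you touch the JIRA side.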
Hey mikezhang, I faced the same issue a few months back. The default Cognito domain doesn’t work well with SAML. Ya gotta set up a custom domain. Just go to Cognito console > App Integration > Domain Name and set it up. Then use Redirecting... as your SSO URL.