---
title: "Configuring Amazon Cognito with OpenID Connect"
slug: "configuring-amazon-cognito-with-openid-connect"
updated: 2025-06-22T21:08:53Z
published: 2025-06-22T21:08:53Z
---


# Configuring Amazon Cognito with OpenID Connect

## Overview

---

This article provides step-by-step guidance on how to configure **Amazon Cognito** as an identity provider for Encodify **using OpenID Connect (OIDC)**.

## Configuring OpenID Connect for Encodify through Amazon Cognito

---

### Step 1: Start IdP Configuration in Encodify

1. Navigate to: **Site Configuration → Identity Providers and Users → Identity Providers**.
2. Click **Add New IdP**.
3. Fill in the fields as follows:
  - **Name ID**: Use only English letters without spaces. This will be part of the URL.
  - **Display Name for Login Page**: This will be shown on the login button.
  - **Authentication Method**: Select **OpenID Connect**.
  - **Email Domains (optional)**: Specify allowed domains (e.g. `encode.dk, microsoft.com`).
4. Click **Next** to proceed to Step 2.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962155549.png)

### Step 2: Link to a Login URL

1. Link your IdP configuration to an existing **Login URL** and **Login Page**, or create new ones.
  - Each IdP can be linked to only one Login URL.
2. Click **Next** to proceed to Step 3.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947034269.png)

### Step 3: Copy Callback URL

1. Copy the **Callback URL** provided on this page. You will need it when configuring the app client in the Amazon Cognito Console.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962160413.png)

### Step 4: Create OAuth Credentials in Amazon Cognito Console

#### Create or Use a User Pool

1. Open the **Amazon Cognito** service in AWS Console.
2. Navigate to **User Pools**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947040669.png)

3. Choose to **create a new User Pool** or select an existing one.
4. Follow the setup wizard:
  - **User pool name**: Provide a name.
  - **Initial app client**: Select **Confidential client**.
  - **App client name**: Choose a recognisable name.
  - **Generate Client Secret**: Ensure this is enabled.
5. Complete the wizard and click **Create user pool**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962167709.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947045917.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947047709.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962174237.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947051421.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962176413.png)

#### Configure App Integration

1. Go to the **App integration** tab.
2. Scroll down to **App clients and analytics**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962179869.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331947058205.png)

3. Edit or create an app client. If you are creating a new app client, make sure a **Client Secret** is generated: the client ID and secret are entered in the Encodify configuration as **OAuth2 Client ID** and **OAuth2 Client Secret**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962182557.png)

4. Under **Hosted UI settings** add the **Callback URL** from Encodify.
5. Save your changes.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962184605.png)

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962186141.png)

#### Retrieve OpenID Metadata

1. From the **Pool Info** page, copy your **User Pool ID** and **AWS region**.
2. Construct your OpenID Configuration URL:
  - Format: `https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/openid-configuration`

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/23331962187421.png)

### Step 5: Complete IdP Configuration in Encodify

1. In Step 3 of the Encodify IdP setup, enter your **OpenID Connect Config URL** (the OpenID Configuration URL constructed in Step 4).
2. Encodify will auto-fetch the following:
  - **OpenID Connect JWK URI**
  - **OAuth2 Authorization URL**
  - **OAuth2 Access Token URL**
3. Fill in the remaining fields manually:

| Field | Value |
| --- | --- |
| OAuth2 Client ID | *From Cognito App Client* |
| OAuth2 Client Secret | *From Cognito App Client (if secret generated)* |
| OAuth2 Scope | `openid, email` |
| External User ID Attribute | `email` |

4. Click **Next** to proceed to further steps (e.g., access rights, default groups, etc.) as needed.

> [!WARNING]
> **Note**: Cognito does not support mapping of custom user claims beyond standard ones (e.g. name, email).
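As an added example (not Encodify's or AWS's own code), the following Python builds the OpenID Configuration URL from the region and User Pool ID copied in Step 4 and checks a discovery document the way an integrator should before trusting the auto-fetched **JWK URI**, **Authorization URL** and **Access Token URL**: the `issuer` must belong to the expected pool, the three endpoints must be HTTPS, and the pool must advertise the `openid` and `email` scopes used in the Encodify scope field. The pool ID and hosted-UI domain in the sample document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Cognito's issuer and discovery host are fixed per region; the hosted-UI
# endpoints live on a separate per-pool domain, so only the issuer is pinned.
COGNITO_ISSUER = "https://cognito-idp.{region}.amazonaws.com/{pool_id}"
REQUIRED_SCOPES = {"openid", "email"}   # the OAuth2 Scope Encodify is configured with


def discovery_url(region: str, pool_id: str) -> str:
    """Build the OpenID Connect Config URL for a Cognito user pool."""
    return COGNITO_ISSUER.format(region=region, pool_id=pool_id) + "/.well-known/openid-configuration"


def parse_discovery(doc: str, region: str, pool_id: str) -> dict:
    """Extract the three endpoints Encodify auto-fills, refusing a document
    that does not belong to the expected pool or is not served over TLS."""
    meta = json.loads(doc)
    expected_issuer = COGNITO_ISSUER.format(region=region, pool_id=pool_id)
    if meta.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r} != {expected_issuer!r}")
    picked = {}
    for key in ("jwks_uri", "authorization_endpoint", "token_endpoint"):
        url = meta.get(key)
        if not url or urlparse(url).scheme != "https":
            raise ValueError(f"{key} missing or not https: {url!r}")
        picked[key] = url
    missing = REQUIRED_SCOPES - set(meta.get("scopes_supported", []))
    if missing:
        raise ValueError(f"pool does not advertise scopes: {sorted(missing)}")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("authorization code flow not supported")
    return picked


# Constructed sample discovery document (placeholder pool id and hosted-UI domain).
SAMPLE_DOC = json.dumps({
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE/.well-known/jwks.json",
    "authorization_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
})

if __name__ == "__main__":
    print(discovery_url("eu-west-1", "eu-west-1_EXAMPLE"))
    for k, v in parse_discovery(SAMPLE_DOC, "eu-west-1", "eu-west-1_EXAMPLE").items():
        print(f"{k}: {v}")
```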

### Step 6: Default User Groups

1. Define default groups to assign on first login.
2. Click **Next**.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/image-1750619703287.png)

### Step 7: Welcome Message & First Login Email

1. Optionally enable a **Welcome Email** and **First Login Message**.
2. Click **Save IdP** to complete the setup.

![](https://cdn.document360.io/3a63e0a8-1221-4570-aaa1-d43f9b95a612/Images/Documentation/image-1750615026946.png)

### Logging In via Amazon Cognito OIDC

If Cognito is the only method linked to the Login URL, users are redirected directly. If multiple methods exist, users will see a button (e.g. **Sign in with Cognito**). Upon first login, users will be auto-provisioned in Encodify with configured roles and attributes.
