How to share groups between Okta and Cognito?

I have searched around to find similar issues but no answers:

  1. Use OKTA Groups in AWS Cognito
  2. Okta OIDC and AWS Cognito - #3 by AleksandarT

I made a video to show what I’ve done step by step https://www.youtube.com/watch?v=fASFCpiwEoI

Yet I am not sure where or what I am missing for Okta attributes like groups to be shared to Cognito. In fact email is not working either.

Thank you in advance for any help!

From your video, it sounds like you are using the Default authorization Server. In order to include group membership details within a users tokens/userinfo response, you will need to set up a Custom Claim on the authorization server and configure it to pull in the authenticating user’s groups. Details on how to configure this claim can be found here: Customize tokens returned from Okta with a Groups claim | Okta Developer

That only handles the Okta portion, so not sure what you would need to do on the Cognito side to read this claim.


You mentioned email isn’t working either. In what way? Are you seeing that the tokens issued by Okta do not contain the user’s email?