We are using Okta SAML as an IdP along with Cognito as an SP.
We have groups that are assigned to the users, and these attributes are mapped as part of the Okta SAML config.
The issue is the following: on the Cognito side, we get 2 tokens, id_token and access_token.
These groups appear as part of the decoded id_token as
"custom:groups": "[Group1, Group2, Everyone, Group3]", which is what we want.
Is it possible for these groups to appear in the access_token instead of the id_token?
If that is not possible, is there a workaround with some other kind of attributes appearing as part of the claims in the access_token?
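To see concretely which of the two Cognito tokens carries the flattened group attribute, here is a small inspection helper. It is an added example, not code from the original post or from Okta/AWS: the two tokens are constructed inline with a placeholder signature segment, and the decoder only base64url-decodes the payload for inspection; in a real deployment the token signature must be verified against the Cognito user pool JWKS before any claim is trusted.

```python
import base64
import json
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT for inspection only.

    The signature is NOT checked here. Before acting on any claim in a real
    system, verify the token against the user pool's JWKS (iss/aud/exp too).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def parse_cognito_groups(value: str) -> List[str]:
    """Cognito flattens a multi-valued SAML attribute into a string such as
    '[Group1, Group2, Everyone, Group3]'; split it back into a list."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [g.strip() for g in inner.split(",") if g.strip()]


def locate_groups_claim(
    id_token: str, access_token: str, claim: str = "custom:groups"
) -> Dict[str, Optional[List[str]]]:
    """Report, per token, the parsed group list if the claim is present, else None."""
    result: Dict[str, Optional[List[str]]] = {}
    for name, token in (("id_token", id_token), ("access_token", access_token)):
        claims = decode_claims(token)
        raw = claims.get(claim)
        result[name] = parse_cognito_groups(raw) if isinstance(raw, str) else None
    return result


def _make_unsigned_token(claims: Dict[str, Any]) -> str:
    # Constructed test token: real header/payload encoding, placeholder signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens mirroring the shape described in the question:
# the SAML-mapped attribute lands in the id_token, not in the access_token.
ID_TOKEN = _make_unsigned_token({
    "sub": "example-sub",
    "token_use": "id",
    "custom:groups": "[Group1, Group2, Everyone, Group3]",
})
ACCESS_TOKEN = _make_unsigned_token({
    "sub": "example-sub",
    "token_use": "access",
    "scope": "openid",
})


if __name__ == "__main__":
    print(locate_groups_claim(ID_TOKEN, ACCESS_TOKEN))
```

Running it on the constructed tokens shows the group list under id_token and None under access_token, which is exactly the situation the question describes; pointing the same helper at real tokens (after signature verification) confirms where a given claim mapping actually lands.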
Is the custom:groups claim coming from the application user profile, or from a custom claim mapping in a custom Okta authorization server? Assuming it is from a custom claim in an authorization server, you can define the exact same claim and assign it to the access token instead of the ID token.
I don't have a custom Authorization Server created in Okta; my assumption is that it is coming from the application user profile (check the screenshot of the mapping below).
Can you create a custom Authorization Server for SAML use cases, or is this only supported for OpenID Connect?
Because, as I mentioned here, my use case is the following: I am creating a SAML 2.0 application and hooking it up to AWS Cognito as an SP; I am not working with the Okta Authorization Server or anything. After that, the login happens on the Okta page, which redirects me back to the redirect URI I have configured in Cognito, and this is where I get the authorization code, ID and access tokens from.