This guide walks you through setting up AWS Cognito as an OpenID Connect (OIDC) Identity Provider (IdP) for use with the Tyk Dashboard SSO integration.
Step 1: Create a Cognito User Pool
1. Navigate to Amazon Cognito → User Pools.
2. Click on Create user pool.
3. Under Define your application, select Traditional web application for application type.
4. Provide a name for your application (e.g., aws-myapp). This name will later be used as your Tyk SSO app-id.
Step 2: Configure Attributes and Callback URL
1. Scroll down and check email under attributes.
2. Under Required attributes, also select email.
3. Provide a return URL for your app:
http://<dashboard-url>/auth/<app-id>/openid-connect/callback
Replace <dashboard-url> with your Tyk Dashboard domain and <app-id> with the app name you set earlier (e.g., aws-myapp).
4. Click Create user directory to complete setup.
5. Once the application is created, scroll down and click the "Overview" button to return to the overview page.
Step 3: Locate Important Cognito Endpoints
1. On the Overview page, copy the Token Signing Key URL. It should look like this:
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dPyrEGLzM/.well-known/jwks.json
2. Modify the URL to point to the OpenID Configuration endpoint:
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dPyrEGLzM/.well-known/openid-configuration
3. This URL will be used in your Tyk SSO profile under the DiscoverURL.
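Working this step through in code, as an added example rather than anything from the guide or from Tyk: the first function derives the openid-configuration URL from the Token Signing Key URL exactly as item 2 describes, and the second checks a fetched discovery document against that key URL before the value goes into DiscoverURL. The discovery document below is a constructed sample shaped like the one Cognito serves; <your-domain> is a placeholder for the Hosted UI domain, and the field names are the standard OIDC discovery fields.

```python
import json
from urllib.parse import urlparse

JWKS_SUFFIX = "/.well-known/jwks.json"
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "email")

# The Token Signing Key URL as shown in Step 3 of the guide.
SAMPLE_JWKS_URL = (
    "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dPyrEGLzM/.well-known/jwks.json"
)

# Constructed sample shaped like the document Cognito serves at the openid-configuration
# endpoint; <your-domain> stands in for the Hosted UI domain and is a placeholder.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dPyrEGLzM",
  "authorization_endpoint": "https://<your-domain>.auth.us-east-1.amazoncognito.com/oauth2/authorize",
  "token_endpoint": "https://<your-domain>.auth.us-east-1.amazoncognito.com/oauth2/token",
  "userinfo_endpoint": "https://<your-domain>.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
  "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dPyrEGLzM/.well-known/jwks.json",
  "scopes_supported": ["openid", "email", "phone", "profile"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def issuer_from_jwks(jwks_url: str) -> str:
    """The user-pool issuer is the JWKS URL with the well-known suffix removed."""
    parsed = urlparse(jwks_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("expected an absolute https URL")
    if not jwks_url.endswith(JWKS_SUFFIX):
        raise ValueError(f"not a jwks.json URL: {jwks_url}")
    return jwks_url[: -len(JWKS_SUFFIX)]


def discovery_url_from_jwks(jwks_url: str) -> str:
    """Step 3, item 2: swap jwks.json for openid-configuration on the same base URL."""
    return issuer_from_jwks(jwks_url) + DISCOVERY_SUFFIX


def check_discovery_document(doc: dict, jwks_url: str) -> list:
    """Return problems found when comparing a fetched discovery document with the JWKS URL.

    An empty list means the issuer and jwks_uri agree with the key URL copied from the
    Cognito overview page, every endpoint Tyk needs is present over https, and the
    scopes the SSO profile will request are advertised.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing {field}")
    expected_issuer = issuer_from_jwks(jwks_url)
    if doc.get("issuer") and doc["issuer"] != expected_issuer:
        problems.append(f"issuer {doc['issuer']} does not match {expected_issuer}")
    if doc.get("jwks_uri") and doc["jwks_uri"] != jwks_url:
        problems.append(f"jwks_uri {doc['jwks_uri']} does not match the copied key URL")
    for field in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        value = doc.get(field, "")
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not served over https")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes_supported lacks {missing}")
    return problems


if __name__ == "__main__":
    print(discovery_url_from_jwks(SAMPLE_JWKS_URL))
    print(check_discovery_document(SAMPLE_DISCOVERY, SAMPLE_JWKS_URL) or "discovery document OK")
```

To use it against a real pool, fetch the derived URL with urllib, parse the JSON and pass it to check_discovery_document. An issuer or jwks_uri that disagrees with the key URL you copied means the two URLs point at different pools; the userinfo_endpoint is also checked because the profile in Step 5 leaves SkipUserInfoRequest set to false.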
Step 4: Configure App Client in Cognito
1. In the left panel, click App clients, then click Create app.
2. Choose your application (e.g., aws-myapp).
3. Go to the Login pages tab and click Edit.
4. Scroll down to the Scopes section:
Uncheck phone.
Leave email and openid checked.
Click Save.
5. Back in the app overview, copy the Client ID and Client Secret.
These will also be used in the Tyk SSO profile.
Step 5: Configure the Tyk SSO Profile
Here's a sample Tyk SSO profile configuration using the Cognito values:
{
  "ID": "aws-myapp",
  "Name": "",
  "OrgID": "6890e76e8446bb000115eab0",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SocialProvider",
  "ProviderConfig": {
    "CallbackBaseURL": "http://localhost:32044",
    "FailureRedirect": "http://localhost:32044/?fail=true",
    "UseProviders": [
      {
        "DiscoverURL": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_NREmhDOJ1/.well-known/openid-configuration",
        "Key": "niujv4pt1mdqtmqsbkuaklk4p",
        "Name": "openid-connect",
        "Scopes": [
          "openid",
          "email"
        ],
        "Secret": "oi39nvg2r47mbn8otcieid8pl40n15mlu4o7f59g8jin4iei34f",
        "SkipUserInfoRequest": false
      }
    ]
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": "a48fdb26708042bd7356063de8c010e8"
  },
  "ReturnURL": "http://localhost:32044/tap",
  "SSOOnlyForRegisteredUsers": false
}
Finally, test the SSO login flow by navigating to:
http://<dashboard-url>/auth/<app-id>/openid-connect
For example, if your Tyk Dashboard URL is http://localhost:32044 and your App ID is aws-myapp, the full URL would be:
http://localhost:32044/auth/aws-myapp/openid-connect
This should redirect you to the AWS Cognito login page. After successful authentication, you'll be redirected back to the Tyk Dashboard.
Key Fields:
DiscoverURL - From Cognito's openid-configuration endpoint.
Key / Secret - From Cognito's App Client ID and Secret.
Scopes - At minimum, include openid and email.
CallbackBaseURL - Must match the callback you defined in Cognito.
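As an added example (not code from the guide or from Tyk), the following checks an SSO profile against the points listed under Key Fields and derives the two URLs the guide uses: the return URL registered in Cognito in Step 2 and the login URL tested above. The sample profile mirrors the one in Step 5 with the OrgID, user pool ID, Key, Secret and DashboardCredential replaced by placeholders; the provider entry's Name (openid-connect) is the segment that appears in the callback path.

```python
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_SCOPES = ("openid", "email")

# Constructed sample profile modelled on the one in Step 5 of the guide. OrgID, the user
# pool ID, Key, Secret and DashboardCredential are placeholders, not real values.
SAMPLE_PROFILE = json.loads("""
{
  "ID": "aws-myapp",
  "Name": "",
  "OrgID": "<org-id>",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SocialProvider",
  "ProviderConfig": {
    "CallbackBaseURL": "http://localhost:32044",
    "FailureRedirect": "http://localhost:32044/?fail=true",
    "UseProviders": [
      {
        "DiscoverURL": "https://cognito-idp.us-east-1.amazonaws.com/<user-pool-id>/.well-known/openid-configuration",
        "Key": "<cognito-client-id>",
        "Name": "openid-connect",
        "Scopes": ["openid", "email"],
        "Secret": "<cognito-client-secret>",
        "SkipUserInfoRequest": false
      }
    ]
  },
  "IdentityHandlerConfig": {"DashboardCredential": "<dashboard-api-key>"},
  "ReturnURL": "http://localhost:32044/tap",
  "SSOOnlyForRegisteredUsers": false
}
""")


def oidc_provider(profile: dict) -> dict:
    """Return the UseProviders entry named openid-connect (raises if there is none)."""
    for provider in profile.get("ProviderConfig", {}).get("UseProviders", []):
        if provider.get("Name") == "openid-connect":
            return provider
    raise ValueError("profile has no UseProviders entry named openid-connect")


def cognito_return_url(profile: dict) -> str:
    """The return URL Cognito must have registered for this profile (Step 2 of the guide)."""
    base = profile["ProviderConfig"]["CallbackBaseURL"].rstrip("/")
    return f"{base}/auth/{profile['ID']}/{oidc_provider(profile)['Name']}/callback"


def sso_login_url(profile: dict) -> str:
    """The URL a user opens to start the SSO flow (the one tested at the end of Step 5)."""
    base = profile["ProviderConfig"]["CallbackBaseURL"].rstrip("/")
    return f"{base}/auth/{profile['ID']}/{oidc_provider(profile)['Name']}"


def check_profile(profile: dict, registered_return_url: str) -> list:
    """Return problems found in the profile; an empty list means it matches the guide."""
    problems = []
    if not profile.get("ID"):
        problems.append("ID is empty; it must be the app name used in the Cognito return URL")
    if profile.get("ProviderName") != "SocialProvider" or profile.get("Type") != "redirect":
        problems.append("expected ProviderName SocialProvider with Type redirect")
    try:
        provider = oidc_provider(profile)
    except ValueError as exc:
        return problems + [str(exc)]
    discover = provider.get("DiscoverURL", "")
    if not discover.startswith("https://") or not discover.endswith(DISCOVERY_SUFFIX):
        problems.append("DiscoverURL must be Cognito's https .well-known/openid-configuration URL")
    for field in ("Key", "Secret"):
        if not provider.get(field):
            problems.append(f"{field} is empty; copy it from the Cognito app client")
    scopes = provider.get("Scopes", [])
    missing = [s for s in REQUIRED_SCOPES if s not in scopes]
    if missing:
        problems.append(f"Scopes missing {missing}")
    extra = [s for s in scopes if s not in REQUIRED_SCOPES]
    if extra:
        problems.append(f"Scopes {extra} are not enabled on the app client as configured in Step 4")
    base = urlparse(profile.get("ProviderConfig", {}).get("CallbackBaseURL", ""))
    if base.scheme not in ("http", "https") or not base.netloc:
        problems.append("CallbackBaseURL must be an absolute URL")
    else:
        if base.scheme == "http" and base.hostname not in ("localhost", "127.0.0.1"):
            problems.append("CallbackBaseURL uses plain http on a non-local host; use https")
        expected = cognito_return_url(profile)
        if expected != registered_return_url:
            problems.append(f"CallbackBaseURL yields {expected}, but Cognito has {registered_return_url}")
    return problems


if __name__ == "__main__":
    print("Cognito return URL:", cognito_return_url(SAMPLE_PROFILE))
    print("SSO login URL:     ", sso_login_url(SAMPLE_PROFILE))
    print(check_profile(SAMPLE_PROFILE, cognito_return_url(SAMPLE_PROFILE)) or "profile OK")
```

Pass the return URL exactly as you entered it in Cognito as the second argument: the most common failure in this setup is a CallbackBaseURL (or ID) that produces a callback path Cognito has not registered, and the check reports the two URLs side by side so the difference is visible before you try the login.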
Login Flow
When a user attempts to log in via SSO:
1. Tyk redirects to the Cognito Hosted UI.
2. The user authenticates (via Cognito or any federated IdP).
3. Cognito redirects back to Tyk using the return URL.