
AWS Cognito SSO

Configure AWS Cognito single sign-on for Cased CD Enterprise

This guide walks through setting up AWS Cognito as your identity provider for Cased CD Enterprise.

  • AWS account with Cognito access
  • Cased CD Enterprise deployed
  • ArgoCD 2.0+
  1. Create a Cognito User Pool

    aws cognito-idp create-user-pool \
      --pool-name "cased-cd-sso" \
      --region us-west-2 \
      --auto-verified-attributes email \
      --policies "PasswordPolicy={MinimumLength=8,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=false}"

    Note the User Pool ID from the output (e.g., us-west-2_XXXXXXXXX).

  2. Create a Cognito domain

    aws cognito-idp create-user-pool-domain \
      --domain "your-company-cased-cd" \
      --user-pool-id us-west-2_XXXXXXXXX \
      --region us-west-2

    Your domain will be: your-company-cased-cd.auth.us-west-2.amazoncognito.com

  3. Create an App Client (public, no secret)

    aws cognito-idp create-user-pool-client \
      --user-pool-id us-west-2_XXXXXXXXX \
      --client-name "cased-cd" \
      --region us-west-2 \
      --no-generate-secret \
      --callback-urls "https://cased-cd.example.com/auth/callback" \
      --logout-urls "https://cased-cd.example.com/login" \
      --allowed-o-auth-flows "code" \
      --allowed-o-auth-scopes "openid" "profile" "email" \
      --allowed-o-auth-flows-user-pool-client \
      --supported-identity-providers "COGNITO"

    Note the Client ID from the output.

    For local development, also add http://localhost:5173/auth/callback to callback URLs.

  4. Configure ArgoCD

    kubectl patch configmap argocd-cm -n argocd --type merge -p '
    data:
      url: "https://cased-cd.example.com"
      oidc.config: |
        name: AWS Cognito
        issuer: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XXXXXXXXX
        clientID: YOUR_CLIENT_ID
        requestedScopes: ["openid", "profile", "email"]
    '

  5. Configure Cased CD with Cognito domain

    helm upgrade cased-cd cased/cased-cd-enterprise \
      --namespace argocd \
      --set 'imagePullSecrets[0].name=cased-cd-registry' \
      --set cognito.domain=your-company-cased-cd.auth.us-west-2.amazoncognito.com

    Or set the environment variable directly:

    kubectl set env deployment/cased-cd-enterprise \
      -n argocd \
      COGNITO_DOMAIN=your-company-cased-cd.auth.us-west-2.amazoncognito.com

  6. Restart ArgoCD

    kubectl rollout restart deployment argocd-server -n argocd

To test the login flow:

  1. Navigate to your Cased CD login page
  2. Click “Sign in with AWS Cognito”
  3. Log in with your Cognito user credentials
  4. You’ll be redirected back and logged in

# Create a user
aws cognito-idp admin-create-user \
  --user-pool-id us-west-2_XXXXXXXXX \
  --username user@example.com \
  --user-attributes Name=email,Value=user@example.com Name=email_verified,Value=true \
  --region us-west-2

# Set a permanent password
aws cognito-idp admin-set-user-password \
  --user-pool-id us-west-2_XXXXXXXXX \
  --username user@example.com \
  --password "SecurePassword123!" \
  --permanent \
  --region us-west-2

Create groups in Cognito and map them to ArgoCD RBAC roles:

# Create a group in Cognito
aws cognito-idp create-group \
  --user-pool-id us-west-2_XXXXXXXXX \
  --group-name developers \
  --region us-west-2

# Add a user to the group
aws cognito-idp admin-add-user-to-group \
  --user-pool-id us-west-2_XXXXXXXXX \
  --username user@example.com \
  --group-name developers \
  --region us-west-2

Then configure ArgoCD RBAC:

kubectl patch configmap argocd-rbac-cm -n argocd --type merge -p '
data:
  policy.csv: |
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, developers, role:developer
'

If Cased CD does not offer Cognito sign-in, this usually means the Cognito domain is not configured. Verify:

  1. COGNITO_DOMAIN environment variable is set on the enterprise deployment
  2. The domain matches your Cognito User Pool domain exactly

If Cognito returns an error during the login redirect, check that:

  1. The App Client has “Authorization code grant” enabled
  2. The callback URL is registered correctly
  3. The App Client is a public client (no secret)

If group-based RBAC is not applied:

  1. Verify users are added to Cognito groups (not just attributes)
  2. Group names in Cognito must match ArgoCD RBAC policy exactly
  3. Cognito automatically includes groups in the cognito:groups claim
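The troubleshooting checks above can be exercised offline with this added Python diagnostic (it is not Cased CD or ArgoCD code): it confirms that the OIDC issuer and COGNITO_DOMAIN name the same region, parses the `g` lines of policy.csv, and shows which `cognito:groups` entries in an ID token would actually map to a role (an exact-match comparison, so `Developers` does not match `developers`). The issuer, domain and policy values are constructed from the guide's placeholders, and `sample_id_token` is a hypothetical helper that builds an unsigned token for the demo only.

```python
import base64
import json
import re
# Constructed sample values mirroring the guide's placeholders; not taken from a live deployment.
ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XXXXXXXXX"
COGNITO_DOMAIN = "your-company-cased-cd.auth.us-west-2.amazoncognito.com"
POLICY_CSV = """p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
g, developers, role:developer
"""
# The issuer carries the pool's region in both host and pool id; the hosted-UI domain carries it once.
ISSUER_RE = re.compile(r"^https://cognito-idp\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P=region)_[A-Za-z0-9]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+\.auth\.(?P<region>[a-z0-9-]+)\.amazoncognito\.com$")

def check_issuer_and_domain(issuer, domain):
    """Return a list of problems; an empty list means issuer and COGNITO_DOMAIN agree."""
    iss = ISSUER_RE.match(issuer)
    if not iss:
        return ["issuer is not https://cognito-idp.<region>.amazonaws.com/<region>_<pool-id>"]
    dom = DOMAIN_RE.match(domain)
    if not dom:
        return ["COGNITO_DOMAIN must be a bare <prefix>.auth.<region>.amazoncognito.com hostname"]
    if dom["region"] != iss["region"]:
        return [f"domain region {dom['region']} differs from issuer region {iss['region']}"]
    return []

def rbac_groups(policy_csv):
    """Map each group named in a 'g, <group>, <role>' line of policy.csv to its roles."""
    mapping = {}
    for line in policy_csv.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and parts[0] == "g":
            mapping.setdefault(parts[1], []).append(parts[2])
    return mapping

def decode_jwt_payload(token):
    """Decode the payload segment only (no signature check): a diagnostic, not an authentication step."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def effective_roles(id_token, policy_csv):
    """Roles an ID token's cognito:groups would grant, plus the groups with no matching 'g' line."""
    groups = decode_jwt_payload(id_token).get("cognito:groups", [])
    mapping = rbac_groups(policy_csv)
    roles = sorted({role for g in groups for role in mapping.get(g, [])})
    return roles, [g for g in groups if g not in mapping]

def sample_id_token(claims):
    """Build an unsigned JWT for this offline example only (hypothetical helper, not a Cognito token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

On a real deployment, feed `effective_roles` the payload of an ID token obtained through the Cognito hosted UI and the `policy.csv` read back from `argocd-rbac-cm`; an unmatched group in the second return value is the usual cause of a user landing with no permissions.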