We are using the AWS Cognito PHP SDK, latest version (https://github.com/aws/aws-sdk-php).
We have configured the link between Microsoft Active Directory and AWS Cognito by creating an attribute in AD and then a custom attribute in Cognito that maps to the AD attribute schema, such as:
For the custom:UsersRole attribute, we also tried the full schema path: http://schemas.xmlsoap.org/ws/…/userextendedattribute2 but it is still not working.
We have followed the documentation from https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html and https://medium.com/@zippicoder/setup-aws-cognito-user-pool-with-an-azure-ad-identity-provider-to-perform-single-sign-on-sso-7ff5aa36fc2a
The link between AD and Cognito is correctly configured; the custom attributes were given read/write permissions, and the “profile” permissions are also enabled in Cognito.
We have tried the getUser and listUsers methods (https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#getuser and https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#listusers) to read the attributes, but both of them return the following data:
"Attributes"=>
array(2) {
  [0]=>
  array(2) {
    ["Name"]=>
    string(3) "sub"
    ["Value"]=>
    string(36) "6asdsadasd-dsadasd-asdasd"
  }
  [1]=>
  array(2) {
    ["Name"]=>
    string(10) "identities"
    ["Value"]=>
    string(201) "[{"userId":"[email protected]","providerName":"ourprovidername","providerType":"SAML","issuer":"https: //sts.windows.net/123213213-123123cx3123-12321321/","primary":true,"dateCreated":1664952636840}]"
  }
}
Two attributes are not being returned: email and custom:UsersRole. We do receive the email address under the userId key inside the identities attribute, but how can we request and receive the custom attribute custom:UsersRole?
Any help would be great, thank you.
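As an added example (not code from the original post), the following reads a user pool's users with the AWS SDK for PHP v3, flattens the Name/Value attribute list shown above, pulls the federated userId out of the identities JSON, and reports which mapped attributes (email, custom:UsersRole) are absent from the profile; the region and user pool id are placeholder values.

```php
<?php
// Added example, not code from the original post. Region and user pool id
// below are placeholders; replace them with your own values.
require 'vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;

// Flatten Cognito's list of ['Name' => ..., 'Value' => ...] pairs into a map.
function attributesToMap(array $attributes): array
{
    $map = [];
    foreach ($attributes as $attr) {
        $map[$attr['Name']] = $attr['Value'];
    }
    return $map;
}

// Return the expected attribute names that are absent from the profile.
function missingAttributes(array $attrMap, array $expected): array
{
    return array_values(array_filter(
        $expected,
        fn (string $name): bool => !array_key_exists($name, $attrMap)
    ));
}

$client = new CognitoIdentityProviderClient([
    'region'  => 'eu-west-1',       // placeholder
    'version' => '2016-04-18',
]);

// listUsers returns each user's attributes under the 'Attributes' key
// (adminGetUser/getUser use 'UserAttributes' instead).
$result = $client->listUsers([
    'UserPoolId' => 'eu-west-1_EXAMPLE', // placeholder
    'Limit'      => 60,
]);

foreach ($result['Users'] as $user) {
    $attrs = attributesToMap($user['Attributes']);
    // 'identities' is a JSON string; the federated userId (the e-mail
    // address in the post) lives inside it, not in the 'email' attribute.
    $identities  = json_decode($attrs['identities'] ?? '[]', true) ?: [];
    $federatedId = $identities[0]['userId'] ?? '(none)';
    $missing     = missingAttributes($attrs, ['email', 'custom:UsersRole']);
    printf("%s (federated userId: %s)\n", $user['Username'], $federatedId);
    printf("  missing mapped attributes: %s\n", $missing ? implode(', ', $missing) : 'none');
}
```

Running this against the pool confirms, per user, whether the mapped attributes were ever written to the profile, which separates an attribute-mapping problem from a read-side (API or permission) problem.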
