aws-cdk-lib 2.136.1__py3-none-any.whl → 2.138.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -599,6 +599,30 @@ provider = cognito.UserPoolIdentityProviderGoogle(self, "Google",
 )
 ```
 
+Using SAML identity provider is possible to use SAML metadata file content or SAML metadata file url.
+
+```python
+userpool = cognito.UserPool(self, "Pool")
+
+# specify the metadata as a file content
+cognito.UserPoolIdentityProviderSaml(self, "userpoolIdpFile",
+    user_pool=userpool,
+    metadata=cognito.UserPoolIdentityProviderSamlMetadata.file("my-file-contents"),
+    # Whether to require encrypted SAML assertions from IdP
+    encrypted_responses=True,
+    # The signing algorithm for the SAML requests
+    request_signing_algorithm=cognito.SigningAlgorithm.RSA_SHA256,
+    # Enable IdP initiated SAML auth flow
+    idp_initiated=True
+)
+
+# specify the metadata as a URL
+cognito.UserPoolIdentityProviderSaml(self, "userpoolidpUrl",
+    user_pool=userpool,
+    metadata=cognito.UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")
+)
+```
+
 Attribute mapping allows mapping attributes provided by the third-party identity providers to [standard and custom
 attributes](#Attributes) of the user pool. Learn more about [Specifying Identity Provider Attribute Mappings for Your
 User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).
@@ -14452,6 +14476,39 @@ class SignInUrlOptions(BaseUrlOptions):
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.SigningAlgorithm")
+class SigningAlgorithm(enum.Enum):
+    '''Signing algorithms for SAML requests.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        userpool = cognito.UserPool(self, "Pool")
+        
+        # specify the metadata as a file content
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolIdpFile",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.file("my-file-contents"),
+            # Whether to require encrypted SAML assertions from IdP
+            encrypted_responses=True,
+            # The signing algorithm for the SAML requests
+            request_signing_algorithm=cognito.SigningAlgorithm.RSA_SHA256,
+            # Enable IdP initiated SAML auth flow
+            idp_initiated=True
+        )
+        
+        # specify the metadata as a URL
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolidpUrl",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")
+        )
+    '''
+
+    RSA_SHA256 = "RSA_SHA256"
+    '''RSA with SHA-256.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.StandardAttribute",
     jsii_struct_bases=[],
@@ -17754,48 +17811,28 @@ class UserPoolIdentityProviderSaml(
     '''Represents an identity provider that integrates with SAML.
 
     :resource: AWS::Cognito::UserPoolIdentityProvider
-    :exampleMetadata: fixture=_generated
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_cognito as cognito
-        
-        # provider_attribute: cognito.ProviderAttribute
-        # user_pool: cognito.UserPool
-        # user_pool_identity_provider_saml_metadata: cognito.UserPoolIdentityProviderSamlMetadata
+        userpool = cognito.UserPool(self, "Pool")
         
-        user_pool_identity_provider_saml = cognito.UserPoolIdentityProviderSaml(self, "MyUserPoolIdentityProviderSaml",
-            metadata=user_pool_identity_provider_saml_metadata,
-            user_pool=user_pool,
+        # specify the metadata as a file content
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolIdpFile",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.file("my-file-contents"),
+            # Whether to require encrypted SAML assertions from IdP
+            encrypted_responses=True,
+            # The signing algorithm for the SAML requests
+            request_signing_algorithm=cognito.SigningAlgorithm.RSA_SHA256,
+            # Enable IdP initiated SAML auth flow
+            idp_initiated=True
+        )
         
-            # the properties below are optional
-            attribute_mapping=cognito.AttributeMapping(
-                address=provider_attribute,
-                birthdate=provider_attribute,
-                custom={
-                    "custom_key": provider_attribute
-                },
-                email=provider_attribute,
-                family_name=provider_attribute,
-                fullname=provider_attribute,
-                gender=provider_attribute,
-                given_name=provider_attribute,
-                last_update_time=provider_attribute,
-                locale=provider_attribute,
-                middle_name=provider_attribute,
-                nickname=provider_attribute,
-                phone_number=provider_attribute,
-                preferred_username=provider_attribute,
-                profile_page=provider_attribute,
-                profile_picture=provider_attribute,
-                timezone=provider_attribute,
-                website=provider_attribute
-            ),
-            identifiers=["identifiers"],
-            idp_signout=False,
-            name="name"
+        # specify the metadata as a URL
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolidpUrl",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")
         )
     '''
 
@@ -17805,9 +17842,12 @@ class UserPoolIdentityProviderSaml(
         id: builtins.str,
         *,
         metadata: "UserPoolIdentityProviderSamlMetadata",
+        encrypted_responses: typing.Optional[builtins.bool] = None,
         identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        idp_initiated: typing.Optional[builtins.bool] = None,
         idp_signout: typing.Optional[builtins.bool] = None,
         name: typing.Optional[builtins.str] = None,
+        request_signing_algorithm: typing.Optional[SigningAlgorithm] = None,
         user_pool: IUserPool,
         attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -17815,9 +17855,12 @@ class UserPoolIdentityProviderSaml(
         :param scope: -
         :param id: -
         :param metadata: The SAML metadata.
+        :param encrypted_responses: Whether to require encrypted SAML assertions from IdP. Default: false
         :param identifiers: Identifiers. Identifiers can be used to redirect users to the correct IdP in multitenant apps. Default: - no identifiers used
+        :param idp_initiated: Whether to enable IdP-initiated SAML auth flows. Default: false
         :param idp_signout: Whether to enable the "Sign-out flow" feature. Default: - false
         :param name: The name of the provider. Must be between 3 and 32 characters. Default: - the unique ID of the construct
+        :param request_signing_algorithm: The signing algorithm for SAML requests. Default: - don't sign requests
         :param user_pool: The user pool to which this construct provides identities.
         :param attribute_mapping: Mapping attributes from the identity provider to standard and custom attributes of the user pool. Default: - no attribute mapping
         '''
@@ -17827,9 +17870,12 @@ class UserPoolIdentityProviderSaml(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = UserPoolIdentityProviderSamlProps(
             metadata=metadata,
+            encrypted_responses=encrypted_responses,
             identifiers=identifiers,
+            idp_initiated=idp_initiated,
             idp_signout=idp_signout,
             name=name,
+            request_signing_algorithm=request_signing_algorithm,
             user_pool=user_pool,
             attribute_mapping=attribute_mapping,
         )
@@ -17853,15 +17899,29 @@ class UserPoolIdentityProviderSamlMetadata(
 ):
     '''Metadata for a SAML user pool identity provider.
 
-    :exampleMetadata: fixture=_generated
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_cognito as cognito
+        userpool = cognito.UserPool(self, "Pool")
         
-        user_pool_identity_provider_saml_metadata = cognito.UserPoolIdentityProviderSamlMetadata.file("fileContent")
+        # specify the metadata as a file content
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolIdpFile",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.file("my-file-contents"),
+            # Whether to require encrypted SAML assertions from IdP
+            encrypted_responses=True,
+            # The signing algorithm for the SAML requests
+            request_signing_algorithm=cognito.SigningAlgorithm.RSA_SHA256,
+            # Enable IdP initiated SAML auth flow
+            idp_initiated=True
+        )
+        
+        # specify the metadata as a URL
+        cognito.UserPoolIdentityProviderSaml(self, "userpoolidpUrl",
+            user_pool=userpool,
+            metadata=cognito.UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")
+        )
     '''
 
     @jsii.member(jsii_name="file")
@@ -17920,9 +17980,12 @@ class UserPoolIdentityProviderSamlMetadataType(enum.Enum):
         "user_pool": "userPool",
         "attribute_mapping": "attributeMapping",
         "metadata": "metadata",
+        "encrypted_responses": "encryptedResponses",
         "identifiers": "identifiers",
+        "idp_initiated": "idpInitiated",
         "idp_signout": "idpSignout",
         "name": "name",
+        "request_signing_algorithm": "requestSigningAlgorithm",
     },
 )
 class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
@@ -17932,61 +17995,47 @@ class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
         user_pool: IUserPool,
         attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
         metadata: UserPoolIdentityProviderSamlMetadata,
+        encrypted_responses: typing.Optional[builtins.bool] = None,
         identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        idp_initiated: typing.Optional[builtins.bool] = None,
         idp_signout: typing.Optional[builtins.bool] = None,
         name: typing.Optional[builtins.str] = None,
+        request_signing_algorithm: typing.Optional[SigningAlgorithm] = None,
     ) -> None:
         '''Properties to initialize UserPoolIdentityProviderSaml.
 
         :param user_pool: The user pool to which this construct provides identities.
         :param attribute_mapping: Mapping attributes from the identity provider to standard and custom attributes of the user pool. Default: - no attribute mapping
         :param metadata: The SAML metadata.
+        :param encrypted_responses: Whether to require encrypted SAML assertions from IdP. Default: false
         :param identifiers: Identifiers. Identifiers can be used to redirect users to the correct IdP in multitenant apps. Default: - no identifiers used
+        :param idp_initiated: Whether to enable IdP-initiated SAML auth flows. Default: false
         :param idp_signout: Whether to enable the "Sign-out flow" feature. Default: - false
         :param name: The name of the provider. Must be between 3 and 32 characters. Default: - the unique ID of the construct
+        :param request_signing_algorithm: The signing algorithm for SAML requests. Default: - don't sign requests
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_cognito as cognito
-            
-            # provider_attribute: cognito.ProviderAttribute
-            # user_pool: cognito.UserPool
-            # user_pool_identity_provider_saml_metadata: cognito.UserPoolIdentityProviderSamlMetadata
+            userpool = cognito.UserPool(self, "Pool")
             
-            user_pool_identity_provider_saml_props = cognito.UserPoolIdentityProviderSamlProps(
-                metadata=user_pool_identity_provider_saml_metadata,
-                user_pool=user_pool,
+            # specify the metadata as a file content
+            cognito.UserPoolIdentityProviderSaml(self, "userpoolIdpFile",
+                user_pool=userpool,
+                metadata=cognito.UserPoolIdentityProviderSamlMetadata.file("my-file-contents"),
+                # Whether to require encrypted SAML assertions from IdP
+                encrypted_responses=True,
+                # The signing algorithm for the SAML requests
+                request_signing_algorithm=cognito.SigningAlgorithm.RSA_SHA256,
+                # Enable IdP initiated SAML auth flow
+                idp_initiated=True
+            )
             
-                # the properties below are optional
-                attribute_mapping=cognito.AttributeMapping(
-                    address=provider_attribute,
-                    birthdate=provider_attribute,
-                    custom={
-                        "custom_key": provider_attribute
-                    },
-                    email=provider_attribute,
-                    family_name=provider_attribute,
-                    fullname=provider_attribute,
-                    gender=provider_attribute,
-                    given_name=provider_attribute,
-                    last_update_time=provider_attribute,
-                    locale=provider_attribute,
-                    middle_name=provider_attribute,
-                    nickname=provider_attribute,
-                    phone_number=provider_attribute,
-                    preferred_username=provider_attribute,
-                    profile_page=provider_attribute,
-                    profile_picture=provider_attribute,
-                    timezone=provider_attribute,
-                    website=provider_attribute
-                ),
-                identifiers=["identifiers"],
-                idp_signout=False,
-                name="name"
+            # specify the metadata as a URL
+            cognito.UserPoolIdentityProviderSaml(self, "userpoolidpUrl",
+                user_pool=userpool,
+                metadata=cognito.UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")
             )
         '''
         if isinstance(attribute_mapping, dict):
@@ -17996,21 +18045,30 @@ class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
             check_type(argname="argument user_pool", value=user_pool, expected_type=type_hints["user_pool"])
             check_type(argname="argument attribute_mapping", value=attribute_mapping, expected_type=type_hints["attribute_mapping"])
             check_type(argname="argument metadata", value=metadata, expected_type=type_hints["metadata"])
+            check_type(argname="argument encrypted_responses", value=encrypted_responses, expected_type=type_hints["encrypted_responses"])
             check_type(argname="argument identifiers", value=identifiers, expected_type=type_hints["identifiers"])
+            check_type(argname="argument idp_initiated", value=idp_initiated, expected_type=type_hints["idp_initiated"])
             check_type(argname="argument idp_signout", value=idp_signout, expected_type=type_hints["idp_signout"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
+            check_type(argname="argument request_signing_algorithm", value=request_signing_algorithm, expected_type=type_hints["request_signing_algorithm"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "user_pool": user_pool,
             "metadata": metadata,
         }
         if attribute_mapping is not None:
             self._values["attribute_mapping"] = attribute_mapping
+        if encrypted_responses is not None:
+            self._values["encrypted_responses"] = encrypted_responses
         if identifiers is not None:
             self._values["identifiers"] = identifiers
+        if idp_initiated is not None:
+            self._values["idp_initiated"] = idp_initiated
         if idp_signout is not None:
             self._values["idp_signout"] = idp_signout
         if name is not None:
             self._values["name"] = name
+        if request_signing_algorithm is not None:
+            self._values["request_signing_algorithm"] = request_signing_algorithm
 
     @builtins.property
     def user_pool(self) -> IUserPool:
@@ -18035,6 +18093,17 @@ class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
         assert result is not None, "Required property 'metadata' is missing"
         return typing.cast(UserPoolIdentityProviderSamlMetadata, result)
 
+    @builtins.property
+    def encrypted_responses(self) -> typing.Optional[builtins.bool]:
+        '''Whether to require encrypted SAML assertions from IdP.
+
+        :default: false
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-encryption
+        '''
+        result = self._values.get("encrypted_responses")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def identifiers(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Identifiers.
@@ -18046,6 +18115,15 @@ class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
         result = self._values.get("identifiers")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def idp_initiated(self) -> typing.Optional[builtins.bool]:
+        '''Whether to enable IdP-initiated SAML auth flows.
+
+        :default: false
+        '''
+        result = self._values.get("idp_initiated")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def idp_signout(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable the "Sign-out flow" feature.
@@ -18066,6 +18144,17 @@ class UserPoolIdentityProviderSamlProps(UserPoolIdentityProviderProps):
         result = self._values.get("name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def request_signing_algorithm(self) -> typing.Optional[SigningAlgorithm]:
+        '''The signing algorithm for SAML requests.
+
+        :default: - don't sign requests
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-signing
+        '''
+        result = self._values.get("request_signing_algorithm")
+        return typing.cast(typing.Optional[SigningAlgorithm], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -20595,6 +20684,7 @@ __all__ = [
     "ResourceServerScopeProps",
     "SignInAliases",
     "SignInUrlOptions",
+    "SigningAlgorithm",
     "StandardAttribute",
     "StandardAttributes",
     "StandardAttributesMask",
@@ -22889,9 +22979,12 @@ def _typecheckingstub__718ac630a451940587ebda0797cfbdec5b11e5bcd3f498d39d6663201
     id: builtins.str,
     *,
     metadata: UserPoolIdentityProviderSamlMetadata,
+    encrypted_responses: typing.Optional[builtins.bool] = None,
     identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    idp_initiated: typing.Optional[builtins.bool] = None,
     idp_signout: typing.Optional[builtins.bool] = None,
     name: typing.Optional[builtins.str] = None,
+    request_signing_algorithm: typing.Optional[SigningAlgorithm] = None,
     user_pool: IUserPool,
     attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -22915,9 +23008,12 @@ def _typecheckingstub__2f52f706aa700f252fccd887b4c4fad1305e00535d6e476a5d2ee9577
     user_pool: IUserPool,
     attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
     metadata: UserPoolIdentityProviderSamlMetadata,
+    encrypted_responses: typing.Optional[builtins.bool] = None,
     identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    idp_initiated: typing.Optional[builtins.bool] = None,
     idp_signout: typing.Optional[builtins.bool] = None,
     name: typing.Optional[builtins.str] = None,
+    request_signing_algorithm: typing.Optional[SigningAlgorithm] = None,
 ) -> None:
     """Type checking stubs"""
     pass