Configure SSO with AWS Cognito for multi-tenant Sign-In

Martin Naude 0 Reputation points
2025-06-19T10:48:12.2366667+00:00

Good Morning.

We have an Enterprise app that we have setup and running with AWS Cognito, to allow for SSO sign in for our portal and mobile app. When this is setup and running with a single tenant, it works flawlessly, and we get all the info we need.

However, as soon as we try and change the Enterprise App to allow for multi-tenant access, we receive an error stating that the URI Scheme is incorrect:

We don't change any other values during this time. From what I have read so far, it seems to point back to the Identifier ID not being supported.
If I'm wrong, please let me know what else I should check.

If the Entity ID needs to be changed, then what should the value be for Cognito apps that can allow for multi-tenant access? I cannot find the answer to this question anywhere.

Thanks so much in advance for your help!


1 answer

  1. Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
    2025-06-23T04:53:17.47+00:00

    Hello @Martin Naude

    The error about the URI scheme being incorrect when you switch your Azure AD Enterprise App from single tenant to multi-tenant for AWS Cognito SSO typically relates to how the Identifier (Entity ID) and Reply URLs are configured.

    When a single-tenant application is created in the Microsoft Entra admin center, one of the items listed on the Overview page is the Application ID URI. This is one of the ways an application is identified in protocol messages and can be added at any time. The App ID URI for single tenant apps can be globally unique within that tenant.

    In contrast, for multitenant apps it must be globally unique across all tenants, ensuring that Microsoft Entra ID can find the app across all tenants.

    For example, if the name of your tenant was contoso.onmicrosoft.com then a valid App ID URI would be https://contoso.onmicrosoft.com/myapp. If the App ID URI doesn’t follow this pattern, setting an application as multitenant fails.

    So, it suggests changing it in the Manifest. You can ignore that WARNING if you are changing to multi-tenant.

    After the application has been registered, you can check or change the account type that the application supports at any time. Under the Manage pane of your application, search for Manifest and find the signInAudience value. The different account types, and the corresponding signInAudience are shown in the following table:

    Now, in the Manifest, you need to change the signInAudience value from AzureADMyOrg to AzureADMultipleOrgs.

    After changing this, click Save; the application is now converted from single tenant to multitenant.

    Please check this MSDOC that can help you in the process.

    And also, Identifier URI format:

    For multi-tenant apps, the Identifier URI (Entity ID) should be a valid HTTPS URL rather than a URN.

    1. For AWS Cognito, this often means using the fully qualified domain name or URL of your Cognito user pool or app client redirect endpoint. For example:
       https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
    2. Ensure that the Reply URLs configured in Azure AD for the Enterprise App are valid HTTPS URLs matching those configured in Cognito. They must be consistent and explicitly listed.
    3. Issuer URL and OIDC configuration:

       If you are using Azure AD as an OIDC provider for Cognito, the issuer URL must match exactly. The "common" endpoint (https://login.microsoftonline.com/common/v2.0) is not supported by Cognito because the issuer claim in tokens is tenant-specific. You need to use tenant-specific issuer URLs (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0).

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
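A pre-flight check over the points the answer above raises (signInAudience, an HTTPS Identifier URI on a tenant domain, explicitly listed HTTPS reply URLs, and a tenant-specific issuer that equals the token's iss claim), written as an added example rather than code from the thread or from Microsoft/AWS. The manifest excerpt, tenant id, domain, reply URL and token claims are constructed sample values, and the Identifier URI rule is applied as the answer states it (https scheme, host equal to a domain of the tenant).

```python
"""Pre-flight checks for an Entra ID app registration used as a multi-tenant identity
provider for an AWS Cognito user pool. Added example, not code from the thread; every
manifest value, domain, URL and token claim below is a constructed sample."""
from urllib.parse import urlparse

COMMON_ISSUER = "https://login.microsoftonline.com/common/v2.0"

def tenant_issuer(tenant_id: str) -> str:
    """Tenant-specific v2.0 issuer: the only form that equals the token's `iss` claim."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def identifier_uri_ok(uri: str, verified_domains: list[str]) -> bool:
    """Multi-tenant apps need an HTTPS App ID URI (not a URN) whose host is a verified
    domain of the tenant, e.g. https://contoso.onmicrosoft.com/myapp."""
    p = urlparse(uri)
    return p.scheme == "https" and p.hostname in {d.lower() for d in verified_domains}

def manifest_issues(manifest: dict, verified_domains: list[str],
                    expected_reply_urls: list[str]) -> list[str]:
    """List why a manifest would fail the switch from single- to multi-tenant."""
    problems = []
    if manifest.get("signInAudience") != "AzureADMultipleOrgs":
        problems.append(f"signInAudience is {manifest.get('signInAudience')!r}, "
                        "expected AzureADMultipleOrgs")
    for uri in manifest.get("identifierUris", []):
        if not identifier_uri_ok(uri, verified_domains):
            problems.append(f"identifierUris entry {uri!r} is not an HTTPS URL on a verified domain")
    listed = {entry["url"] for entry in manifest.get("replyUrlsWithType", [])}
    for url in expected_reply_urls:  # each Cognito reply URL must be explicitly listed, over HTTPS
        if url not in listed or urlparse(url).scheme != "https":
            problems.append(f"reply URL {url!r} is missing or not HTTPS")
    return problems

def issuer_matches_token(configured_issuer: str, id_token_claims: dict) -> bool:
    """Cognito compares its configured issuer with the token's `iss` claim exactly;
    Entra mints tenant-specific `iss` values, so the /common/ issuer never matches."""
    return configured_issuer == id_token_claims.get("iss")

# Constructed sample: the single-tenant manifest before the change, plus the claims of
# an ID token as Entra would mint them for a made-up tenant id.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
VERIFIED_DOMAINS = ["contoso.onmicrosoft.com"]
EXPECTED_REPLY_URLS = ["https://example.auth.us-east-1.amazoncognito.com/saml2/idpresponse"]
SAMPLE_MANIFEST = {
    "signInAudience": "AzureADMyOrg",
    "identifierUris": ["urn:amazon:cognito:sp:us-east-1_EXAMPLE"],  # URN fails for multi-tenant
    "replyUrlsWithType": [{"url": EXPECTED_REPLY_URLS[0], "type": "Web"}],
}
SAMPLE_CLAIMS = {"iss": tenant_issuer(TENANT_ID), "tid": TENANT_ID}
```

Running `manifest_issues(SAMPLE_MANIFEST, VERIFIED_DOMAINS, EXPECTED_REPLY_URLS)` reports the two defects the thread describes (AzureADMyOrg audience and a URN identifier), and `issuer_matches_token(COMMON_ISSUER, SAMPLE_CLAIMS)` is False while the tenant-specific issuer matches.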
