feat: encryptedResponse and signingRequests

aws · Mar 23, 2024 · eba9c25 · eba9c25
1 parent 9f869dd
commit eba9c25
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 0 deletions.
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/saml.ts
@@ -35,6 +35,24 @@ export interface UserPoolIdentityProviderSamlProps extends UserPoolIdentityProvi
    * @default - false
    */
   readonly idpSignout?: boolean;
+
+  /**
+   * Whether to require encrypted SAML assertions from IdP.
+   *
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-encryption
+   *
+   * @default false
+   */
+  readonly encryptedResponses?: boolean;
+
+  /**
+   * Whether to sign SAML requests.
+   *
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-signing
+   *
+   * @default false
+   */
+  readonly signingRequests?: boolean;
 }
 
 /**
@@ -99,6 +117,8 @@ export class UserPoolIdentityProviderSaml extends UserPoolIdentityProviderBase {
         IDPSignout: props.idpSignout ?? false,
         MetadataURL: metadataType === UserPoolIdentityProviderSamlMetadataType.URL ? metadataContent : undefined,
         MetadataFile: metadataType === UserPoolIdentityProviderSamlMetadataType.FILE ? metadataContent : undefined,
+        EncryptedResponses: props.encryptedResponses ?? undefined,
+        RequestSigningAlgorithm: props.signingRequests ? 'rsa-sha256' : undefined,
       },
       idpIdentifiers: props.identifiers,
       attributeMapping: super.configureAttributeMapping(),

diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/saml.test.ts
@@ -86,6 +86,54 @@ describe('UserPoolIdentityProvider', () => {
       expect(pool.identityProviders).toContain(provider);
     });
 
+    test('encryptedResponses', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'userpool');
+
+      // WHEN
+      new UserPoolIdentityProviderSaml(stack, 'userpoolidp', {
+        userPool: pool,
+        metadata: UserPoolIdentityProviderSamlMetadata.file('my-file-contents'),
+        encryptedResponses: true,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ProviderName: 'userpoolidp',
+        ProviderType: 'SAML',
+        ProviderDetails: {
+          MetadataFile: 'my-file-contents',
+          IDPSignout: false,
+          EncryptedResponses: true,
+        },
+      });
+    });
+
+    test('siningRequests', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'userpool');
+
+      // WHEN
+      new UserPoolIdentityProviderSaml(stack, 'userpoolidp', {
+        userPool: pool,
+        metadata: UserPoolIdentityProviderSamlMetadata.file('my-file-contents'),
+        signingRequests: true,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+        ProviderName: 'userpoolidp',
+        ProviderType: 'SAML',
+        ProviderDetails: {
+          MetadataFile: 'my-file-contents',
+          IDPSignout: false,
+          RequestSigningAlgorithm: 'rsa-sha256',
+        },
+      });
+    });
+
     test('attribute mapping', () => {
       // GIVEN
       const stack = new Stack();