Is it possible to programmatically capture SAML Assertion from external IdP? #232
Unanswered
PavelJacobo asked this question in Q&A
@PavelJacobo Good morning. I'm unsure if this could help, you may try Customizing user pool workflows with Lambda triggers.
Hello, I'm using Cognito and Okta as external SAML IdP. So when a user wants to access my application, they are redirected to Okta, which is acting as IdP.
Okta sends a SAML response with a SAML assertion back to Cognito at the /idpresponse endpoint. I can see the SAML response in the browser, but I'm not able to capture this SamlResponse programmatically to be able to retrieve a token from the Okta OAuth server.
I want to implement the following flow here:
SAML assertion flow with grant-type: urn:ietf:params:oauth:grant-type:saml2-bearer
This implies that we have to be able to get the SAML assertion and send it back to Okta OAuth at the /token endpoint.
How can we programmatically capture the SAML response from the IdP in Cognito to be able to implement the SAML assertion grant flow as described in the Okta documentation? I've tried with the Post authentication Lambda trigger and the Pre authentication Lambda trigger, but the SamlResponse parameters do not end up in any of the Lambdas.
This is the flow:
This is the flow I would like to implement. I need to capture the SAML assertion, because I also need a token from the external Okta OAuth.
Thanks so much
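The second half of the flow described in the question, as an added example that is not part of the original post or of any Cognito or Okta code: given a base64 `SAMLResponse` form value that is already in hand (how to obtain it from Cognito is the open question above), it slices out the assertion and builds the form body for the `saml2-bearer` grant, where RFC 7522 requires the `assertion` parameter to be base64url-encoded. The function names, the `scope` value and the sample response are assumptions constructed for illustration; client authentication is left to the caller.

```python
import base64
import re
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# One <Assertion> element with any (or no) namespace prefix; EncryptedAssertion
# and AssertionConsumerService tags do not match this pattern.
_ASSERTION_RE = re.compile(
    rb"<(?P<p>(?:[A-Za-z_][\w.-]*:)?)Assertion[\s>].*?</(?P=p)Assertion\s*>",
    re.DOTALL,
)

# Constructed, unsigned sample response (not captured from Okta or Cognito).
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">'
    b"<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    b"</saml:Assertion></samlp:Response>"
)
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML).decode("ascii")


def extract_assertion(saml_response_b64: str) -> bytes:
    """Return the raw bytes of the single Assertion in an HTTP-POST SAMLResponse.

    The element is sliced out rather than parsed and re-serialized, because
    re-serializing can alter the bytes the XML signature covers. Assumes the
    IdP declares the assertion's namespaces on the Assertion element itself.
    This only forwards the assertion; it does not validate it.
    """
    xml = base64.b64decode("".join(saml_response_b64.split()), validate=True)
    found = [m.group(0) for m in _ASSERTION_RE.finditer(xml)]
    if len(found) != 1:
        # Zero or several assertions is ambiguous; refuse instead of guessing.
        raise ValueError(f"expected exactly one Assertion, found {len(found)}")
    return found[0]


def build_token_body(saml_response_b64: str, scope: str) -> str:
    """Form-encoded body for the token endpoint's saml2-bearer grant."""
    assertion = extract_assertion(saml_response_b64)
    return urlencode({
        "grant_type": GRANT_TYPE,
        "assertion": base64.urlsafe_b64encode(assertion).decode("ascii"),
        "scope": scope,
    })
```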