AWS Cognito - create groups from ADFS as Cognito Groups

An app is communicating via the Open ID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is essentially "proxying" the ADFS server.

ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Groups, which will then be read by the app from the cognito:groups claim in the ID token Cognito provides.

In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups - must I absolutely rely on a custom attribute for my User Pool that I can map to the ADFS-property, or am I missing some piece of configuration that allows Cognito to create new groups on the fly and automatically assign the users to the groups in Cognito?

edit: To clarify, is it possible to set up Cognito to add/create groups (not as a custom property, but as actual manageable Cognito groups) when it imports users?

Spokane answered 19/3, 2019 at 11:40 Comment(2)
This might help you: https://mcmap.net/q/806355/-using-aws-cognito-and-ad-fs-as-authentication-for-a-web-app – Eileneeilis
@Sagar ADFS, Cognito and the app are talking together already - my knowledge gap is whether groups from ADFS can be configured to become Cognito Groups, or if I must rely on a custom property on the Cognito user to hold a list of group names – Spokane

I had the same issue, and I have not found a static mapping option in Cognito either.

The only way I see is to map the AD groups to a custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" lambda trigger. The lambda reads the value of custom:adgroups and manually overrides the user's Cognito groups.

NB: this does not change the Cognito user's groups permanently, only for the current session, but from the application's perspective that's exactly what I needed.

Please see a dummy static (non-conditional) ADMIN group assignment example here:

import json

def lambda_handler(event, context):
    print(f'incoming event: {json.dumps(event)}')

    # manual cognito group override (only for hosted UI logins)
    if event['triggerSource'] == "TokenGeneration_HostedAuth":
        event['response'] = {
            "claimsOverrideDetails": {
                "groupOverrideDetails": {
                    "groupsToOverride": [
                        "ADMIN"
                    ]
                }
            }
        }

    return event

More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

Archive answered 10/12, 2019 at 16:13 Comment(1)
Alternative solution could be to ditch the Cognito groups altogether and use IAM roles to manage application roles/permissions, as written here: aws.amazon.com/blogs/security/… – Archive
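A conditional version of the trigger described in this answer, added here as an example and not code from the answer or from AWS. It assumes a hypothetical allow-list mapping from AD group names to Cognito group names, and that ADFS sends bare group names which Cognito stores in custom:adgroups as a bracketed, comma-separated string (a single value arrives without brackets). Only groups in the allow-list are ever granted, and the override is applied on refresh-token generation too, so the groups do not vanish when the app refreshes its tokens.

```python
import json

# Assumed (hypothetical) allow-list: AD group name -> Cognito group name.
# Anything in the claim that is not listed here is ignored, never granted.
AD_TO_COGNITO_GROUPS = {
    "App-Admins": "ADMIN",
    "App-Editors": "EDITOR",
    "App-Readers": "READER",
}

# Trigger sources on which the override applies. RefreshTokens is included so the
# cognito:groups claim survives token refresh, not just the initial hosted UI login.
OVERRIDE_TRIGGERS = {
    "TokenGeneration_HostedAuth",
    "TokenGeneration_Authentication",
    "TokenGeneration_RefreshTokens",
}


def parse_ad_groups(raw):
    """Split the custom:adgroups value into group names.

    Assumption: the value looks like "[App-Admins, App-Readers]" for several
    groups or "App-Admins" for one. Missing/empty attribute -> no groups.
    """
    if not raw:
        return []
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    return [g.strip() for g in raw.split(",") if g.strip()]


def map_groups(ad_groups):
    """Translate AD groups to Cognito groups via the allow-list, deduplicated, order kept."""
    result = []
    for g in ad_groups:
        cg = AD_TO_COGNITO_GROUPS.get(g)
        if cg and cg not in result:
            result.append(cg)
    return result


def lambda_handler(event, context):
    if event.get("triggerSource") not in OVERRIDE_TRIGGERS:
        return event

    attrs = event.get("request", {}).get("userAttributes", {})
    cognito_groups = map_groups(parse_ad_groups(attrs.get("custom:adgroups")))

    # groupsToOverride replaces the cognito:groups claim for this token only; the
    # user's pool-managed membership is untouched (see NB in the answer above).
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {
                "groupsToOverride": cognito_groups
            }
        }
    }
    return event


# Constructed sample event; shape follows the pre token generation trigger documentation.
SAMPLE_EVENT = {
    "triggerSource": "TokenGeneration_HostedAuth",
    "request": {
        "userAttributes": {
            "email": "alice@example.com",
            "custom:adgroups": "[App-Admins, App-Readers, Domain Users]",
        },
        "groupConfiguration": {
            "groupsToOverride": [], "iamRolesToOverride": [], "preferredRole": None
        },
    },
    "response": {},
}

if __name__ == "__main__":
    out = lambda_handler(SAMPLE_EVENT, None)
    print(json.dumps(out["response"], indent=2))
```

The sample user is in three AD groups but only two are on the allow-list, so the token ends up with ADMIN and READER; "Domain Users" is dropped rather than passed through, which is the behaviour you want when the ADFS side sends every group a user belongs to.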

Could you use the Post authentication Lambda trigger to update the user's group in the Cognito User Pool based on the group in AD? You could use the APIs: AdminAddUserToGroup and AdminRemoveUserFromGroup. The only issue with this approach is that if you change the user's group in AD, it won't be updated in Cognito until the user authenticates to Cognito again.

Junker answered 21/2, 2022 at 13:33 Comment(0)
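An example of the reconciliation this answer suggests, added here and not code from the answer or from AWS. It assumes the same hypothetical AD-to-Cognito allow-list as above, that the target Cognito groups already exist in the pool (AdminAddUserToGroup does not create them), and that the AD groups arrive in custom:adgroups as "[g1, g2]" or "g1". It only ever adds or removes groups that appear in the allow-list, so groups assigned by hand in the pool are left alone, and it takes an injectable client so it can run offline against the constructed fake below.

```python
# Assumed (hypothetical) allow-list: AD group name -> Cognito group name.
AD_TO_COGNITO_GROUPS = {
    "App-Admins": "ADMIN",
    "App-Editors": "EDITOR",
    "App-Readers": "READER",
}
# Only these Cognito groups are managed by the trigger; anything else is never touched.
MANAGED_GROUPS = set(AD_TO_COGNITO_GROUPS.values())


def desired_groups(raw_adgroups):
    """Map the custom:adgroups string (assumed "[g1, g2]" or "g1") to Cognito groups."""
    raw = (raw_adgroups or "").strip().strip("[]")
    names = [g.strip() for g in raw.split(",") if g.strip()]
    return {AD_TO_COGNITO_GROUPS[g] for g in names if g in AD_TO_COGNITO_GROUPS}


def current_groups(client, pool_id, username):
    """All groups the user is in now, following AdminListGroupsForUser pagination."""
    groups, token = set(), None
    while True:
        kwargs = {"UserPoolId": pool_id, "Username": username}
        if token:
            kwargs["NextToken"] = token
        page = client.admin_list_groups_for_user(**kwargs)
        groups.update(g["GroupName"] for g in page.get("Groups", []))
        token = page.get("NextToken")
        if not token:
            return groups


def reconcile(client, pool_id, username, raw_adgroups):
    """Bring managed group membership in line with AD; returns (added, removed)."""
    want = desired_groups(raw_adgroups)
    have = current_groups(client, pool_id, username) & MANAGED_GROUPS
    to_add, to_remove = sorted(want - have), sorted(have - want)
    for g in to_add:  # the group must already exist in the pool
        client.admin_add_user_to_group(UserPoolId=pool_id, Username=username, GroupName=g)
    for g in to_remove:
        client.admin_remove_user_from_group(UserPoolId=pool_id, Username=username, GroupName=g)
    return to_add, to_remove


def lambda_handler(event, context, client=None):
    if event.get("triggerSource") != "PostAuthentication_Authentication":
        return event
    if client is None:
        import boto3  # real client inside Lambda; offline runs inject a fake
        client = boto3.client("cognito-idp")
    attrs = event["request"].get("userAttributes", {})
    added, removed = reconcile(client, event["userPoolId"], event["userName"],
                               attrs.get("custom:adgroups"))
    print(f"user={event['userName']} added={added} removed={removed}")
    return event  # post authentication triggers return the event as-is


class FakeCognitoClient:
    """Constructed in-memory stand-in for the cognito-idp client (offline only)."""
    def __init__(self, memberships):
        self.memberships = set(memberships)

    def admin_list_groups_for_user(self, UserPoolId, Username, **kwargs):
        return {"Groups": [{"GroupName": g} for g in sorted(self.memberships)]}

    def admin_add_user_to_group(self, UserPoolId, Username, GroupName):
        self.memberships.add(GroupName)

    def admin_remove_user_from_group(self, UserPoolId, Username, GroupName):
        self.memberships.discard(GroupName)


# Constructed sample: user was READER plus a hand-assigned BILLING group; AD now says Admins.
SAMPLE_EVENT = {
    "triggerSource": "PostAuthentication_Authentication",
    "userPoolId": "us-east-1_EXAMPLE",  # placeholder pool id
    "userName": "ADFS_alice",
    "request": {"userAttributes": {"custom:adgroups": "[App-Admins, Domain Users]"}},
    "response": {},
}

if __name__ == "__main__":
    fake = FakeCognitoClient({"READER", "BILLING"})
    lambda_handler(SAMPLE_EVENT, None, client=fake)
    print(sorted(fake.memberships))
```

After the run the user is in ADMIN and BILLING: READER was removed because AD no longer lists that group, ADMIN was added, and BILLING survived because it is outside the managed set. The Lambda's execution role needs cognito-idp:AdminListGroupsForUser, AdminAddUserToGroup and AdminRemoveUserFromGroup on the pool.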

How to set up ADFS with Cognito is documented in this link. The section answering your question is the mapping in step 4, item 5. I'm copying the relevant text below:

Choose Attribute mapping. These mappings map the claims from the SAML assertion from AD FS to the user pool attributes.

Make sure that ADFS is sending the groups in the assertions. For setting up the ADFS side for groups this link might be useful.

You could debug the flow with SAML-tracer plugin in Firefox.

Heida answered 19/3, 2019 at 20:10 Comment(1)
Thanks @rsa. I already have the integration working; what I was hoping to find out was if there was a way to map ADFS groups to the actual Cognito groups. By the looks of it, there is not, and Cognito Groups/assigning users to said groups will have to be manually managed within Cognito. I was hoping someone would be able to weigh in and say whether it's definitively possible/impossible. – Spokane

© 2022 - 2024 — McMap. All rights reserved.