I’ve published an open-source reference implementation for enterprise SSO in Django using AWS Cognito as an identity broker. Sharing it here in case it’s useful — the pattern isn’t well-covered in the Django ecosystem.
What it covers:
- Multi-tenant SSO: each tenant gets its own Cognito app client and OIDC provider, provisioned via API
- Supports Azure AD and Okta out of the box; any OIDC provider works
- Role mapping from external groups → application Member.role
- Soft-deletion via Azure/Okta webhooks (user removed from a group → Member.is_active = False)
- Django admin protected by the same SSO flow
- Full test suite with mocked Cognito
I also wrote a 5-part article series walking through the setup step by step (Cognito config, Azure AD, Okta, admin panel, testing): From Django Library to AWS Cognito: My Journey Building Enterprise SSO - DEV Community
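
An added sketch, not taken from the post or the project's code, of how the group-to-role mapping and soft-deletion bullets above can be made deny-by-default and tenant-scoped. Only `Member.role` and `Member.is_active` come from the post; the tenant names, group names, role names, `TENANT_GROUP_ROLES`, `ROLE_RANK`, `normalize_groups` and `sync_member` are assumptions made for the example, as is the choice to reset the role on deactivation.

```python
from dataclasses import dataclass

# Hypothetical per-tenant mapping: external group identifier -> application role.
# Tenant, group and role names are constructed for this example.
TENANT_GROUP_ROLES = {
    "acme": {"acme-admins": "admin", "acme-staff": "editor"},
    "globex": {"globex-users": "viewer"},
}
# Explicit privilege order so the result never depends on claim ordering.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


@dataclass
class Member:
    """Stand-in for the application's Member model (role and is_active as in the post)."""
    tenant: str
    email: str
    role: str = "viewer"
    is_active: bool = True


def normalize_groups(claim):
    """Providers may send groups as a list, as a single string, or omit the claim."""
    if claim is None:
        return set()
    if isinstance(claim, str):
        return {claim}
    return {g for g in claim if isinstance(g, str)}


def sync_member(member, groups_claim):
    """Apply external groups to a member; deny by default when nothing maps."""
    # Only the member's own tenant mapping is consulted, so a group name that
    # grants a role in one tenant grants nothing in another.
    mapping = TENANT_GROUP_ROLES.get(member.tenant, {})
    roles = [mapping[g] for g in normalize_groups(groups_claim) if g in mapping]
    if not roles:
        # No mapped group left: soft-delete, and reset the role so a later
        # reactivation does not silently restore elevated access.
        member.is_active = False
        member.role = "viewer"
        return member
    member.role = max(roles, key=ROLE_RANK.__getitem__)
    member.is_active = True
    return member
```
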