With Amazon Cognito, users can sign in through various identity providers (Ex: social identity providers such as Google or enterprise identity providers such as Microsoft Active Directory via SAML/OpenID Connect)

Steps in AWS:

Step 1: Login AWS ->Service -> cognito -> Manage User Pool 

Step 2: Select simple attributes and policies and click next and create pool.

Step 3: Create App Client.

Step 4: Get the redirect URL from Anypoint.

Step 5: In AWS, update the App client settings callback URL.

Step 6: Update the AWS User pool domain. You can use your own domain or the default.

Step 7: If required, customize the federation screen with your company logo and modify the CSS to your needs. For the demo, I kept the default.

Resource servers /scope is used for oAuth2. I will briefly discuss that in my next article.

Step 8: Get the OIDC Discovery Endpoint

Example: https://REGION/User-pool-id/.well-known/openid-configuration
Where...

          8.1) Region: cognito-idp.ap-southeast-2.amazonaws.com (https://docs.aws.amazon.com/general/latest/gr/rande.html)
           8.2) Get User-pool-id:            

It will give all the required endpoint details.

Also from App client settings get the clientID and Client secrete 

Step 9: Now go to Anypoint.

Management Center -> Access Management -> External Identity -> Identity Management OpenID Connect -> Use manual registration

Fill in the form with the above collected data.

Step 10: Now login with SSO URL (https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain})

It will redirect you to the AWS Cognito UI login page.

Sign up:

You will get the below error. Just ignore it.

Step 11: In Cognito, check the users and groups.

Confirm the user:

Now again try to access Mule Anypoint with SSO user.

Thanks for reading.