Tags: aws-lambda, single-sign-on, amazon-cognito, saml

Simple way to put AWS Lambda app behind SAML authentication


I have a simple AWS Lambda app. I need to front it with SSO; our IdP provider is Okta. The app is rarely used by a large number of employees. What would be the easiest way to do that without additional expenses and InfoSec complications (Amazon Cognito, ...)?


Solution

  • Note: You have in parentheses (Amazon Cog[n]ito, ...). I assume you are supplying Amazon Cognito as something you are considering, not something you want to avoid.

    I think a relatively easy and cost-effective way would be to:

    1. Put your AWS Lambda app behind an AWS API Gateway REST API. Use Lambda proxy integration if you want to have the Lambda app handle all paths.
    2. Set up a Cognito User Pool with Okta as a SAML identity provider (https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider).
    3. Set up a Cognito authorizer for your API Gateway API.

    There will be some cost associated with the user pool and API, but I think this will be small compared to the complexity you would have to assume by handling all the SAML flows in your own code.
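As an added illustration of what the Lambda side of steps 1 and 3 looks like (this is example code, not part of the question or the answer above): with a Lambda proxy integration and a Cognito user pool authorizer on the REST API, API Gateway validates the token before the function runs and places the token's claims under `event["requestContext"]["authorizer"]["claims"]`. The handler should take the caller's identity only from that authorizer context, never from client-supplied headers, and fail closed if the claims are missing (which happens if a method is deployed with authorization set to `NONE`). The sample events, claim values and the `/whoami` route are constructed for this example.

```python
import json
import logging

logger = logging.getLogger(__name__)

# Constructed sample proxy event, shaped like what API Gateway (REST API,
# Lambda proxy integration) delivers after a Cognito user pool authorizer has
# accepted the caller's token. All values are made up for illustration.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/whoami",
    "headers": {
        # Client-controlled header; the handler must never use it for identity.
        "X-User-Email": "someone-else@example.com",
    },
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "alice@example.com",
                "cognito:username": "okta_alice@example.com",
                "token_use": "id",
            }
        }
    },
}

# The same request with no authorizer context, as it would arrive if the
# method were deployed without the Cognito authorizer attached.
UNAUTH_EVENT = {
    "httpMethod": "GET",
    "path": "/whoami",
    "headers": {"X-User-Email": "someone-else@example.com"},
    "requestContext": {},
}


def caller_identity(event):
    """Return the identity asserted by the authorizer, or None if absent.

    Only the claims API Gateway attached after validating the Cognito token
    are consulted; request headers are ignored on purpose.
    """
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
    if not isinstance(claims, dict) or "sub" not in claims:
        return None
    return {
        "sub": claims["sub"],
        "email": claims.get("email"),
        "username": claims.get("cognito:username"),
    }


def _response(status, body):
    """Build a Lambda proxy integration response."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
        "body": json.dumps(body),
    }


def handler(event, context=None):
    """Lambda entry point for the proxy-integrated REST API."""
    identity = caller_identity(event)
    if identity is None:
        # Fail closed: if the authorizer did not run, do not serve the request.
        logger.warning("request without authorizer claims: %s %s",
                       event.get("httpMethod"), event.get("path"))
        return _response(401, {"error": "unauthenticated"})

    # Log the verified caller for audit; sub is stable, email is informational.
    logger.info("caller sub=%s email=%s", identity["sub"], identity["email"])

    method, path = event.get("httpMethod"), event.get("path")
    if method == "GET" and path == "/whoami":
        return _response(200, identity)
    return _response(404, {"error": "not found"})


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))   # 200 with alice@example.com
    print(handler(UNAUTH_EVENT))   # 401
```

The 401 branch is a defence in depth check: the authorizer is what actually enforces authentication, but reading the identity from the authorizer context alone means a misconfigured method cannot be turned into anonymous access by a spoofed header.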