Amazon Cognito
Developer Guide

Specifying Identity Providers for Your User Pool

Note

The Identity providers tab appears only when you're editing an existing user pool.

In the Identity providers tab, you can specify identity providers (IdPs) for your user pool. For more information, see Using Federation for Amazon Cognito User Pools.

Allowing Users to Sign in Using a Social Identity Provider

You can use federation for Amazon Cognito User Pools to integrate with social identity providers such as Facebook, Google, and Login with Amazon.

To add a social identity provider, you first create a developer account with the identity provider. Once you have your developer account, you register your app with the identity provider. The identity provider creates an app ID and an app secret for your app, and you configure those values in your Amazon Cognito User Pools.

Here are links to help you get started with social identity providers:

To allow users to sign in using a social identity provider

  1. Choose a social identity provider such as Facebook, Google, or Login with Amazon.

  2. For the Facebook (or Google or Amazon) app ID, enter the app ID that you received when you created your Facebook, Google, or Login with Amazon client app.

  3. For App secret, enter the app secret that you received when you created your client app.

  4. For Authorize scopes, enter the names of the social identity provider scopes that you want to map to user pool attributes. Scopes define which user attributes (such as name and email) your app is allowed to access. For Facebook, separate the scope names with commas (for example, public_profile, email). For Google and Login with Amazon, separate them with spaces (Google example: profile email openid; Login with Amazon example: profile postal_code).

    The end user is asked to consent to providing these attributes to your app. For more information about each provider's scopes, see the documentation from Google, Facebook, and Login with Amazon.

  5. Choose Enable Facebook (or Enable Google or Enable Login with Amazon).

Allowing Users to Sign in Using Corporate ID via SAML

You can use federation for Amazon Cognito User Pools to integrate with a SAML identity provider (IdP). You supply a metadata document, either by uploading the file or by entering a metadata document endpoint URL. For information about obtaining metadata documents for third-party SAML IdPs, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

To allow users to sign in using corporate ID via SAML

  1. Choose Corporate ID via SAML to display the SAML identity provider options.

  2. To upload a metadata document, choose Select file, or enter a metadata document endpoint URL. The metadata document must be a valid XML file.

  3. Enter your SAML Provider name, for example, "SAML_provider_1", and any Identifiers you want. The provider name is required; the identifiers are optional. For more information, see Creating SAML Identity Providers for Your User Pool.

  4. Choose Create provider.

  5. To create additional providers, repeat the previous steps.

Note

If you see InvalidParameterException while creating a SAML identity provider with an HTTPS metadata endpoint URL, for example, "Error retrieving metadata from <metadata endpoint>," make sure that the metadata endpoint has SSL correctly set up and that there is a valid SSL certificate associated with it.