Amazon Cognito
Developer Guide (Version Last Updated: 07/28/2016)

Specifying Identity Provider Attribute Mappings for Your User Pool

You can use the AWS Management Console, or the AWS CLI or API, to specify attribute mappings for your user pool's identity providers.

Specifying Identity Provider Attribute Mappings for Your User Pool (AWS Management Console)

You can use the AWS Management Console to specify attribute mappings for your user pool's identity providers.

Note

Currently, only the Facebook id, Google sub, and Login with Amazon user_id attributes can be mapped to the Amazon Cognito user pools username attribute.

Note

Make sure the attribute in the Amazon Cognito User Pool is large enough to fit the values of the mapped identity provider attributes, or an error occurs when users sign in. Custom attributes should be set to the maximum 2048 character size if mapped to identity provider tokens.

Make sure you create mappings for any attributes that are required for your user pool.

To specify a social identity provider attribute mapping

  1. Sign in to the Amazon Cognito console.

  2. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  3. Choose the Attribute mapping tab.

  4. Choose the Facebook, Google, or Amazon tab.

  5. For each attribute you need to map, perform the following steps:

    1. Select the Capture check box.

    2. For User pool attribute, choose from the drop-down list the user pool attribute that the social identity provider attribute should be mapped to.

    3. If you need more attributes, choose Add Facebook attribute (or Add Google attribute or Add Amazon attribute) and perform the following steps:

      1. In the Facebook attribute (or Google attribute or Amazon attribute) field, enter the name of the attribute to be mapped.

      2. In the User pool attribute field, choose from the drop-down list the user pool attribute that the social identity provider attribute should be mapped to.

    4. Choose Save changes.

To specify a SAML provider attribute mapping

  1. Sign in to the Amazon Cognito console.

  2. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  3. Choose the Attribute mapping tab.

  4. Choose the SAML tab.

  5. Select the Capture box for all attributes for which you want to capture values. If you clear the Capture box for an attribute and save your changes, that attribute's mapping is removed.

  6. Choose the identity provider from the drop-down list.

  7. For each attribute you need to map, perform the following steps:

    1. Choose Add SAML attribute.

    2. In the SAML attribute field, enter the name of the SAML attribute to be mapped.

    3. In the User pool attribute field, choose from the drop-down list the user pool attribute that the SAML attribute should be mapped to.

  8. Choose Save changes.

Specifying Identity Provider Attribute Mappings for Your User Pool (AWS CLI and AWS API)

Use the following commands to specify identity provider attribute mappings for your user pool.

To specify attribute mappings at provider creation time

  • AWS CLI: aws cognito-idp create-identity-provider

    Example with metadata file: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Where details.json contains:

    { 
        "MetadataFile": "<SAML metadata XML>"
    }

    Note

    If the <SAML metadata XML> contains any quotations ("), they must be escaped (\").

    Example with metadata URL: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details MetadataURL=<metadata_url> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • AWS API: CreateIdentityProvider
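The following is an added example, not code from the Amazon Cognito documentation: a small Python helper that writes the details.json above with the quotation marks in the SAML metadata escaped, checks a proposed --attribute-mapping against the two notes earlier on this page (required attributes must be mapped; only Facebook id, Google sub and Login with Amazon user_id may map to username; mapped custom attributes should allow 2048 characters), and renders the create-identity-provider command without running it. The sample metadata, the required-attribute list and the custom attribute lengths are constructed inputs; in practice they come from your IdP and from describe-user-pool.

```python
import json
import shlex

# From the page: the only provider attributes that may be mapped to `username`
# (keys are --provider-type values; LoginWithAmazon is the API name for the
# console's "Amazon" tab).
USERNAME_SOURCES = {"Facebook": "id", "Google": "sub", "LoginWithAmazon": "user_id"}
MAX_ATTR_LEN = 2048  # page: mapped custom attributes should use the 2048-char maximum


def build_provider_details(metadata_xml: str) -> str:
    """JSON body for --provider-details. json.dumps escapes every embedded
    quotation mark as \\" so the metadata survives the file:// round trip."""
    return json.dumps({"MetadataFile": metadata_xml})


def check_attribute_mapping(provider_type, mapping, required_attrs, custom_max_len=None):
    """Return a list of problems in `mapping` (user-pool attribute -> provider attribute).
    required_attrs: user-pool attributes marked Required in the pool schema.
    custom_max_len: custom attribute -> its configured MaxLength (constructed here)."""
    problems = []
    for attr in required_attrs:
        if attr not in mapping:
            problems.append(f"required attribute {attr} has no mapping; sign-in will fail")
    if "username" in mapping:
        allowed = USERNAME_SOURCES.get(provider_type)
        if mapping["username"] != allowed:
            problems.append(f"username may only be mapped from {allowed or 'nothing'} for {provider_type}")
    for attr, max_len in (custom_max_len or {}).items():
        if attr in mapping and max_len < MAX_ATTR_LEN:
            problems.append(f"{attr} MaxLength {max_len} < {MAX_ATTR_LEN}; long values cause a sign-in error")
    return problems


def create_provider_command(user_pool_id, provider_name, details_path, mapping):
    """argv for the page's SAML create-identity-provider example (not executed here)."""
    return ["aws", "cognito-idp", "create-identity-provider",
            "--user-pool-id", user_pool_id, "--provider-name", provider_name,
            "--provider-type", "SAML", "--provider-details", f"file://{details_path}",
            "--attribute-mapping", *[f"{k}={v}" for k, v in mapping.items()]]


if __name__ == "__main__":
    # Constructed sample metadata containing quotation marks that must be escaped.
    xml = '<EntityDescriptor entityID="https://idp.example.com/metadata"/>'
    with open("details.json", "w") as fh:
        fh.write(build_provider_details(xml))
    mapping = {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
    for problem in check_attribute_mapping("SAML", mapping, ["email"]):
        print("WARNING:", problem)
    print(shlex.join(create_provider_command("<user_pool_id>", "SAML_provider_1", "details.json", mapping)))
```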

To specify attribute mappings for an existing identity provider

  • AWS CLI: aws cognito-idp update-identity-provider

    Example: aws cognito-idp update-identity-provider --user-pool-id <user_pool_id> --provider-name <provider_name> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • AWS API: UpdateIdentityProvider

To get information about attribute mapping for a specific identity provider

  • AWS CLI: aws cognito-idp describe-identity-provider

    Example: aws cognito-idp describe-identity-provider --user-pool-id <user_pool_id> --provider-name <provider_name>

  • AWS API: DescribeIdentityProvider