CreateIdentityProvider
Creates an IdP for a user pool.
Request Syntax
{
"AttributeMapping": {
"string" : "string"
},
"IdpIdentifiers": [ "string" ],
"ProviderDetails": {
"string" : "string"
},
"ProviderName": "string",
"ProviderType": "string",
"UserPoolId": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- AttributeMapping
-
A mapping of IdP attributes to standard and custom user pool attributes.
Type: String to string map
Key Length Constraints: Minimum length of 1. Maximum length of 32.
Required: No
- IdpIdentifiers
-
A list of IdP identifiers.
Type: Array of strings
Array Members: Minimum number of 0 items. Maximum number of 50 items.
Length Constraints: Minimum length of 1. Maximum length of 40.
Pattern: [\w\s+=.@-]+
Required: No
- ProviderDetails
-
The IdP details. The following list describes the provider detail keys for each IdP type.
- For Google and Login with Amazon: client_id, client_secret, authorize_scopes
- For Facebook: client_id, client_secret, authorize_scopes, api_version
- For Sign in with Apple: client_id, team_id, key_id, private_key, authorize_scopes
- For OpenID Connect (OIDC) providers: client_id, client_secret, attributes_request_method, oidc_issuer, authorize_scopes. The following keys are only present if Amazon Cognito didn't discover them at the oidc_issuer URL: authorize_url, token_url, attributes_url, jwks_uri. Amazon Cognito sets the value of the following key automatically; it is read-only: attributes_url_add_attributes
- For SAML providers: MetadataFile or MetadataURL; IDPSignout (optional)
Type: String to string map
Required: Yes
- ProviderName
-
The IdP name.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 32.
Pattern: [^_][\p{L}\p{M}\p{S}\p{N}\p{P}][^_]+
Required: Yes
- ProviderType
-
The IdP type.
Type: String
Valid Values: SAML | Facebook | Google | LoginWithAmazon | SignInWithApple | OIDC
Required: Yes
- UserPoolId
-
The user pool ID.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern: [\w-]+_[0-9a-zA-Z]+
Required: Yes
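As an added example (not AWS's own code), a Python checker that tests a CreateIdentityProvider request body against the constraints documented above before it is sent: the required ProviderDetails keys per ProviderType, the UserPoolId and IdpIdentifiers patterns, and the length limits. The ProviderName check approximates the documented \p{..} pattern with a length and underscore test, since Python's re module has no \p classes; the sample request values are constructed placeholders.

```python
import re
# Required ProviderDetails keys per ProviderType, as listed on the page.
REQUIRED_DETAILS = {
    "Google": {"client_id", "client_secret", "authorize_scopes"},
    "LoginWithAmazon": {"client_id", "client_secret", "authorize_scopes"},
    "Facebook": {"client_id", "client_secret", "authorize_scopes", "api_version"},
    "SignInWithApple": {"client_id", "team_id", "key_id", "private_key", "authorize_scopes"},
    "OIDC": {"client_id", "client_secret", "attributes_request_method", "oidc_issuer", "authorize_scopes"},
}
USER_POOL_ID_RE = re.compile(r"[\w-]+_[0-9a-zA-Z]+")
IDP_IDENTIFIER_RE = re.compile(r"[\w\s+=.@-]+")

def validate_request(req: dict) -> list:
    """Return the documented constraints the request violates; an empty list means it passes."""
    problems = []
    pool = req.get("UserPoolId", "")
    if not (1 <= len(pool) <= 55 and USER_POOL_ID_RE.fullmatch(pool)):
        problems.append("UserPoolId must be 1-55 chars matching [\\w-]+_[0-9a-zA-Z]+")
    name = req.get("ProviderName", "")
    # Simplified form of the documented pattern: 3-32 chars, no leading or trailing underscore.
    if not 3 <= len(name) <= 32 or name.startswith("_") or name.endswith("_"):
        problems.append("ProviderName must be 3-32 chars and not start or end with '_'")
    ptype, details = req.get("ProviderType"), set(req.get("ProviderDetails", {}))
    if ptype == "SAML":
        if not {"MetadataFile", "MetadataURL"} & details:
            problems.append("SAML providers need MetadataFile or MetadataURL")
    elif ptype in REQUIRED_DETAILS:
        missing = sorted(REQUIRED_DETAILS[ptype] - details)
        if missing:
            problems.append(f"{ptype} is missing ProviderDetails keys: {', '.join(missing)}")
    else:
        problems.append("ProviderType must be SAML, Facebook, Google, LoginWithAmazon, SignInWithApple or OIDC")
    idents = req.get("IdpIdentifiers", [])
    if len(idents) > 50 or any(not (1 <= len(i) <= 40 and IDP_IDENTIFIER_RE.fullmatch(i)) for i in idents):
        problems.append("IdpIdentifiers: at most 50 items, each 1-40 chars matching [\\w\\s+=.@-]+")
    bad_keys = [k for k in req.get("AttributeMapping", {}) if not 1 <= len(k) <= 32]
    if bad_keys:
        problems.append(f"AttributeMapping keys must be 1-32 chars: {bad_keys}")
    return problems

# Constructed sample request with placeholder values (not a real pool, client or secret).
SAMPLE_OIDC_REQUEST = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ProviderName": "CorpOIDC",
    "ProviderType": "OIDC",
    "ProviderDetails": {"client_id": "placeholder-client-id", "client_secret": "placeholder-secret",
                        "attributes_request_method": "GET", "oidc_issuer": "https://issuer.example.com",
                        "authorize_scopes": "openid email"},
    "AttributeMapping": {"email": "email"}, "IdpIdentifiers": ["corp.example.com"],
}
```

Because ProviderDetails carries client_secret or private_key, load those from a secret store at call time rather than keeping them in a request dictionary that gets logged or committed.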
Response Syntax
{
"IdentityProvider": {
"AttributeMapping": {
"string" : "string"
},
"CreationDate": number,
"IdpIdentifiers": [ "string" ],
"LastModifiedDate": number,
"ProviderDetails": {
"string" : "string"
},
"ProviderName": "string",
"ProviderType": "string",
"UserPoolId": "string"
}
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- IdentityProvider
-
The newly created IdP object.
Type: IdentityProviderType object
Errors
For information about the errors that are common to all actions, see Common Errors.
- DuplicateProviderException
-
This exception is thrown when the provider is already supported by the user pool.
HTTP Status Code: 400
- InternalErrorException
-
This exception is thrown when Amazon Cognito encounters an internal error.
HTTP Status Code: 500
- InvalidParameterException
-
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
HTTP Status Code: 400
- LimitExceededException
-
This exception is thrown when a user exceeds the limit for a requested AWS resource.
HTTP Status Code: 400
- NotAuthorizedException
-
This exception is thrown when a user isn't authorized.
HTTP Status Code: 400
- ResourceNotFoundException
-
This exception is thrown when the Amazon Cognito service can't find the requested resource.
HTTP Status Code: 400
- TooManyRequestsException
-
This exception is thrown when the user has made too many requests for a given operation.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: