Amazon Cognito
Developer Guide

Integrating User Pools with Federated Identities

Amazon Cognito user pools represent an identity provider that you manage. To enable users in your user pool to access AWS resources through your client apps, you must configure Amazon Cognito Federated Identities to accept users that are federated with your user pool.

Setting Up a User Pool

Create an Amazon Cognito user pool and make a note of the User Pool ID and App Client ID for each of your client apps. For more information about creating user pools, see Amazon Cognito User Pools. For more information about creating apps (to get app client IDs) for your client apps, see Specifying User Pool App Settings.

You can create multiple user pools, and each user pool can have multiple apps.

Configuring Your Identity Pool Using the AWS Management Console

The following procedure describes how to use the AWS Management Console to integrate an identity pool with one or more user pools and client apps.

To configure your identity pool

  1. Open the Amazon Cognito console.

  2. Choose Manage Federated Identities.

  3. Choose the name of the identity pool for which you want to enable Amazon Cognito user pools as a provider.

  4. On the Dashboard page, choose Edit identity pool.

  5. Expand the Authentication providers section.

  6. Choose Cognito.

  7. Type the User Pool ID.

  8. Type the App Client ID. This must be the same client app ID that you received when you created the app in the Your User Pools section of the AWS Management Console for Amazon Cognito.

  9. If you have additional apps or user pools, choose Add Another Provider and type the User Pool ID and App Client ID for each app in each user pool.

  10. When you have no more apps or user pools to add, choose Save changes.

    If successful, you will see Changes saved successfully. on the Dashboard page.

Using Amazon Cognito User Pools

Follow the instructions in Authentication Flow to authenticate users.

After the user is authenticated, add that user's identity token to the logins map in the credentials provider. The provider name will depend on your Amazon Cognito user pool ID. It will have the following structure:


The value for <region> will be the same as the region in the User Pool ID. For example,

iOS - Objective-C

AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:nil]; AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID" clientSecret:@"YOUR_CLIENT_SECRET" poolId:@"YOUR_USER_POOL_ID"]; [AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"]; AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"]; AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"YOUR_IDENTITY_POOL_ID" identityProviderManager:pool];

iOS - Swift

let serviceConfiguration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: nil) let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YOUR_CLIENT_ID", clientSecret: "YOUR_CLIENT_SECRET", poolId: "YOUR_USER_POOL_ID") AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "UserPool") let pool = AWSCognitoIdentityUserPool(forKey: "UserPool") let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YOUR_IDENTITY_POOL_ID", identityProviderManager:pool)


cognitoUser.getSessionInBackground(new AuthenticationHandler() { @Override public void onSuccess(CognitoUserSession session) { String idToken = session.getIdToken().getJWTToken(); Map<String, String> logins = new HashMap<String, String>(); logins.put("cognito-idp.<region><YOUR_USER_POOL_ID>", session.getIdToken().getJWTToken()); credentialsProvider.setLogins(logins); } });


var cognitoUser = userPool.getCurrentUser(); if (cognitoUser != null) { cognitoUser.getSession(function(err, result) { if (result) { console.log('You are now logged in.'); // Add the User's Id Token to the Cognito credentials login map. AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'YOUR_IDENTITY_POOL_ID', Logins: { 'cognito-idp.<region><YOUR_USER_POOL_ID>': result.getIdToken().getJwtToken() } }); } }); }