Configuring attribute mapping for your user pool
Under the Sign-in experience tab, in the configuration of each identity provider (IdP) that you configure in your user pool, you can map IdP attributes or assertions to user pool attributes. For more information, see Specifying identity provider attribute mappings for your user pool.
Note
Currently, only the Facebook id, Google sub, Login with Amazon user_id, and Sign in with Apple sub attributes can be mapped to the Amazon Cognito User Pools username attribute.
Note
The attribute in the user pool must be large enough to contain the values of the mapped identity provider attributes, or an error will occur when users sign in. Custom attributes should be set to the maximum 2048 character size if mapped to identity provider tokens.
You must create mappings for any attributes that are required for your user pool.
To specify a social identity provider attribute mapping for your user pool
- Go to the Amazon Cognito console. If prompted, enter your AWS credentials.
- Choose User Pools from the navigation menu.
- Choose an existing user pool from the list, or create a user pool.
- Choose the Sign-in experience tab. Locate Federated identity provider sign-in.
- Choose Add an identity provider, or choose the Facebook, Google, Amazon or Apple identity provider you have configured. Locate Attribute mapping, and choose Edit. For more information about adding a social identity provider, see Adding social identity providers to a user pool.
- For each attribute you need to map, complete the following steps:
  - Select an attribute from the User pool attribute column. This is the attribute that is assigned to the user profile in your user pool. Custom attributes are listed after standard attributes.
  - Select an attribute from the <provider> attribute column. This is the attribute passed from the provider directory. Known attributes from the social provider are provided in a drop-down list.
  - To map additional attributes between your IdP and Amazon Cognito, choose Add another attribute.
- Choose Save changes.
To specify a SAML provider attribute mapping for your user pool
- Sign in to the Amazon Cognito console. If prompted, enter your AWS credentials.
- In the navigation pane, choose User Pools, and choose the user pool you want to edit.
- Choose the Sign-in experience tab and locate Federated identity provider sign-in.
- Choose Add an identity provider, or choose the SAML identity provider you have configured. Locate Attribute mapping, and choose Edit. For more information about adding a SAML identity provider, see Adding SAML identity providers to a user pool.
- For each attribute you need to map, complete the following steps:
  - Select an attribute from the User pool attribute column. This is the attribute that is assigned to the user profile in your user pool. Custom attributes are listed after standard attributes.
  - Enter the attribute name in the SAML attribute column. This is the attribute passed from the provider directory, and the name must match the attribute name in the assertion exactly. Your identity provider might offer sample SAML assertions for reference. Some identity providers use simple names, such as email, while others use URL-formatted attribute names similar to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  - To map additional attributes between your IdP and Amazon Cognito, choose Add another attribute.
- Choose Save changes.
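Both procedures above come down to building a map from user pool attributes to identity provider attributes and saving it. The following is an added example, not part of this page or of Amazon Cognito: a pre-flight check that applies the rules stated above to a proposed mapping before you save it (every required attribute must be mapped, only the four listed social identifier attributes may feed username, and a mapped custom attribute should allow 2048 characters), and then prints the equivalent aws cognito-idp update-identity-provider call, which is the API behind Save changes. The schema, the Google and SAML mappings and the provider name Okta are constructed sample data, and the user pool ID is a placeholder; the ProviderType values (Google, Facebook, LoginWithAmazon, SignInWithApple, SAML, OIDC) are the ones the Cognito API uses.

```python
"""Pre-flight checks for a Cognito identity-provider attribute mapping.

Added example (not Cognito code). All sample data below is constructed.
"""
import json

# Providers whose unique-identifier attribute may be mapped to the user pool
# username attribute; the note on this page lists exactly these four.
USERNAME_SOURCES = {
    "Facebook": "id",
    "Google": "sub",
    "LoginWithAmazon": "user_id",
    "SignInWithApple": "sub",
}
CUSTOM_MAX_LENGTH = 2048  # largest string length a custom attribute allows

# Constructed user pool schema, shaped like DescribeUserPool's SchemaAttributes
# (only the fields the checks read are included).
SAMPLE_SCHEMA = [
    {"Name": "email", "Required": True, "StringAttributeConstraints": {"MaxLength": "2048"}},
    {"Name": "name", "Required": True, "StringAttributeConstraints": {"MaxLength": "2048"}},
    {"Name": "phone_number", "Required": False, "StringAttributeConstraints": {"MaxLength": "2048"}},
    # custom attribute created with a constraint smaller than the maximum
    {"Name": "custom:employee_id", "Required": False, "StringAttributeConstraints": {"MaxLength": "256"}},
    {"Name": "custom:department", "Required": False, "StringAttributeConstraints": {"MaxLength": "2048"}},
]

# Constructed mapping for a Google provider: short claim names from the ID token.
GOOGLE_MAPPING = {"username": "sub", "email": "email", "name": "name"}
# Constructed mapping for a SAML provider that uses URL-formatted attribute names.
SAML_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "custom:employee_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
}
# Constructed SAML mapping that breaks two rules: username from SAML, name unmapped.
BAD_SAML_MAPPING = {"username": "NameID", "email": "email"}


def check_mapping(schema, provider_type, mapping):
    """Return problems with `mapping` ({user pool attribute: IdP attribute}).

    Entries starting with "error:" would be rejected or break sign-in;
    entries starting with "warning:" are advisories. Empty list means OK.
    """
    problems = []
    by_name = {attr["Name"]: attr for attr in schema}

    # 1. Every attribute marked Required in the pool must receive a value.
    for attr in schema:
        if attr.get("Required") and attr["Name"] not in mapping:
            problems.append(f"error: required attribute {attr['Name']!r} is not mapped")

    for pool_attr, idp_attr in mapping.items():
        # 2. username may only come from the four social providers' identifiers.
        if pool_attr == "username":
            expected = USERNAME_SOURCES.get(provider_type)
            if expected is None:
                problems.append(f"error: username cannot be mapped from a {provider_type} provider")
            elif idp_attr != expected:
                problems.append(
                    f"error: username must map from {provider_type} {expected!r}, not {idp_attr!r}")
            continue
        if pool_attr not in by_name:
            problems.append(f"error: {pool_attr!r} does not exist in the user pool schema")
            continue
        # 3. A custom attribute receiving token/assertion values should allow the
        #    2048-character maximum, or long values make sign-in fail.
        if pool_attr.startswith("custom:"):
            constraints = by_name[pool_attr].get("StringAttributeConstraints", {})
            max_len = int(constraints.get("MaxLength", 0))
            if max_len < CUSTOM_MAX_LENGTH:
                problems.append(
                    f"warning: {pool_attr!r} allows {max_len} characters; set MaxLength to {CUSTOM_MAX_LENGTH}")
    return problems


def update_command(user_pool_id, provider_name, mapping):
    """Build the CLI call that applies `mapping` (the API behind Save changes)."""
    return (
        "aws cognito-idp update-identity-provider "
        f"--user-pool-id {user_pool_id} --provider-name {provider_name} "
        f"--attribute-mapping '{json.dumps(mapping, sort_keys=True)}'"
    )


if __name__ == "__main__":
    for label, ptype, mapping in [("Google", "Google", GOOGLE_MAPPING),
                                  ("Okta", "SAML", SAML_MAPPING),
                                  ("Okta (bad)", "SAML", BAD_SAML_MAPPING)]:
        findings = check_mapping(SAMPLE_SCHEMA, ptype, mapping)
        print(f"{label}: {findings or 'mapping OK'}")
        if not any(f.startswith("error:") for f in findings):
            print("  " + update_command("us-east-1_EXAMPLE", label.split()[0], mapping))
```

Run the checks against the schema of your own pool (aws cognito-idp describe-user-pool returns it under UserPool.SchemaAttributes) before saving, and treat any error entry as a blocker: a required attribute without a mapping or a username sourced from a SAML or OIDC provider is exactly the kind of misconfiguration that surfaces only when the first federated user tries to sign in.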