Amazon Cognito
Developer Guide

Configuring Identity Providers for Your User Pool

Note

The Identity providers tab appears only when you're editing an existing user pool.

In the Identity providers tab, you can specify identity providers (IdPs) for your user pool. For more information, see Adding User Pool Sign-in Through a Third Party.

Allowing Users to Sign in Using a Social Identity Provider

You can use federation for Amazon Cognito User Pools to integrate with social identity providers such as Facebook, Google, and Login with Amazon.

To add a social identity provider, you first create a developer account with the identity provider. Once you have your developer account, you register your app with the identity provider. The identity provider creates an app ID and an app secret for your app, and you configure those values in your Amazon Cognito User Pools.

Here are links to help you get started with social identity providers:

To allow users to sign in using a social identity provider

  1. Choose a social identity provider such as Facebook, Google, or Login with Amazon.

  2. For the Facebook (or Google or Amazon) app ID, enter the app ID that you received when you created your Facebook, Google, or Login with Amazon client app.

  3. For App secret, enter the app secret that you received when you created your client app.

  4. For Authorize scopes, enter the names of the social identity provider scopes that you want to map to user pool attributes. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas (for example, public_profile, email). For Google and Login with Amazon, they should be separated by spaces. (Google example: profile email openid. Login with Amazon example: profile postal_code.)

    The end user is asked to consent to providing these attributes to your app. For more information about each provider's scopes, see the documentation from Google, Facebook, and Login with Amazon.

  5. Choose Enable Facebook (or Enable Google or Enable Login with Amazon).

For more information on Social IdPs see .

Allowing Users to Sign in Using an OpenID Connect (OIDC) Identity Provider

You can enable your users to sign in through an OIDC identity provider (IdP) such as Salesforce or Ping Identity.

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose Manage your User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. On the left navigation bar, choose Identity providers.

  5. Choose OpenId Connect.

  6. Type a unique name into Provider name.

  7. Type the OIDC IdP's client ID into Client ID.

  8. Type the OIDC IdP's client secret into Client secret.

  9. In the Attributes request method drop-down list, choose the HTTP method (either GET or POST) that is used to fetch the user's details from the userinfo endpoint.

  10. Type the names of the scopes that you want to authorize. Scopes define which user attributes (such as name and email) you want to access with your application. Scopes are separated by spaces, according to the OAuth 2.0 specification.

    Your app user is asked to consent to providing these attributes to your application.

  11. Type the URL of your IdP and choose Run discovery.

    For example, Salesforce uses this URL:

    https://login.salesforce.com

    Note

    The URL should start with https://, and shouldn't end with a slash /.

    1. If Run discovery isn't successful, then you need to provide the Authorization endpoint, Token endpoint, Userinfo endpoint, and Jwks uri (the location of the JSON Web Key Set used to verify the IdP's tokens).

  12. Choose Create provider.

  13. On the left navigation bar, choose App client settings.

  14. Select your OIDC provider as one of the Enabled Identity Providers.

  15. Type a callback URL for the Amazon Cognito authorization server to call after users are authenticated. This is the URL of the page where your user will be redirected after a successful sign-in.

    https://www.example.com

  16. Under Allowed OAuth Flows, enable both the Authorization code grant and the Implicit code grant.

    Unless you specifically want to exclude one, select the check boxes for all of the Allowed OAuth scopes.

  17. Choose Save changes.

  18. On the Attribute mapping tab on the left navigation bar, add mappings of OIDC claims to user pool attributes.

    1. As a default, the OIDC claim sub is mapped to the user pool attribute Username. You can map other OIDC claims to user pool attributes. Type in the OIDC claim, and choose the corresponding user pool attribute from the drop-down list. For example, the claim email is often mapped to the user pool attribute Email.

    2. In the drop-down list, choose the destination user pool attribute.

    3. Choose Save changes.

    4. Choose Go to summary.

For more information on OIDC IdPs see Adding OIDC Identity Providers to a User Pool.
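As an added example (not code from the Amazon Cognito documentation), the following Python reproduces what steps 11 and 11.1 ask for: it validates the issuer URL against the rules in the note (https://, no trailing slash), reads an OpenID Connect discovery document, and reports which endpoints must be typed in by hand when discovery is incomplete. The discovery document and the idp.example.com host are constructed for the example; the issuer-match check is an OIDC Discovery rule added here, not a console step.

```python
import json
from urllib.parse import urlparse

# Values the console's "Run discovery" fills in; if any is missing you must
# supply it manually (step 11.1). Keys are the standard discovery field names.
REQUIRED_ENDPOINTS = {
    "authorization_endpoint": "Authorization endpoint",
    "token_endpoint": "Token endpoint",
    "userinfo_endpoint": "Userinfo endpoint",
    "jwks_uri": "Jwks uri",
}


def validate_issuer_url(url):
    """Apply the note's rules and return the discovery document URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("issuer URL must start with https://")
    if url.endswith("/"):
        raise ValueError("issuer URL must not end with a slash")
    if not parsed.netloc:
        raise ValueError("issuer URL must contain a host name")
    return url + "/.well-known/openid-configuration"


def resolve_endpoints(issuer, discovery_json, manual=None):
    """Merge discovered endpoints with manually supplied ones.

    Discovery values win; manual values fill gaps. Every endpoint must be
    https, and a discovery document must name the issuer it was fetched from
    (a mismatch means the document belongs to a different IdP)."""
    doc = json.loads(discovery_json) if discovery_json else {}
    if doc and doc.get("issuer") != issuer:
        raise ValueError("discovery issuer %r != %r" % (doc.get("issuer"), issuer))
    manual = manual or {}
    resolved, missing = {}, []
    for key, label in REQUIRED_ENDPOINTS.items():
        value = doc.get(key) or manual.get(key)
        if not value:
            missing.append(label)
            continue
        if urlparse(value).scheme != "https":
            raise ValueError("%s must use https: %s" % (label, value))
        resolved[key] = value
    if missing:
        raise ValueError("discovery incomplete; supply: " + ", ".join(missing))
    return resolved


# Constructed sample discovery document (not a real IdP's response).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
})
```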

Allowing Users to Sign in Using SAML

You can use federation for Amazon Cognito User Pools to integrate with a SAML identity provider (IdP). You supply a metadata document, either by uploading the file or by entering a metadata document endpoint URL. For information about obtaining metadata documents for third-party SAML IdPs, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

To allow users to sign in using SAML

  1. Choose SAML to display the SAML identity provider options.

  2. To upload a metadata document, choose Select file, or enter a metadata document endpoint URL. The metadata document must be a valid XML file.

  3. Enter your SAML Provider name, for example, "SAML_provider_1", and any Identifiers you want. The provider name is required; the identifiers are optional. For more information, see Adding SAML Identity Providers to a User Pool.

  4. Select Enable IdP sign out flow when you want your user to be logged out from a SAML IdP when logging out from Amazon Cognito.

    Enabling this flow sends a signed logout request to the SAML IdP when the LOGOUT Endpoint is called.

    Note

    If this option is selected and your SAML identity provider expects a signed logout request, you will also need to configure the signing certificate provided by Amazon Cognito with your SAML IdP.

    The SAML IdP will process the signed logout request and log your user out of the Amazon Cognito session.

  5. Choose Create provider.

  6. To create additional providers, repeat the previous steps.

Note

If you see InvalidParameterException while creating a SAML identity provider with an HTTPS metadata endpoint URL, for example, "Error retrieving metadata from <metadata endpoint>," make sure that the metadata endpoint has SSL correctly set up and that there is a valid SSL certificate associated with it.

To set up the SAML IdP to add a signing certificate

  • To get the certificate containing the public key that the identity provider uses to verify the signed logout request, go to the Federation console page, choose Identity providers, open the SAML dialog, and under Active SAML Providers choose Show signing certificate.

For more information on SAML IdPs see Adding SAML Identity Providers to a User Pool.