Amazon Cognito
Developer Guide

Configuring Identity Providers for Your User Pool


The Identity providers tab appears only when you're editing an existing user pool.

In the Identity providers tab, you can specify identity providers (IdPs) for your user pool. For more information, see Adding User Pool Sign-in Through a Third Party.

Allowing Users to Sign in Using a Social Identity Provider

You can use federation for Amazon Cognito User Pools to integrate with social identity providers such as Facebook, Google, and Login with Amazon.

To add a social identity provider, you first create a developer account with the identity provider. Once you have your developer account, you register your app with the identity provider. The identity provider creates an app ID and an app secret for your app, and you configure those values in your Amazon Cognito User Pools.

Here are links to help you get started with social identity providers:

To allow users to sign in using a social identity provider

  1. Choose a social identity provider such as Facebook, Google, or Login with Amazon.

  2. For the Facebook (or Google or Amazon) app ID, enter the app ID that you received when you created your Facebook, Google, or Login with Amazon client app.

  3. For App secret, enter the app secret that you received when you created your client app.

  4. For Authorize scopes, enter the names of the social identity provider scopes that you want to map to user pool attributes. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas (for example, public_profile, email). For Google and Login with Amazon, they should be separated by spaces. (Google example: profile email openid. Login with Amazon example: profile postal_code.)

    The end-user is asked to consent to providing these attributes to your app. For more information about their scopes, see the documentation from Google, Facebook, and Login with Amazon.

  5. Choose Enable Facebook (or Enable Google or Enable Login with Amazon).

Allowing Users to Sign in Using SAML

You can use federation for Amazon Cognito User Pools to integrate with a SAML identity provider (IdP). You supply a metadata document, either by uploading the file or by entering a metadata document endpoint URL. For information about obtaining metadata documents for third-party SAML IdPs, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

To allow users to sign in using SAML

  1. Choose SAML to display the SAML identity provider options.

  2. To upload a metadata document, choose Select file, or enter a metadata document endpoint URL. The metadata document must be a valid XML file.

  3. Enter your SAML Provider name, for example, "SAML_provider_1", and any Identifiers you want. The provider name is required; the identifiers are optional. For more information, see Adding SAML Identity Providers for Your User Pool.

  4. Select Enable IdP sign out flow when you want your user to be logged out from a SAML IdP when logging out from Amazon Cognito.

    Enabling this flow sends a signed logout request to the SAML IdP when the LOGOUT Endpoint is called.


    If this option is selected and your SAML identity provider expects a signed logout request, you will also need to configure the signing certificate provided by Amazon Cognito with your SAML IdP.

    The SAML IdP will process the signed logout request and logout your user from the Amazon Cognito session.

  5. Choose Create provider.

  6. To create additional providers, repeat the previous steps.


If you see InvalidParameterException while creating a SAML identity provider with an HTTPS metadata endpoint URL, for example, "Error retrieving metadata from <metadata endpoint>," make sure that the metadata endpoint has SSL correctly set up and that there is a valid SSL certificate associated with it.

To set up the SAML IdP to add a signing certificate

  • To get the certificate containing the public key which will be used by the identity provider to verify the signed logout request, choose Show signing certificate under Active SAML Providers on the SAML dialog under Identity providers on the Federation console page.