Specifying Identity Provider Attribute Mappings for Your User Pool
You can use the AWS Management Console, or the AWS CLI or API, to specify attribute mappings for your user pool's identity providers.
Requirements
Remember the following requirements when you map user pool attributes to identity pool attributes:
-
A mapping must be present for each user pool attribute that's required when a user signs in to your application. For example, if your user pool requires an email attribute for sign-in, map this attribute to its equivalent from the identity provider.
-
For each mapped user pool attribute, the maximum value length (2048 characters) must be large enough for the value that Amazon Cognito obtains from the identity provider. Otherwise, Amazon Cognito throws an error when users sign in to your application. If you map a custom attribute to an identity provider token, set the length to 2048 characters.
-
The
usernameuser pools attribute must be mapped only to specific attributes for the following identity providers:Identity Provider Attribute to Map to usernameFacebook idGoogle subLogin with Amazon user_idOpenID Connect (OIDC) providers sub -
Amazon Cognito must be able to update your mapped user pool attributes when users sign in to your application. When a user signs in through an identity provider, Amazon Cognito updates the mapped attributes with the latest information from the identity provider. Amazon Cognito updates each mapped attribute, even if its current value already matches the latest information. If Amazon Cognito can't update the attribute, it throws an error. To ensure that Amazon Cognito can update the attributes, check the following requirements:
-
The mapped user pool attributes must be mutable. Mutable attributes can be updated by app clients that have write permissions for those attributes. You can set user pool attributes as mutable when you define them in the Amazon Cognito console. Or, if you create your user pool by using the CreateUserPool API operation, you can set the
Mutableparameter for each of these attributes totrue. -
In the app client settings for your application, the mapped attributes must be writable. You can set which attributes are writable in the App clients page in the Amazon Cognito console. Or, if you create the app client by using the
CreateUserPoolClientAPI operation, you can add these attributes to theWriteAttributesarray.
-
Specifying Identity Provider Attribute Mappings for Your User Pool (AWS Management Console)
You can use the AWS Management Console to specify attribute mappings for your user pool's identity providers.
To specify a social identity provider attribute mapping
-
Sign in to the Amazon Cognito console.
-
In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.
-
Choose the Attribute mapping tab.
-
Choose the Facebook, Google, or Amazon tab.
-
For each attribute you need to map, perform the following steps:
-
Select the Capture check box.
-
For User pool attribute, in the drop-down list, choose the user pool attribute you want to map to the social identity provider attribute.
-
If you need more attributes, choose Add Facebook attribute (or Add Google attribute or Add Amazon attribute) and perform the following steps:
-
In the Facebook attribute (or Google attribute or Amazon attribute) field, enter the name of the attribute to be mapped.
-
In the User pool attribute field, choose the user pool attribute to map the social identity provider attribute to from the drop-down list.
-
-
Choose Save changes.
-
To specify a SAML provider attribute mapping
-
Sign in to the Amazon Cognito console.
-
In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.
-
Choose the Attribute mapping tab.
-
Choose the SAML tab.
-
Select the Capture box for all attributes for which you want to capture values. If you clear the Capture box for an attribute and save your changes, that attribute's mapping is removed.
-
Choose the identity provider from the drop-down list.
-
For each attribute you need to map, perform the following steps:
-
Choose Add SAML attribute.
-
In the SAML attribute field, enter the name of the SAML attribute to be mapped.
-
In the User pool attribute field, choose the user pool attribute to map the SAML attribute to from the drop-down list.
-
-
Choose Save changes.
Specifying Identity Provider Attribute Mappings for Your User Pool (AWS CLI and AWS API)
Use the following commands to specify identity provider attribute mappings for your user pool.
To specify attribute mappings at provider creation time
-
AWS CLI:
aws cognito-idp create-identity-providerExample with metadata file:
aws cognito-idp create-identity-provider --user-pool-id<user_pool_id>--provider-name=SAML_provider_1 --provider-type SAML --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressWhere
details.jsoncontains:{ "MetadataFile": "<SAML metadata XML>" }Note
If the
<SAML metadata XML>contains any quotations ("), they must be escaped (\").Example with metadata URL:
aws cognito-idp create-identity-provider --user-pool-id<user_pool_id>--provider-name=SAML_provider_1 --provider-type SAML --provider-details MetadataURL=<metadata_url>--attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -
AWS API: CreateIdentityProvider
To specify attribute mappings for an existing identity provider
-
AWS CLI:
aws cognito-idp update-identity-providerExample:
aws cognito-idp update-identity-provider --user-pool-id<user_pool_id>--provider-name<provider_name>--attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -
AWS API: UpdateIdentityProvider
To get information about attribute mapping for a specific identity provider
-
AWS CLI:
aws cognito-idp describe-identity-providerExample:
aws cognito-idp describe-identity-provider --user-pool-id<user_pool_id>--provider-name<provider_name> -
AWS API: DescribeIdentityProvider
