Creating user accounts as administrator - Amazon Cognito


User pools aren't only a customer identity and access management (CIAM) user directory, where anyone on the internet can sign up for a user profile in your application. You can disable self-service sign-up. You might already know your customers and want to only admit those who have been authorized in advance. You can put manual authentication guardrails around your application with a private SAML 2.0 or OIDC identity provider, by importing users, by screening users at sign-up—or by creating users with administrative API operations. Your workflow for administrative creation of users can be programmatic, provisioning users after they register in another system, or it can be on a case-by-case or testing basis in the Amazon Cognito console.

When you create users as an administrator, Amazon Cognito sets a temporary password for them and sends a welcome, or invitation, message. They can follow the link in their invitation message and sign in for the first time, setting a password and confirming their account. The page that follows describes how to create new users and configure the welcome message. For more information about user creation with the user pools API and an AWS SDK or CDK, see AdminCreateUser.

After you create your user pool, you can create users using the AWS Management Console, as well as the AWS Command Line Interface or the Amazon Cognito API. You can create a profile for a new user in a user pool and send a welcome message with sign-up instructions to the user via SMS or email.

Developers and administrators can perform the following tasks:

  • Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API.

  • Set user attribute values.

  • Create custom attributes.

  • Set the value of immutable custom attributes in AdminCreateUser API requests. This feature isn't available in the Amazon Cognito console.

  • Specify the temporary password or allow Amazon Cognito to automatically generate one.

  • Specify whether provided email addresses and phone numbers are marked as verified for new users.

  • Specify custom SMS and email invitation messages for new users via the AWS Management Console or a Custom Message Lambda trigger. For more information, see Customizing user pool workflows with Lambda triggers.

  • Specify whether invitation messages are sent via SMS, email, or both.

  • Resend the welcome message to an existing user by calling the AdminCreateUser API, specifying RESEND for the MessageAction parameter.

    Note

    This action cannot currently be performed using the AWS Management Console.

  • Suppress the sending of the invitation message when the user is created.

  • Specify an expiration time limit for the user account (up to 90 days).

  • Allow users to sign themselves up or require that new users only be added by the administrator.
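The following is an added example, not AWS or Amazon Cognito code, that assembles the AdminCreateUser request exercising the administrative options listed above: verified email or phone attributes, immutable custom attributes, a chosen or generated temporary password, the delivery mediums, and the RESEND and SUPPRESS message actions. The parameter names (UserPoolId, Username, UserAttributes, TemporaryPassword, DesiredDeliveryMediums, MessageAction) are the real API fields; the user pool ID, user name and attribute values are placeholders, and the boto3 call is only made by admin_create_user when you pass a real client.

```python
# Added example (not AWS code): build and validate an AdminCreateUser request.
from typing import Dict, List, Optional

VALID_MEDIUMS = {"SMS", "EMAIL"}
VALID_MESSAGE_ACTIONS = {"RESEND", "SUPPRESS"}


def build_admin_create_user_request(
    user_pool_id: str,
    username: str,
    email: Optional[str] = None,
    phone_number: Optional[str] = None,
    mark_verified: bool = False,
    custom_attributes: Optional[Dict[str, str]] = None,
    temporary_password: Optional[str] = None,
    delivery_mediums: Optional[List[str]] = None,
    message_action: Optional[str] = None,
) -> dict:
    """Return the keyword arguments for a boto3 cognito-idp
    admin_create_user() call, validating the option combinations first."""
    mediums = list(delivery_mediums or [])
    unknown = set(mediums) - VALID_MEDIUMS
    if unknown:
        raise ValueError(f"unknown delivery medium(s): {sorted(unknown)}")
    if message_action is not None and message_action not in VALID_MESSAGE_ACTIONS:
        raise ValueError(f"MessageAction must be one of {sorted(VALID_MESSAGE_ACTIONS)}")

    # An invitation can only be delivered to a channel the profile has a
    # destination for, so reject EMAIL/SMS without the matching attribute.
    if "EMAIL" in mediums and not email:
        raise ValueError("EMAIL delivery requested but no email attribute given")
    if "SMS" in mediums and not phone_number:
        raise ValueError("SMS delivery requested but no phone_number attribute given")

    attributes: List[Dict[str, str]] = []
    if email:
        attributes.append({"Name": "email", "Value": email})
        if mark_verified:
            # A verified address lets the user sign in with it (email alias)
            # without a separate verification round trip.
            attributes.append({"Name": "email_verified", "Value": "true"})
    if phone_number:
        attributes.append({"Name": "phone_number", "Value": phone_number})
        if mark_verified:
            attributes.append({"Name": "phone_number_verified", "Value": "true"})
    for name, value in (custom_attributes or {}).items():
        # Custom attributes are always addressed with the custom: prefix;
        # immutable ones can only be given a value here, at creation time.
        attributes.append({"Name": f"custom:{name}", "Value": value})

    request: dict = {"UserPoolId": user_pool_id, "Username": username}
    if attributes:
        request["UserAttributes"] = attributes
    if temporary_password is not None:
        request["TemporaryPassword"] = temporary_password
    if mediums:
        request["DesiredDeliveryMediums"] = mediums
    if message_action is not None:
        # RESEND re-invites an existing user and resets the account expiry;
        # SUPPRESS creates the profile without sending any message.
        request["MessageAction"] = message_action
    return request


def admin_create_user(client, **kwargs) -> dict:
    """Send the request with a boto3 cognito-idp client (or any object that
    exposes admin_create_user) and return the service response."""
    return client.admin_create_user(**build_admin_create_user_request(**kwargs))


if __name__ == "__main__":
    # Dry run: print the request for a user invited by email with a
    # pre-verified address. No AWS call is made here.
    import json
    print(json.dumps(build_admin_create_user_request(
        "us-east-1_EXAMPLE",          # placeholder user pool ID
        "jdoe",
        email="jdoe@example.com",
        mark_verified=True,
        delivery_mediums=["EMAIL"],
        custom_attributes={"tenant_id": "acme"},
    ), indent=2))
```

Keeping request assembly separate from the API call lets you review exactly which attributes will be marked verified and which channel the temporary password will travel over before the caller's IAM credentials are used.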

Authentication flow for users created by administrators or developers

The authentication flow for these users includes the extra step to submit the new password and provide any missing values for required attributes. The steps are outlined next; steps 5, 6, and 7 are specific to these users.

  1. The user starts to sign in for the first time by submitting their user name and password.

  2. The SDK calls InitiateAuth(Username, USER_SRP_AUTH).

  3. Amazon Cognito returns the PASSWORD_VERIFIER challenge with the salt and secret block.

  4. The SDK performs the SRP calculations and calls RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER).

  5. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge. The body of this challenge includes the user's current attributes, and any required attributes in your user pool that don't currently have a value in the user's profile. For more information, see RespondToAuthChallenge.

  6. The user is prompted and enters a new password and any missing values for required attributes.

  7. The SDK calls RespondToAuthChallenge(Username, <New password>, <User attributes>).

  8. If the user requires a second factor for MFA, Amazon Cognito returns the SMS_MFA challenge and the code is submitted.

  9. After the user has successfully changed their password and, where required, provided attribute values or completed MFA, the user is signed in and tokens are issued.
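The following is an added example, not AWS or Amazon Cognito code, of the client side of steps 5 through 8 once the SRP exchange is done. It parses the NEW_PASSWORD_REQUIRED challenge (the requiredAttributes parameter is a JSON array of userAttributes.<name> strings and userAttributes a JSON object of current values), builds the RespondToAuthChallenge request carrying the new password and the missing attribute values, and builds the answer to a following SMS_MFA challenge. The SECRET_HASH formula and the ChallengeResponses keys are the real ones; the challenge payload, session token, client ID and client secret are constructed placeholders.

```python
# Added example (not AWS code): answer NEW_PASSWORD_REQUIRED and SMS_MFA.
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

ATTR_PREFIX = "userAttributes."


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Required in every challenge response when the app client has a secret."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def required_attributes(challenge: dict) -> List[str]:
    """Attribute names the pool still needs, from the requiredAttributes parameter."""
    raw = challenge.get("ChallengeParameters", {}).get("requiredAttributes", "[]")
    return [item[len(ATTR_PREFIX):] for item in json.loads(raw)
            if item.startswith(ATTR_PREFIX)]


def current_attributes(challenge: dict) -> Dict[str, str]:
    """The user's existing attribute values, returned as a JSON object."""
    raw = challenge.get("ChallengeParameters", {}).get("userAttributes", "{}")
    return json.loads(raw)


def build_new_password_response(challenge: dict, username: str, new_password: str,
                                attribute_values: Dict[str, str], client_id: str,
                                client_secret: Optional[str] = None) -> dict:
    """Step 7: RespondToAuthChallenge(Username, <New password>, <User attributes>)."""
    if challenge.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise ValueError(f"unexpected challenge {challenge.get('ChallengeName')!r}")
    needed = required_attributes(challenge)
    missing = [name for name in needed if name not in attribute_values]
    if missing:
        # Cognito rejects the response without these; prompt the user first (step 6).
        raise ValueError(f"values still required for: {missing}")
    responses = {"USERNAME": username, "NEW_PASSWORD": new_password}
    for name in needed:
        responses[ATTR_PREFIX + name] = attribute_values[name]
    if client_secret:
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"ClientId": client_id, "ChallengeName": "NEW_PASSWORD_REQUIRED",
            "Session": challenge["Session"], "ChallengeResponses": responses}


def build_sms_mfa_response(challenge: dict, username: str, code: str, client_id: str,
                           client_secret: Optional[str] = None) -> dict:
    """Step 8: answer the SMS_MFA challenge with the code the user received."""
    if challenge.get("ChallengeName") != "SMS_MFA":
        raise ValueError(f"unexpected challenge {challenge.get('ChallengeName')!r}")
    responses = {"USERNAME": username, "SMS_MFA_CODE": code}
    if client_secret:
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"ClientId": client_id, "ChallengeName": "SMS_MFA",
            "Session": challenge["Session"], "ChallengeResponses": responses}


# Constructed sample of what step 5 returns for a pool that requires phone_number.
SAMPLE_CHALLENGE = {
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "Session": "EXAMPLE-SESSION-TOKEN",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "jdoe",
        "requiredAttributes": json.dumps(["userAttributes.phone_number"]),
        "userAttributes": json.dumps({"email": "jdoe@example.com",
                                      "email_verified": "true"}),
    },
}

if __name__ == "__main__":
    print("still required:", required_attributes(SAMPLE_CHALLENGE))
    req = build_new_password_response(SAMPLE_CHALLENGE, "jdoe", "N3w-Passw0rd!",
                                      {"phone_number": "+15555550100"},
                                      "EXAMPLE_CLIENT_ID", "EXAMPLE_CLIENT_SECRET")
    print(json.dumps(req, indent=2))
```

The Session value must be carried from each challenge into the next response; a response that arrives without the attributes named in requiredAttributes is rejected, which is why the builder refuses to send one.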

When the user has satisfied all challenges, the Amazon Cognito service marks the user as confirmed and issues ID, access, and refresh tokens for the user. For more information, see Understanding user pool JSON web tokens (JWTs).

Creating a new user in the AWS Management Console

You can set user password requirements, configure the invitation and verification messages sent to users, and add new users with the Amazon Cognito console.

Set a password policy and enable self-registration

You can configure settings for minimum password complexity and whether users can sign up using public APIs in your user pool.

Configure a password policy
  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Sign-in experience tab and locate Password policy. Choose Edit.

  4. Choose a Password policy mode of Custom.

  5. Choose a Password minimum length. For limits to the password length requirement, see User pools resource quotas.

  6. Choose a Password complexity requirement.

  7. Choose how long passwords set by administrators should remain valid.

  8. Choose Save changes.
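The following is an added example, not AWS or Amazon Cognito code, of checking a temporary password locally against the policy configured above before an administrator sets it, and of deciding whether an already-issued temporary password has aged past its validity period. The policy dictionary uses the real PasswordPolicy field names of the user pool API (MinimumLength, RequireUppercase, RequireLowercase, RequireNumbers, RequireSymbols, TemporaryPasswordValidityDays); the policy values are constructed, and the set of characters counted as symbols is an assumption rather than Amazon Cognito's published list.

```python
# Added example (not AWS code): local password policy and validity checks.
from datetime import datetime, timedelta
from typing import List

SAMPLE_POLICY = {            # constructed example policy
    "MinimumLength": 12,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "TemporaryPasswordValidityDays": 7,
}

# Assumed symbol class; check it against the Cognito documentation for your pool.
SYMBOLS = set("^$*.[]{}()?\"!@#%&/\\,><':;|_~`=+-")


def password_policy_violations(password: str, policy: dict) -> List[str]:
    """Return the policy fields the password fails; an empty list means it passes."""
    checks = [
        ("MinimumLength", len(password) >= policy.get("MinimumLength", 0)),
        ("RequireUppercase", any(c.isupper() for c in password)),
        ("RequireLowercase", any(c.islower() for c in password)),
        ("RequireNumbers", any(c.isdigit() for c in password)),
        ("RequireSymbols", any(c in SYMBOLS for c in password)),
    ]
    violations = []
    for field, passed in checks:
        # The Require* fields only apply when the policy turns them on.
        if field != "MinimumLength" and not policy.get(field, False):
            continue
        if not passed:
            violations.append(field)
    return violations


def temporary_password_expired(created_iso: str, now_iso: str, policy: dict) -> bool:
    """True once a temporary password is older than TemporaryPasswordValidityDays
    (timestamps as ISO 8601 strings, e.g. 2024-01-01T00:00:00+00:00). The user
    must then be re-invited, for example with AdminCreateUser and MessageAction RESEND."""
    created_at = datetime.fromisoformat(created_iso)
    now = datetime.fromisoformat(now_iso)
    validity = timedelta(days=policy.get("TemporaryPasswordValidityDays", 7))
    return now - created_at > validity


if __name__ == "__main__":
    for candidate in ("Temp-Passw0rd!", "password"):
        print(candidate, "->", password_policy_violations(candidate, SAMPLE_POLICY) or "ok")
    print(temporary_password_expired("2024-01-01T00:00:00+00:00",
                                     "2024-01-09T00:00:00+00:00", SAMPLE_POLICY))
```

Running the same check locally that the service will run on the TemporaryPassword parameter gives an administrator a precise reason for rejection instead of a generic InvalidPasswordException, and the validity check tells a help desk whether a re-invitation is needed before they ask the user to try again.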

Allow self-service sign-up
  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Sign-up experience tab and locate Self-service sign-up. Select Edit.

  4. Choose whether to Enable self-registration. Self-registration is typically used with public app clients that need to register new users in your user pool without distributing a client secret or AWS Identity and Access Management (IAM) API credentials.

    Disabling self-registration

    If you do not enable self-registration, new users must be created through administrative API actions using IAM API credentials, or they must sign in through a federated provider.

  5. Choose Save changes.

Customize email and SMS messages

Customize user messages

You can customize the messages that Amazon Cognito sends to your users when you invite them to sign in, they sign up for a user account, or they sign in and are prompted for multi-factor authentication (MFA).

Note

An Invitation message is sent when you create a user in your user pool and invite them to sign in. Amazon Cognito sends initial sign-in information to the user's email address or phone number.

A Verification message is sent when a user signs up for a user account in your user pool. Amazon Cognito sends a code to the user. When the user provides the code to Amazon Cognito, they verify their contact information and confirm their account for sign-in. Verification codes are valid for 24 hours.

An MFA message is sent when you enable SMS MFA in your user pool, and a user that has configured SMS MFA signs in and is prompted for MFA.

  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Messaging tab and locate Message templates. Select Verification messages, Invitation messages, or MFA messages and choose Edit.

  4. Customize the messages for the chosen message type.

    Note

    All variables in message templates must be included when you customize the message. If the variable, for example {####}, is not included, your user will have insufficient information to complete the message action.

    For more information, see Message templates.

    1. Verification messages

      1. Choose a Verification type for Email messages. A Code verification sends a numeric code that the user must enter. A Link verification sends a link the user can click to verify their contact information. The text in the variable for a Link message is displayed as hyperlink text. For example, a message template using the variable {##Click here##} is displayed as Click here in the email message.

      2. Enter an Email subject for Email messages.

      3. Enter a custom Email message template for Email messages. You can customize this template with HTML.

      4. Enter a custom SMS message template for SMS messages.

      5. Choose Save changes.

    2. Invitation messages

      1. Enter an Email subject for Email messages.

      2. Enter a custom Email message template for Email messages. You can customize this template with HTML.

      3. Enter a custom SMS message template for SMS messages.

      4. Choose Save changes.

    3. MFA messages

      1. Enter a custom SMS message template for SMS messages.

      2. Choose Save changes.
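The following is an added example, not AWS or Amazon Cognito code, of a pre-flight check for the custom templates described above. It reports the variable the note says must stay in the message ({####} for codes, a {##link text##} variable for link verification, and both {username} and {####} for invitations) and flags SMS templates longer than the 140-character limit that applies to SMS message templates. The template kinds, channel names and sample messages are constructed for this example.

```python
# Added example (not AWS code): check message templates for required variables.
import re
from typing import List

CODE = "{####}"
USERNAME = "{username}"
LINK_RE = re.compile(r"\{##.+?##\}")   # matches {##Click here##} style link text
SMS_MAX_LENGTH = 140


def template_problems(kind: str, template: str, channel: str = "email",
                      verification_type: str = "code") -> List[str]:
    """Return what is wrong with a template; an empty list means it is usable.

    kind: 'verification', 'invitation' or 'mfa'.
    channel: 'email' or 'sms'.
    verification_type: 'code' or 'link' (email verification messages only).
    """
    problems: List[str] = []
    if kind == "verification":
        if channel == "email" and verification_type == "link":
            if not LINK_RE.search(template):
                problems.append("missing {##link text##} variable")
        elif CODE not in template:
            problems.append(f"missing {CODE} variable")
    elif kind == "invitation":
        # The invitation must carry both the sign-in name and the temporary password.
        for var in (USERNAME, CODE):
            if var not in template:
                problems.append(f"missing {var} variable")
    elif kind == "mfa":
        if CODE not in template:
            problems.append(f"missing {CODE} variable")
    else:
        raise ValueError(f"unknown template kind {kind!r}")
    if channel == "sms" and len(template) > SMS_MAX_LENGTH:
        problems.append(f"SMS template longer than {SMS_MAX_LENGTH} characters")
    return problems


def check_templates(templates: dict) -> dict:
    """Run template_problems over a mapping of (kind, channel) -> template and
    return only the entries that have problems."""
    report = {}
    for (kind, channel), template in templates.items():
        vt = "link" if "{##" in template else "code"
        problems = template_problems(kind, template, channel, vt)
        if problems:
            report[(kind, channel)] = problems
    return report


if __name__ == "__main__":
    # Constructed templates: the second invitation text drops {username}.
    sample = {
        ("invitation", "email"): "Hello {username}, your temporary password is {####}.",
        ("invitation", "sms"): "Your temporary password is {####}.",
        ("verification", "email"): "Confirm your address: {##Verify email##}",
        ("mfa", "sms"): "Your sign-in code is {####}",
    }
    for key, problems in check_templates(sample).items():
        print(key, "->", "; ".join(problems))
```

A template that passes this check can still be rejected by the service for other reasons (for example, HTML that is not allowed in SMS), so treat it as a first gate before saving, not a substitute for sending yourself a test message.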

Create a user


You can create new users for your user pool from the Amazon Cognito console. Typically, users can sign in after they set a password. To sign in with an email address, a user must verify the email attribute. To sign in with a phone number, the user must verify the phone_number attribute. To confirm accounts as an administrator, you can also use the AWS CLI or API, or create user profiles with a federated identity provider. For more information, see the Amazon Cognito API Reference.

  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Users tab, and choose Create a user.

  4. Review the User pool sign-in and security requirements for guidance on password requirements, available account recovery methods, and alias attributes for your user pool.

  5. Choose how you want to send an Invitation message. Choose SMS message, email message, or both.

    Note

    Before you can send invitation messages, configure a sender and an AWS Region with Amazon Simple Notification Service and Amazon Simple Email Service in the Messaging tab of your user pool. Recipient message and data rates apply. Amazon SES bills you for email messages separately, and Amazon SNS bills you for SMS messages separately.

  6. Choose a Username for the new user.

  7. Choose if you want to Create a password or have Amazon Cognito Generate a password for the user. Any temporary password must adhere to the user pool password policy.

  8. Choose Create.

  9. Choose the Users tab, and choose the User name entry for the user. Add and edit User attributes and Group memberships. Review User event history.