Amazon Cognito
Developer Guide

Example: Migrating iOS Users with a Lambda Trigger

A user migration Lambda trigger allows easy migration of users from your existing user management system into your user pool without a password reset.

Set Up a User Migration Lambda Trigger

Before making changes in your iOS app, set up a user migration Lambda for your user pool.

To learn more about Lambda triggers, see Customizing User Pool Workflows with Lambda Triggers.

For more information about migrating users with a Lambda trigger, see Importing Users into User Pools With a User Migration Lambda Trigger.

iOS App Changes

  1. Update your SDK

    Update your AWSCognitoIdentityProvider iOS SDK to version 2.6.12 or above.

  2. Enable Migration

    If you are using Info.plist to configure your user pool:

    Add a Boolean MigrationEnabled key with the value YES. If you open your Info.plist with Open As -> Source Code, it should look something like this:

    <key>AWS</key>
    <dict>
        <key>CognitoUserPool</key>
        <dict>
            <key>Default</key>
            <dict>
                <key>AppClientId</key>
                <string>YOUR_APP_CLIENT_ID</string>
                <key>PoolId</key>
                <string>region_YOUR_USER_POOL_ID</string>
                <key>Region</key>
                <string>us-west-2</string>
                <key>MigrationEnabled</key>
                <true/>
            </dict>
        </dict>
    </dict>

Authentication Flow for User Migration

You can authenticate your users and validate their passwords against your legacy system and seamlessly migrate their profiles into your user pool. However, the service needs the legacy password to avoid a password reset. So, if migration is explicitly enabled in the authentication flow, the SDK will send your users' passwords to the service in plain text over an encrypted SSL connection.
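The service-side half of this flow, as an added example that is not code from this guide: a user migration Lambda handler in Python that receives the password the SDK sent, checks it against the legacy system, and returns the profile to create. The in-memory legacy store, its PBKDF2 parameters and the sample user are constructed assumptions, and only the sign-in trigger source is handled.

```python
import hashlib
import hmac

# Constructed stand-in for the legacy user store (assumption):
# username -> (salt, PBKDF2-SHA256 hash, email). A real trigger would call
# the legacy system over an authenticated, encrypted channel instead.
_SALT = b"constructed-salt"
LEGACY_USERS = {
    "alice": (_SALT,
              hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
              "alice@example.com"),
}

def legacy_password_ok(username, password):
    """Return the user's email if the legacy password matches, else None."""
    record = LEGACY_USERS.get(username)
    if record is None or not password:
        return None
    salt, stored, email = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Constant-time comparison so timing does not leak how much matched.
    return email if hmac.compare_digest(candidate, stored) else None

def lambda_handler(event, context):
    # Never log `event`: on this trigger it carries the cleartext password.
    if event.get("triggerSource") != "UserMigration_Authentication":
        # Fail closed on any source this example does not handle.
        raise Exception("Unsupported trigger source")
    email = legacy_password_ok(event["userName"],
                               event["request"].get("password"))
    if email is None:
        # Same error for unknown user and wrong password (no enumeration).
        raise Exception("Bad credentials")
    # Assumption: the legacy system already verified this email address.
    event["response"]["userAttributes"] = {"email": email,
                                           "email_verified": "true"}
    event["response"]["finalUserStatus"] = "CONFIRMED"  # no forced reset
    event["response"]["messageAction"] = "SUPPRESS"     # no welcome message
    return event
```
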

If you are using AWSCognitoIdentityUserPoolConfiguration to configure your user pool, change your initializer to one that supports the migrationEnabled flag.

// Objective-C
AWSCognitoIdentityUserPoolConfiguration *poolConfiguration =
    [[AWSCognitoIdentityUserPoolConfiguration alloc]
                       initWithClientId:@"YOUR_APP_CLIENT_ID"
                           clientSecret:@"YOUR_OPTIONAL_APP_CLIENT_SECRET"
                                 poolId:@"YOUR_USER_POOL_ID"
     shouldProvideCognitoValidationData:YES
                          pinpointAppId:@"YOUR_OPTIONAL_PINPOINT_APP_ID"
                       migrationEnabled:YES];

// Swift
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(
    clientId: "YOUR_APP_CLIENT_ID",
    clientSecret: "YOUR_OPTIONAL_APP_CLIENT_SECRET",
    poolId: "YOUR_USER_POOL_ID",
    shouldProvideCognitoValidationData: true,
    pinpointAppId: "YOUR_OPTIONAL_PINPOINT_APP_ID",
    migrationEnabled: true)