User pool federation endpoints and hosted UI reference
Amazon Cognito activates the public webpages listed here when you assign a domain to your user pool. Your domain serves as a central access point for all of your app clients. They include the hosted UI, where your users can sign up and sign in (the Login endpoint), and sign out (the Logout endpoint). For more information about these resources, see Setting up and using the Amazon Cognito hosted UI and federation endpoints.
These pages also include the public web resources that allow your user pool to communicate with third-party SAML, OpenID Connect (OIDC) and OAuth 2.0 identity providers (IdPs). To sign in a user with a federated identity provider, your users must initiate a request to the interactive hosted UI Login endpoint or the OIDC Authorize endpoint. The Authorize endpoint redirects your users either to your hosted UI or your IdP sign-in page.
Your app can also sign in local users with the Amazon Cognito user pools API. A local user exists exclusively in your user pool directory without federation through an external IdP.
In addition to the hosted UI and federation endpoints, Amazon Cognito integrates with SDKs for Android, iOS, JavaScript, and more. The SDKs provide tools to perform user pool API operations with Amazon Cognito API service endpoints. For more information about service endpoints, see Amazon Cognito Identity endpoints and quotas.
Warning
Don't pin the end-entity or intermediate Transport Layer Security (TLS) certificates for Amazon Cognito domains. AWS manages all certificates for all of your user pool endpoints and prefix domains. The certificate authorities (CAs) in the chain of trust that supports Amazon Cognito certificates dynamically rotate and renew. When you pin your app to an intermediate or leaf certificate, your app can fail without notice when AWS rotates certificates.
Instead, pin your application to all available Amazon root certificates
Topics
