We have an existing system where we create the user id (db) internally and use it across db tables as referential integrity. We are looking to move to Cognito and Api Gateway for authentication and authorization flow. However, we would like to retain the existing identity (user id in db) internally once we authenticate at Api Gateway using Cognito. To do this, we are thinking of using the Pre-Signup Lambda trigger to first create the user in our system and then Cognito will create the user in the user pool. This way we can associate custom attribute (user id) information using the Pre-Token Generation lambda, which will be passed to Api Gateway with the ID Token.
Is this the right approach to create the user first in our system (via Pre-Signup lambda) and then in Cognito?
I have a Cognito Identity Pool set up to use a Cognito user pool as a source of identity. Now, in my case the Cognito User Pool has 2 different client IDs, one for my mobile application and one for my website. In order to support login from both I need to add both client IDs in the Authentication Providers settings, but it seems that you can add only 1 client ID at a time. Is there a way to configure a Cognito Identity Pool to accept 2 different Cognito User Pool client IDs?
I don't want to use the same client ID because I need to do different user validations on user sign-up based on where the user came from (app or web), and the client ID is the only parameter passed to my lambda that allows me to identify where a user came from.
From the Identity Pool Cloudformation docs, it looks like you can provide a list of identity providers. A user pool identity provider is defined as the user pool ID plus the client ID. It seems like you should be able to specify two different ones with the same user pool ID and different client IDs. I don't know whether this is possible through the console.
An app is communicating via the Open ID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is essentially "proxying" the ADFS server.
ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Groups, which will then be read by the app from the cognito:groups claim in the ID token Cognito provides.
In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups - must I absolutely rely on a custom attribute for my User Pool that I can map to the ADFS-property, or am I missing some piece of configuration that allows Cognito to create new groups on the fly and automatically assign the users to the groups in Cognito?
edit: To clarify, is it possible to set up Cognito to add/create groups (not as a custom property, but as actual manageable Cognito groups) when it imports users?
I had the same issue, and I have not found a static mapping option in Cognito either.
The only way I see is to map the AD groups to custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" lambda trigger. The lambda reads the value of the custom:adgroups and manually overrides the user's Cognito groups.
NB - this does not change the cognito user's group permanently, only for the current session, but from the application perspective that's exactly what I needed.
Please see a dummy static (non-conditional) ADMIN group assignment example here:
```python
import json


def lambda_handler(event, context):
    print(f'incoming event: {json.dumps(event)}')
    # manual cognito group override
    if event['triggerSource'] == "TokenGeneration_HostedAuth":
        event['response'] = {
            "claimsOverrideDetails": {
                "groupOverrideDetails": {
                    "groupsToOverride": [
                        "ADMIN"
                    ]
                }
            }
        }
    return event
```
More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
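The conditional version of the override described in the answer above, as an added example that is not the answerer's code: it reads custom:adgroups, maps it through an allowlist of AD-to-Cognito group names, and only overrides cognito:groups for token-generation trigger sources. It assumes ADFS sends unqualified group names and that the attribute holds a comma-separated list (the attribute format, the group names and the mapping are constructed assumptions); group_changes is a helper for the post-authentication sync approach from the other answer.

```python
import json

# Constructed allowlist mapping AD group names (as ADFS sends them) to Cognito
# user-pool group names; a claim that is not listed here grants nothing.
AD_TO_COGNITO_GROUPS = {"App-Admins": "ADMIN", "App-Users": "USER"}

# Trigger sources on which the group override applies (pre token generation).
TOKEN_TRIGGERS = {"TokenGeneration_HostedAuth", "TokenGeneration_Authentication",
                  "TokenGeneration_RefreshTokens"}


def parse_ad_groups(raw):
    """Split custom:adgroups into names. Assumed (not Cognito-defined) format:
    comma-separated, optionally wrapped in [] as some SAML mappings emit."""
    if not raw:
        return []
    return [g.strip() for g in raw.strip("[]").split(",") if g.strip()]


def cognito_groups_for(ad_groups):
    """Map AD groups to Cognito groups; unmapped AD groups are dropped."""
    return sorted({AD_TO_COGNITO_GROUPS[g] for g in ad_groups if g in AD_TO_COGNITO_GROUPS})


def group_changes(current, desired):
    """Return (to_add, to_remove) for a post-authentication trigger that calls
    AdminAddUserToGroup / AdminRemoveUserFromGroup to make groups persistent."""
    current, desired = set(current), set(desired)
    return sorted(desired - current), sorted(current - desired)


def lambda_handler(event, context):
    """Pre Token Generation handler: cognito:groups derived from custom:adgroups."""
    print(f"incoming event: {json.dumps(event)}")
    if event.get("triggerSource") not in TOKEN_TRIGGERS:
        return event  # e.g. a sign-up trigger: leave the event untouched
    attrs = event["request"].get("userAttributes", {})
    groups = cognito_groups_for(parse_ad_groups(attrs.get("custom:adgroups", "")))
    # An empty list deliberately yields a token with no cognito:groups claim.
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {"groupsToOverride": groups}
        }
    }
    return event
```

As in the original answer, the override only affects the issued tokens; the user's group membership in the pool is unchanged unless a post-authentication trigger applies the result of group_changes.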
Could you use the Post authentication Lambda trigger to update the user's group in the Cognito User Pool based off the group in AD? You could use the APIs: AdminAddUserToGroup and AdminRemoveUserFromGroup. The only issue with this approach is that if you change the user's group in AD, it won't be updated in Cognito until the user authenticates to Cognito again.
How to set up ADFS with Cognito is documented in this link. The section answering your question is the mapping in step 4, item 5. I'm copying the relevant text below:
Choose Attribute mapping. These mappings map the claims from the SAML assertion from AD FS to the user pool attributes.
Make sure that ADFS is sending the groups in the assertions. For setting up the ADFS side for groups this link might be useful.
You could debug the flow with SAML-tracer plugin in Firefox.
I want to use Cognito Federated Identities with multiple Authentication Providers, and I want to manage my own user database so I have a simple immutable unique user id for other areas of the application.
What would be the correct way to trigger a lambda function that inserts newly authenticated users into my user database?
If I was only using Cognito User Pools I could use the offered triggers, and would create a mapping of the User Pool's unique "sub" id to my application's user id, but if I use other Authentication Providers (Facebook etc.) through Federated Identities there are no triggers offered.
I cannot see any triggers within Federated Identities.
I understand User Pools can now do federation within User Pools, meaning a Facebook sign-up there would create a User Pool identity which would have a "sub" id I could use, but I feel the federation in User Pools is not as mature and strong as in Federated Identities, and there are also fewer Providers to choose from.
Secondary question: Is there a best standard for mapping Authentication Provider ids to my application user id? I understand sub is an immutable unique id for User Pools, but Federated Identities' "Identity ID" can merge and thus change, so I guess best practice would be to use each Authentication Provider's unique id?
Using cognito, I'm able to obtain an 'unauthenticated' identityId representing "me". How does cognito prevent someone else from claiming to be "me"?
```java
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentity;
import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityRequest;
import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityResult;

GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest();
request.setIdentityId("us-west-2:639dc6e0-1f14-4c0a-9a08-a48c742f5395"); // Could I just enter whatever identity Id I want here? Is knowing what the identityId is the security? Is that really secure?
GetCredentialsForIdentityResult result = cognitoIdentityClient.getCredentialsForIdentity(request);
```
Code shown from the AWS Java SDK