@pwillis-els
Last active January 28, 2021 01:31
A description of what AWS Cognito is and how it works

About

This document explains what Cognito is and how it works.

This page is partly a summary of the following articles:

What is AWS Cognito?

AWS Cognito is a service that manages user authentication and authorization. It manages both sign-ups and sign-ins.

(Authentication is the process of verifying a user’s identity. Authorization is the process of granting users access to specific resources after they have been authenticated.)

Cognito is made up of two services: User Pools and Identity Pools (also called Federated Identities). They look similar but are different under the hood: both address the same problem, but in different ways. They can be used separately or together.

What is an Identity Provider?

An Identity Provider (IdP) is a service that manages authentication. It provides a user login service, and the ability to verify a user’s identity.

Cognito User Pools is an Identity Provider.

Cognito will also let you use third-party Identity Providers. Cognito can integrate with any Identity Provider that implements SAML 2.0 or OAuth2. The process of integrating with a third-party provider for authentication is called Federation.

What is a User Pool and an Identity Pool?

User Pool

User Pools provide a directory of users for an application, along with user management functions like sign-up, sign-in and group management. A User Pool gives an app a user's profile information (the user's ID, group membership, etc.) so the app can handle authorization itself.

User Pools by themselves don't deal with permissions at the IAM level.

With a User Pool, you can:

  • let app users sign up or sign in with an email address or phone number
  • set up password policies
  • verify the email and phone number of an app's users
  • use SMS-based multi-factor authentication (MFA)
  • customize user sign-up and sign-in workflows
  • remember the devices associated with an app's users
  • migrate existing (non-Cognito) app users to a User Pool

Remember that a Cognito User Pool is a kind of Identity Provider (IdP).

What is a user profile?

A user profile is the attributes of a given user.

Developers can use the standard OpenID Connect user profile attributes (user name, phone number, address, time zone, etc.) or add custom, app-specific user attributes.
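The point above that the app "handles the authorization itself" rests on the app validating the User Pool's ID token before trusting the profile attributes inside it. The following is an added example (not code from the gist) of the checks an app should make: signature, issuer, token_use, audience and expiry, followed by a group-based authorization decision. The pool id, app client id and token values are constructed placeholders. Real Cognito tokens are signed with RS256 and must be verified against the pool's JWKS at `<issuer>/.well-known/jwks.json`; because that cannot run offline, the signature step here is an HMAC stand-in behind a callback, and the same rule applies to both: pin the expected algorithm instead of reading it from the token header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example (not a real pool or app client).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"
# Issuer of User Pool tokens; the pool's JWKS is published at <issuer>/.well-known/jwks.json.
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hmac_verifier(secret: bytes):
    """Offline stand-in for the RS256/JWKS check a real deployment performs (select the JWKS
    key by the header's kid). Shared property: the algorithm is pinned, never taken from the header."""
    def verify(header: dict, signing_input: bytes, signature: bytes) -> bool:
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def verify_id_token(token: str, verify_signature, now=None) -> dict:
    """Return the claims of a User Pool ID token, or raise ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if not verify_signature(header, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    # An access token from the same pool has the same issuer; only the ID token carries profile data.
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    # ID tokens name the app client in aud (access tokens use client_id instead).
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token issued for another app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, verify_signature, now=None):
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, verify_signature, now)
    except ValueError as exc:
        return str(exc)
    return None


def authorize(claims: dict, required_group: str) -> bool:
    """App-side authorization from profile data: Cognito puts group membership in cognito:groups."""
    return required_group in claims.get("cognito:groups", [])


def mint_demo_token(claims: dict, secret: bytes) -> str:
    """Build a token in JWT layout for the offline demonstration only (HS256 stand-in, see above)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": "demo-key"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    now = 1_000_000
    secret = b"demo-only-secret"
    claims = {
        "iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id", "exp": now + 3600,
        "sub": "11111111-2222-3333-4444-555555555555", "email": "alice@example.com",
        "cognito:groups": ["admins"], "custom:tenant": "acme",  # custom attributes carry the custom: prefix
    }
    verified = verify_id_token(mint_demo_token(claims, secret), make_hmac_verifier(secret), now)
    print("admin:", authorize(verified, "admins"))
```

The order of checks matters: nothing in the payload is read for a decision until the signature has been verified, and the `token_use` check stops an access token from being accepted where an ID token (and its attributes) is expected.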

Identity Pool

Identity Pools map a user from an Identity Provider to an IAM role.

With an Identity Pool (aka Cognito Identity) you can:

  • authenticate users through an external identity provider
  • provide temporary IAM credentials to access an app’s backend resources in AWS (or any service behind Amazon API Gateway)
  • use external identity providers that support SAML 2.0 or OpenID Connect, social identity providers (such as Amazon, Facebook, Twitter, Digits, Google), or integrate your own identity provider

In the AWS documentation, Identity Pool, Cognito Identity, and Federated Identity are used synonymously.

Can I use User Pools and Identity Pools together?

Yes.

An Identity Pool doesn't have its own user directory; it just assigns users from other user directories to an IAM role in your AWS environment. Usually the Identity Provider is an external third party, but it can also be your app's user directory if that is implemented as a Cognito User Pool.

Since a Cognito User Pool is an Identity Provider, you can configure your Identity Pool to use your app’s User Pool as one of its Identity Providers. This lets you authenticate users with your User Pool and assign them an IAM role using an Identity Pool.

Can I use an external provider with a User Pool without an Identity Pool?

Yes.

A user can sign up for or sign in to your app with Facebook. The User Pool assigns those users to a group called "Facebook" and maps the Facebook attributes to the ones you've defined in your User Pool. No Identity Pool is used (so, basically, no IAM roles).

How do login flows work?

Your mobile app authenticates with an Identity Provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth token, OpenID Connect token, or the SAML assertion (all returned from the IdP) is passed by your app to Cognito Identity, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Does Amazon Cognito Identity store users’ credentials?

No.

Does Cognito Identity receive or store confidential information about my users from the identity providers?

No.

Can I create an IAM role just for unauthenticated users?

Yes.
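The login flow described above ends with two calls to Cognito Identity: one to obtain the user's Cognito ID and one to exchange it for temporary AWS credentials. The following is an added example (not code from the gist) of that exchange as an app backend would drive it with boto3's `cognito-identity` client, covering both the authenticated path (a User Pool ID token in the `Logins` map) and the unauthenticated-role path from the question above. The boto3 operations `get_id` and `get_credentials_for_identity` and the `Logins` key format for a User Pool are real; the pool ids are constructed placeholders, and the `FakeCognitoIdentity` class is a hypothetical offline stand-in for the AWS client that mimics the pool's trust rules so the flow can run without an account.

```python
import uuid

# Constructed placeholders (not real AWS resources).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
IDENTITY_POOL_ID = f"{REGION}:00000000-0000-0000-0000-000000000000"


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """Provider name an Identity Pool expects in the Logins map for a Cognito User Pool."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def get_aws_credentials(identity_client, identity_pool_id: str, logins=None) -> dict:
    """Cognito Identity exchange: GetId (a new or existing Cognito ID for this user), then
    GetCredentialsForIdentity (temporary, role-scoped AWS keys). logins is a {provider: token}
    map; None requests an unauthenticated identity, which only works if the pool allows it."""
    id_args = {"IdentityPoolId": identity_pool_id}
    if logins:
        id_args["Logins"] = logins
    identity_id = identity_client.get_id(**id_args)["IdentityId"]
    cred_args = {"IdentityId": identity_id}
    if logins:
        cred_args["Logins"] = logins
    creds = identity_client.get_credentials_for_identity(**cred_args)["Credentials"]
    return {"IdentityId": identity_id, "AccessKeyId": creds["AccessKeyId"],
            "SecretKey": creds["SecretKey"], "SessionToken": creds["SessionToken"]}


class FakeCognitoIdentity:
    """Hypothetical offline stand-in for boto3.client('cognito-identity'). It enforces the two
    rules the service enforces: only providers configured on the pool are accepted, and an
    unauthenticated identity is issued only when the pool has unauthenticated access enabled."""

    def __init__(self, trusted_providers, allow_unauthenticated=False):
        self.trusted_providers = set(trusted_providers)
        self.allow_unauthenticated = allow_unauthenticated
        self.calls = []

    def get_id(self, IdentityPoolId, Logins=None):
        self.calls.append("GetId")
        if Logins is None:
            if not self.allow_unauthenticated:
                raise PermissionError("NotAuthorizedException: unauthenticated access is not enabled")
            role = "unauth"
        else:
            unknown = set(Logins) - self.trusted_providers
            if unknown:
                raise PermissionError(f"NotAuthorizedException: provider not configured: {sorted(unknown)}")
            role = "auth"
        # Real identity ids look like "<region>:<uuid>"; the role marker is only for the demo.
        return {"IdentityId": f"{IdentityPoolId.split(':')[0]}:{role}-{uuid.uuid4()}"}

    def get_credentials_for_identity(self, IdentityId, Logins=None):
        self.calls.append("GetCredentialsForIdentity")
        role = "UnauthenticatedRole" if Logins is None else "AuthenticatedRole"
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": f"ASIA-EXAMPLE-{role}", "SecretKey": "example-secret",
            "SessionToken": "example-session"}}


if __name__ == "__main__":
    # Against AWS this would be: client = boto3.client("cognito-identity", region_name=REGION)
    key = user_pool_login_key(REGION, USER_POOL_ID)
    client = FakeCognitoIdentity(trusted_providers=[key])
    creds = get_aws_credentials(client, IDENTITY_POOL_ID, {key: "<ID token from the User Pool>"})
    print(creds["IdentityId"], creds["AccessKeyId"])
```

Two defender-side points the example makes concrete: the credentials come back scoped to whichever role the pool maps the identity to, so the authenticated and unauthenticated roles should be kept distinct and minimal; and a token from a provider that is not configured on the pool is refused at `GetId`, before any credentials exist.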

Does Cognito work with Active Directory Federation Services (ADFS)?

Yes. ADFS exposes APIs that let you use Active Directory as an Identity Provider via SAML 2.0.

The following steps allow you to use ADFS with Cognito:

  1. Set up a new AWS Cognito User Pool.
     • Set up the Identity Provider.
       • If the Metadata URL is public, add it to your User Pool's SAML Identity Provider, rather than uploading the file.
       • If the Metadata URL is not public, download it (https://<adfs_url>/federationmetadata/2007-06/federationmetadata.xml) and use it to set up your SAML Identity Provider in your User Pool.
     • Map the OpenID Connect SAML Schema attributes back to your User Pool attributes.
     • Enable the Identity Provider in the User Pool's App client settings.
  2. In ADFS, create a new Relying Party Trust.
     • Use the Relying Party Trust Identifier of urn:amazon:cognito:sp:<yourUserPoolID>.
     • Create a Claim Rule to map the LDAP SAM-Account-Name to Outgoing Claim Type Name ID.
     • Add an Endpoint of type SAML to your Relying Party with URL https://<your_cognito_url>/saml2/idpresponse.
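As an added example (not code from the gist), here is the Cognito half of the procedure above expressed in code rather than console clicks: a sanity check on downloaded ADFS federation metadata before it is uploaded, the argument set for the `cognito-idp` CreateIdentityProvider call covering both the public-URL and uploaded-file cases, and the two values to enter on the ADFS Relying Party Trust. The metadata path, the `urn:amazon:cognito:sp:` identifier and the `/saml2/idpresponse` endpoint come from the steps above; the `MetadataURL`/`MetadataFile` provider details and the `create_identity_provider` parameter names are the real boto3 ones. The sample metadata document, the host names and the e-mail attribute mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ADFS_METADATA_PATH = "/federationmetadata/2007-06/federationmetadata.xml"

# Constructed, minimal metadata in the shape ADFS publishes (the certificate is a placeholder).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.internal/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.internal/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_federation_metadata(xml_text: str, expected_adfs_host: str) -> dict:
    """Check downloaded metadata before trusting it: it must describe an IdP whose entityID
    belongs to the ADFS host we expect and that publishes at least one signing certificate
    (that certificate is what Cognito will use to verify ADFS assertions)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not SAML 2.0 metadata")
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != expected_adfs_host:
        raise ValueError(f"entityID {entity_id!r} does not belong to {expected_adfs_host}")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing_certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means the key serves both roles
            signing_certs += [c.text.strip() for c in kd.iter(f"{{{DS_NS}}}X509Certificate") if c.text]
    if not signing_certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    sso_urls = [s.get("Location") for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    return {"entity_id": entity_id, "signing_certs": signing_certs, "sso_urls": sso_urls}


def saml_provider_params(user_pool_id: str, provider_name: str, adfs_host: str,
                         metadata_public: bool, metadata_xml=None, attribute_mapping=None) -> dict:
    """Arguments for cognito-idp CreateIdentityProvider (boto3: client.create_identity_provider(**params)).
    A reachable metadata URL goes in MetadataURL; otherwise the downloaded XML goes in MetadataFile."""
    if metadata_public:
        details = {"MetadataURL": f"https://{adfs_host}{ADFS_METADATA_PATH}"}
    else:
        if not metadata_xml:
            raise ValueError("download the federation metadata and pass it as metadata_xml")
        inspect_federation_metadata(metadata_xml, adfs_host)
        details = {"MetadataFile": metadata_xml}
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": details,
        # Assumed mapping: the ADFS e-mail claim onto the pool's standard email attribute.
        "AttributeMapping": attribute_mapping
        or {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"},
    }


def relying_party_settings(user_pool_id: str, cognito_domain: str) -> dict:
    """The two values entered on the ADFS Relying Party Trust, from the steps above."""
    return {"identifier": f"urn:amazon:cognito:sp:{user_pool_id}",
            "saml_endpoint": f"https://{cognito_domain}/saml2/idpresponse"}


if __name__ == "__main__":
    print(inspect_federation_metadata(SAMPLE_METADATA, "adfs.example.internal"))
    print(saml_provider_params("us-east-1_EXAMPLEPOOL", "ADFS", "adfs.example.internal", True))
    print(relying_party_settings("us-east-1_EXAMPLEPOOL", "auth.example.com"))
```

The host check on `entityID` is the one worth keeping when the metadata is fetched over a non-public channel: it makes sure the document being uploaded to the User Pool was produced by the ADFS farm you intended to federate with, and not by some other IdP whose metadata happened to be on hand.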
