What is a "user pool" in Amazon Web Services? - amazon-web-services

I see the term "user pool" in a lot of Amazon documentation, but I cannot understand what it is. What does it mean?

Copied from the AWS blog post announcement New - Your User Pools for Amazon Cognito:
With the user pools feature, you can create your own user directory that can scale to hundreds of millions of users, and is fully managed so you don’t have to worry about the heavy lifting associated with building, securing, and scaling authentication to your apps. This feature also provides enhanced security functionality such as email verification, phone number verification, and multi-factor authentication. As an app developer, you already had the option to use an external identity provider such as Amazon, Facebook, Google, Twitter or Digits for this purpose using the Cognito feature that we now call Federated Identity Pools.

Related

Is it possible to integrate a single AWS Cognito pool with several SSO identity providers?

I'm trying to understand the relationship between Cognito user pools and external identity providers via SAML.
What I have at the moment
I have a ReactJS application which uses the Amplify library, backed by AWS Cognito. The application is multi-tenanted, and users from different tenants belong in the same user pool. They are separated by their group and a custom attribute. I use CloudFormation and the Serverless Framework to deploy my stack.
Currently, I have custom login forms, which communicate with the Amplify library to log in the user.
The goal
In addition to giving clients the option to make their own accounts on my platform, I want to provide an option to authenticate via SAML from an external identity provider. The goal is to allow each client to log into the web application using their own Single Sign-On.
My prior research
I've seen AWS's example on how to actually deploy a user pool supporting SAML.
I've read Azure's guide on integrating with Cognito.
I have an understanding of the SAML authentication flow.
The question
Is it possible to attach each of these external identity providers to the same user pool, or will I have to deploy a new user pool for each new client I want to onboard?
Thank you very much
Yes, it is possible to add multiple external IDPs to a user pool.
But there is an upper limit of 1000 identity providers per user pool, so you can add up to 1000 customers. And if you go with a user pool per customer, there is a limit of 10,000 user pools per AWS account.
So consider those limits when choosing an option.
One other option is to support login with IdPs like Google, Microsoft, etc. Companies (customers) that use them as their IdPs can then rely on that without specifically configuring SSO. (You can group the users based on the domain.)
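As an added example (not code from the answer or from AWS), a small Python helper that implements the single-pool, many-IdP layout described above: it maps each tenant's email domain to the SAML provider configured on the pool and builds the Hosted UI authorize URL with the `identity_provider` hint, falling back to the pool's own sign-in for unknown domains. The provider names, domains, client ID and redirect URI are constructed.

```python
"""Route a multi-tenant login to the right SAML IdP in one Cognito user pool.

Constructed example, not from the original post. Assumptions: the user pool has
a Hosted UI domain, one SAML identity provider per tenant attached to the pool,
and an app client whose SupportedIdentityProviders lists those providers plus
COGNITO. Provider names and domains below are made up.
"""
from urllib.parse import urlencode

# Constructed tenant directory: email domain -> ProviderName configured on the pool.
TENANT_IDPS = {
    "acme.example": "AcmeSAML",
    "globex.example": "GlobexSAML",
}

NATIVE_PROVIDER = "COGNITO"  # Cognito's name for pool-native username/password sign-in


def provider_for_email(email: str) -> str:
    """Return the user-pool IdP to send this user to, defaulting to native sign-in."""
    if email.count("@") != 1:
        raise ValueError("expected exactly one '@' in email")
    domain = email.rsplit("@", 1)[1].strip().lower()
    if not domain:
        raise ValueError("email has no domain part")
    # Unknown domains are not rejected: they fall through to the pool's own accounts,
    # which is the "clients can make their own accounts" path from the question.
    return TENANT_IDPS.get(domain, NATIVE_PROVIDER)


def authorize_url(email: str, pool_domain: str, client_id: str,
                  redirect_uri: str, state: str) -> str:
    """Build the Hosted UI /oauth2/authorize URL with an identity_provider hint.

    identity_provider is a documented Hosted UI query parameter; passing it skips the
    provider picker page so each tenant lands directly on its own SSO.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must exactly match a callback URL on the app client
        "scope": "openid email profile",
        "state": state,  # caller-generated anti-CSRF value, checked again on the callback
        "identity_provider": provider_for_email(email),
    }
    return f"https://{pool_domain}/oauth2/authorize?" + urlencode(params)
```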

AWS Mobile Hub sample app with User Pools and Federated Social Identity Providers

It has come to my attention that recently AWS added support for federated social providers to authenticate into user pools:
AWS Cognito: sign in with username/password OR Facebook (the last answer seems to be from someone over at AWS)
This is extremely useful as now I can have all my users under one directory. My question is if I set up federation to login to user pools and generate the sample app from mobile hub will it have the functionality I am looking for? Or do I need to code it myself? As it stands in the mobile hub there are no options to generate a user pool with federation from a social identity provider.
AWS MobileHub currently doesn't support the functionality of authenticating federated social providers into user pools. Please let us know if you have any further questions. Regards, Nidhi

Authentication Mechanisms on AWS

We are developing a SaaS application on AWS and were looking for ways to store application user login credentials on AWS. User volume will grow quite a lot and would presumably be in the thousands. I looked at IAM too, but it looks like it has a limit of 5000 user profiles, which we might exhaust down the line.
I don't want to store these on RDS, even in hashed form.
Thanks!!
IAM is for your AWS account users, not for your application users. It sounds like Cognito might be what you're looking for.
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the options to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system.
You can use AWS Cognito user pools to save your application users. It will allow your web/mobile app users to sign up and sign in.
Have a look at this

AWS Cognito Login Data

We're trying to figure out whether to create our own Parse server or migrate to AWS stack. We're looking for AWS alternative to Parse login, where it extracts user info such as email and name.
The closest one I could find is AWS Cognito, but it doesn't seem to store any user info (email/name). It seems that the only way to get them is through the developer authenticated identities, which means I have to deal with user's credentials (encrypt the user's password), handle the fb/google registration, etc.
I'm new to AWS Mobile, but I was hoping this would be a standard feature that a BaaS solution should provide. Am I missing something here? For those who use the AWS Mobile stack, how do you handle this?
Thanks!
We are using the AWS Mobile Analytics stack (SDK and exporting events to Redshift) in our iOS application, and we ran into the same issue you are describing. The only way we have to handle it is to ask the user to provide these details as part of the registration process.
At least in iOS, there is no way to get the user's email and name from the OS or through AWS.
Currently Amazon Cognito does not support user registration. We have heard this request from multiple customers and we will consider adding this feature in future releases.
Note: If you do decide to do your own authentication using developer authenticated identities, you can use Amazon Cognito to store your user data such as email and other profile information. It also provides offline access and synchronizes data across devices for authenticated users.
Cognito User Pools does what you want (authentication, username, email all sorts of claim data).
It is integrated with Cognito Identity in a fork of the GitHub repository aws-mobile-hub-helper (here).
That repo contains an AWSSignInProvider for Cognito User Pools. It is also modified to support identity merging across any provider with an AWSSignInProvider implemented (Google, Cognito Your User Pools, and Facebook in that repository).

AWS Cognito: Do I need other AWS service to write a full functioning signup/signin system?

I am planning to write a mobile app with AWS handling the backend work. Like many common apps, mine will support user registration and login. All backend resources should be secure based on the user's role.
After reading about AWS Cognito, it seems it handles both open authentication providers and developer authentication providers. This helps to support third-party login. The capability of syncing data is a big plus.
However, I have some questions about Cognito when I try further implementation.
Where are the user credentials stored?
I need to add more user attributes (eg. email, profile image etc.) when a new user is created. Can Cognito handle this? Or do I need to use storage like S3 to store the entire user profile?
Does Cognito support email verification for user registration?
Does Cognito handle 'forgot password' feature?
All advice is welcome.
There are now Amazon Cognito User Pools (currently in beta), allowing you to store user credentials; see here.
Update: Cognito has since added a new feature that does allow storing credentials. See Cognito User Pools for more information.
Amazon Cognito does not store credentials. Instead, it allows you to offload the task of securely storing credentials to any OpenID Connect-compliant credential provider such as, but not limited to, Facebook, Google, and Login With Amazon.
If you have a credential provider that is not OpenID Connect compliant, you can use the Developer Authenticated Identities capability to leverage another authentication system as a credential store (such as your own back-end service). Registration, email verification, and forgot password features would be handled by the Identity Provider: Either an OpenID Connect provider (e.g. Facebook) or your own provider via Developer Authenticated Identities.
Cognito's Sync capability gives you the ability to store profile information or any other information specific to the current user (referred to as "identity" in Cognito). There is a good blog post about using Cognito Sync to store & synchronize data here.