
Scenario

  • I have an app which is currently responsible for its own user profiles.
  • I am moving the authentication to an external identity provider.
  • The identity provider is an enterprise solution and cannot contain app-specific data (such as which account the user is a member of and what roles they have).
  • The app is hosted on AWS and consists of several microservices.

I need to find a home for the app-specific data

Attempted Solution

I looked at Cognito User Pool Federate. My plan was to create and manage the users primarily in the User Pool (where I control their groups/attributes/etc) then enable a sign-in from the external provider.

My Question

Does this federate option allow existing User Pool users to sign in through an external identity provider?

I.e. They exist in the pool then they sign in (with a mapping linking the two)

If so, what does the User Pool configuration look like?

If not, are there any mechanisms in Cognito which achieve this "token exchange" between my external identity provider and my internal identity provider? The key point being that I need to be able to provision the app's version of the user before they sign in.

Plan B

I'm aware that I can always keep the app-specific stuff in an internal DB and access it as required. However, I'm keen on keeping the roles/groups/etc. token-based.

Update

I don't believe this functionality currently exists. I've raised a feature request asking for it,

Andy N
  • Hey andy, I am in the exact same state as this question. Let me know if you solved the puzzle. – Gautam Jain Feb 03 '19 at 16:55
  • Unfortunately, no, I didn't. In the end the company I was working for had a change of heart and I was able to manage the roles I needed in their enterprise-level identity provider. Since then I've had a few thoughts on how this might be achieved. If I get a chance in the next few days I'll raise it as a feature request with AWS. – Andy N Feb 04 '19 at 19:18
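The "provision first, then link" flow the question asks about, as an added example that is not from the question or its comments: Cognito's `AdminLinkProviderForUser` API links an identity asserted by a configured external provider to an existing native user pool user, so that the federated sign-in resolves to that user and its group memberships (`cognito:groups`) appear in the issued ID token. The pool id, provider name (`CorpSAML`), group names and the injected client are assumptions; the link must be created before the user's first federated sign-in, because otherwise Cognito creates a separate federated user.

```python
"""Pre-provision a Cognito user pool user with app roles, then link the
external IdP identity to it so the federated sign-in lands on that user."""

# Assumed values (not from the question): pool id, IdP name as configured
# in the pool, group names. The client is injected so the flow can be run
# offline with a fake; in production pass boto3.client("cognito-idp").


def provision_and_link(client, pool_id, username, email, groups,
                       idp_name, idp_subject):
    """Create the native user, add it to groups, and link the IdP subject.

    The link must exist BEFORE the user's first federated sign-in; otherwise
    Cognito auto-creates a separate federated user without these groups and
    AdminLinkProviderForUser then refuses to link an already-existing source.
    """
    client.admin_create_user(
        UserPoolId=pool_id,
        Username=username,
        UserAttributes=[{"Name": "email", "Value": email},
                        {"Name": "email_verified", "Value": "true"}],
        MessageAction="SUPPRESS",  # no invitation mail; the IdP owns credentials
    )
    for group in groups:
        client.admin_add_user_to_group(
            UserPoolId=pool_id, Username=username, GroupName=group)
    # DestinationUser is the native pool user; SourceUser is the identity the
    # external provider asserts (Cognito_Subject = SAML NameID / OIDC sub).
    client.admin_link_provider_for_user(
        UserPoolId=pool_id,
        DestinationUser={"ProviderName": "Cognito",
                         "ProviderAttributeValue": username},
        SourceUser={"ProviderName": idp_name,
                    "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": idp_subject},
    )
    return {"username": username, "groups": list(groups), "linked_to": idp_subject}


class RecordingClient:
    """Offline stand-in for the boto3 cognito-idp client: records each call."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    fake = RecordingClient()  # constructed; swap for boto3.client("cognito-idp")
    provision_and_link(fake, "us-east-1_EXAMPLE", "alice", "alice@example.com",
                       ["account-42", "account-admin"], "CorpSAML", "alice@corp.example")
    for name, kwargs in fake.calls:
        print(name, kwargs)
```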

0 Answers