
Here's the scenario (using AWS Cognito via AWS Amplify):

Our company (ExampleCorp) is building a web application where its users will authenticate via its own internal Active Directory (SSO).

There are also customers of ExampleCorp that will use the web app but authenticate with THEIR Active Directories (SSO). The customers would then create their own users for the web app.

ExampleCorp would like to maintain identities for the customer accounts within its AD (perhaps for the purpose of permissions boundaries).

So essentially the customer user authenticates to the web app via its AD, but there is also a check somehow within ExampleCorp's AD to ensure the customer account user is in the right ExampleCorp AD group or whatever.

Is this "double check" possible within Cognito, or does this even make sense as I've explained it?

Alexander Witte

1 Answer

If the external users are already in ExampleCorp's AD, why would you ask them to authenticate both with their own IdP (identity provider) and ExampleCorp's AD? I'd suggest authenticating via ExampleCorp's AD only.

Or by using SAML federation based on the domain part of the email you could redirect these external users to their own IdP.

--J

James
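As an added example (not code from the question or the answer), this is how the email-domain routing James describes could be done on the Amplify client side: the app picks the Cognito SAML identity provider from the domain part of the address and hands the user off to it. It assumes the Amplify v6 `signInWithRedirect` API and hypothetical Cognito provider names such as `ExampleCorpAD`.

```javascript
// Added example: home-realm discovery for a Cognito user pool that has one
// SAML identity provider configured per customer. Assumed: the Amplify v6
// Auth API signInWithRedirect({ provider: { custom } }) and hypothetical
// provider names ("ExampleCorpAD", "CustomerA-SAML", ...).

// Constructed mapping: email domain -> name of the SAML IdP in the user pool.
// Domains that are not listed fall back to ExampleCorp's own AD.
const DOMAIN_TO_IDP = {
  "examplecorp.com": "ExampleCorpAD",
  "customer-a.example": "CustomerA-SAML",
  "customer-b.example": "CustomerB-SAML",
};
const DEFAULT_IDP = "ExampleCorpAD";

// Extract a normalised domain from an address; null unless it is a single
// user@domain string. The domain only decides where to redirect: the actual
// identity comes from the SAML assertion that Cognito validates afterwards.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const parts = email.trim().toLowerCase().split("@");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return parts[1];
}

// Pick the IdP for an address. A subdomain (mail.customer-a.example) is routed
// to its parent entry when one exists; a bare TLD is never matched.
function resolveIdp(email, map = DOMAIN_TO_IDP, fallback = DEFAULT_IDP) {
  const domain = emailDomain(email);
  if (domain === null) return fallback;
  const labels = domain.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (Object.prototype.hasOwnProperty.call(map, candidate)) return map[candidate];
  }
  return fallback;
}

// Start the federated sign-in. signInWithRedirect is injected so the routing
// logic can be tested without the Amplify runtime; in the app, pass the
// function imported from "aws-amplify/auth". Returns the provider used.
async function startFederatedSignIn(email, signInWithRedirect) {
  const provider = resolveIdp(email);
  await signInWithRedirect({ provider: { custom: provider } });
  return provider;
}
```

Any ExampleCorp-side group check still has to happen after federation (for example by mapping a SAML group attribute into a Cognito attribute and enforcing it in the app or an API authorizer); Cognito itself does not consult a second directory during sign-in.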