Amazon Cognito
The Amazon Cognito connection is a user provider that automatically imports your users and keeps them up-to-date in UserHub.
To enable the Amazon Cognito connection, you'll need access to an Amazon Cognito user pool and the ability to create an access key with the appropriate permissions.
Get Amazon Cognito user pool ID
- Go to the Cognito dashboard
- Switch to the region with the user pool you want to connect to UserHub
- Note the User pool ID; you'll need it for the Setup connection step
Create AWS access key
- Go to the IAM users dashboard
- Click Create user to add a new access key
- Enter userhub for the User name and click Next
- Select Attach policies directly
- Search for the AmazonCognitoPowerUser policy name (you can also create a more restrictive custom policy, see the example below)
- Check the checkbox to the left of the policy name and click Next
- Click Create user
- Search for userhub and click on it
- Click the Security credentials tab
- Scroll down to the Access key section and click Create access key
- Select Third-party service, check the Confirmation checkbox, and click Next
- Click Create access key
- Note the Access key and Secret access key; you'll need them in the next step
Setup connection
Next, you will need to set up the connection in the UserHub Admin console.
- Go to Connections from the Developers dropdown
- Click the Setup button for Amazon Cognito
- Enter your Amazon Cognito User pool ID
- Enter the Region for your user pool
- Enter the Access key ID and Access key secret you created above
- Click Save
- Make sure the status switches to Active
Optional: setup Portal callback
Next, you have the option of using Amazon Cognito's sign-in interface instead of implementing the Portal callback handler.
Create app for callback
- Go to the Cognito dashboard
- Click on your User pool name
- Click App clients in the navigation menu
- Click the Create app client button
- Select Traditional web application for Application type
- Enter Billing (or whatever you prefer) for Name your application
- Enter https://<portal-domain>/signin for the Return URL (you can find this URL in the Admin console Portal settings)
- Click Create app client
- Click the Login pages tab
- Click Edit in the Managed login pages configuration section
- Click Add sign-out URL and enter https://<portal-domain>/signout
- Scroll to the bottom of the page and click Save changes
- Note the Client ID and Client secret; you'll need them in the next step
Add app settings to connection
- Go to Connections from the UserHub Admin console Developers dropdown
- Click Amazon Cognito
- Click the Edit connection button
- Click Enable Portal sign-in
- Enter the Client ID and Client secret you noted above and click Save
You should now be able to open https://<portal-domain>/ in your browser and sign in.
Custom policy
If you'd like to restrict the permissions granted to the access key to the absolute minimum, you can create a custom policy based on the following example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UserHubConnection",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminDeleteUserAttributes",
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminGetUser",
        "cognito-idp:AdminUpdateUserAttributes",
        "cognito-idp:DeleteUser",
        "cognito-idp:DeleteUserAttributes",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:GetUser",
        "cognito-idp:ListUsers",
        "cognito-idp:SignUp",
        "cognito-idp:UpdateUserAttributes"
      ],
      "Resource": "<amazon-cognito-user-pool-arn>"
    }
  ]
}
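Before attaching a custom policy, it is worth checking that it really is scoped to the actions above and to the one user pool entered in the Setup connection step rather than to a wildcard. The following checker is an added example, not part of UserHub's documentation or code; the account ID, pool ID and the over-broad policy are constructed sample values, and the ARN shape arn:aws:cognito-idp:<region>:<account-id>:userpool/<pool-id> is the standard Cognito user pool ARN format.

```python
import json
import re

# Actions the custom policy above grants the connection; anything else is excess.
ALLOWED_ACTIONS = {
    "cognito-idp:AdminCreateUser", "cognito-idp:AdminDeleteUser",
    "cognito-idp:AdminDeleteUserAttributes", "cognito-idp:AdminDisableUser",
    "cognito-idp:AdminEnableUser", "cognito-idp:AdminGetUser",
    "cognito-idp:AdminUpdateUserAttributes", "cognito-idp:DeleteUser",
    "cognito-idp:DeleteUserAttributes", "cognito-idp:DescribeUserPool",
    "cognito-idp:GetUser", "cognito-idp:ListUsers", "cognito-idp:SignUp",
    "cognito-idp:UpdateUserAttributes",
}
# User pool ARN: arn:aws:cognito-idp:<region>:<account-id>:userpool/<pool-id>
POOL_ARN = re.compile(r"^arn:aws:cognito-idp:([a-z0-9-]+):\d{12}:userpool/([\w-]+)$")

def as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource; normalise."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_policy(policy_json, region, pool_id):
    """Return findings for any Allow statement broader than the connection needs.
    An empty list means every action is on the allowlist and every resource is
    exactly the user pool (region + pool ID) entered in the Setup connection step."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"unneeded action {action!r}")
        for res in as_list(stmt.get("Resource")):
            m = POOL_ARN.match(res)
            if not m:
                findings.append(f"resource {res!r} is not a single user pool ARN")
            elif (m.group(1), m.group(2)) != (region, pool_id):
                findings.append(f"resource {res!r} is not pool {pool_id} in {region}")
    return findings

# Constructed samples: the policy above with a sample ARN filled in, and an
# over-broad variant that grants every Cognito action on every pool.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "UserHubConnection", "Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS),
    "Resource": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["cognito-idp:*", "cognito-idp:ListUsers"], "Resource": "*"}]})
```

Run check_policy on the policy document you are about to attach, with the region and User pool ID from the connection settings; any finding means the key holds more than the connection needs.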