5. Topics
AWS Mobile Services and Amazon Cognito
Introduction to Amazon Cognito Identity
Summary of Features
Sample Use Cases
Getting Started
Q & A
Demo
6. Build and Scale Your Apps on AWS
Figure: mobile app capabilities mapped to the AWS services that provide them.
Authenticate users: Amazon Cognito (Identity)
Synchronize data: Amazon Cognito (Sync)
Analyze user behavior: Amazon Pinpoint
Run targeted campaigns: Amazon Pinpoint
Store and share media: Amazon S3
Deliver media: Amazon CloudFront
Store data: Amazon DynamoDB, Amazon RDS
Send push notifications: Amazon SNS Mobile Push
Server-side logic: Lambda
Test your app: Device Farm
8. Identity is mission critical for applications
Figure: the three pillars of user identity.
Authentication: sign in users; enable federation with enterprise identities; enable federation with social identities
User Management: manage user lifecycles; store and manage user profile data; monitor engagement
Authorization: protect data and operations; provide fine-grained access control
9. Your User Pools
1. Serverless Authentication and User Management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
2. Enhanced Security Features: verify phone numbers and email addresses and offer multi-factor authentication
3. Managed User Directory: launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
10. Comprehensive User Flows
User Sign-Up and Sign-In: allow users to sign up and sign in using an email, phone number, or username (and password) for your application
Email or Phone Number Verification: require users to verify their email address or phone number prior to activating their account with a one-time password challenge
Forgot Password: provide users the ability to change their password when they forget it with a one-time password challenge
User Profile Data: enable users to view and update their profile data, including custom attributes
SMS Multifactor Authentication: require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
Token Based Authentication: use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
Customize these User Flows Using Lambda
11. Custom User Flows Using Lambda Hooks
Category / Lambda Hook: example scenarios
Custom Authentication Flow
  Define Auth Challenge: determines the next challenge in a custom auth flow
  Create Auth Challenge: creates a challenge in a custom auth flow
  Verify Auth Challenge Response: determines if a response is correct in a custom auth flow
Authentication Events
  Pre Authentication: custom validation to accept or deny the sign-in request
  Post Authentication: event logging for custom analytics
Sign-Up
  Pre Sign-up: custom validation to accept or deny the sign-up request
  Post Confirmation: custom welcome messages or event logging for custom analytics
Messages
  Custom Message: advanced customization and localization of messages
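As an added example (not code from the deck or from AWS), the three custom authentication flow hooks from the table above, written in Python for a hypothetical one-time-code challenge. The event and response field names are those of the user pool Lambda trigger contract; send_code and make_event are constructed stand-ins for message delivery and for the trigger event.

```python
import hmac
import secrets

SENT = []  # constructed stand-in for the SMS/e-mail delivery call (real code would use SNS or SES)

def send_code(destination, code):
    SENT.append((destination, code))

def define_auth_challenge(event):
    """Define Auth Challenge: pick the next step from the session history Cognito passes in."""
    session = event["request"]["session"]
    resp = event["response"]
    custom = [s for s in session if s["challengeName"] == "CUSTOM_CHALLENGE"]
    resp["issueTokens"] = False
    resp["failAuthentication"] = False
    if custom and custom[-1]["challengeResult"]:
        resp["issueTokens"] = True          # last code was correct: sign the user in
    elif sum(1 for s in custom if not s["challengeResult"]) >= 3:
        resp["failAuthentication"] = True   # three wrong codes: abort the attempt
    else:
        resp["challengeName"] = "CUSTOM_CHALLENGE"  # first try, or retry after a wrong code
    return event

def create_auth_challenge(event, code=None):
    """Create Auth Challenge: issue a fresh one-time code; the answer stays server-side."""
    code = code or "".join(secrets.choice("0123456789") for _ in range(6))
    send_code(event["request"].get("userAttributes", {}).get("email"), code)
    resp = event["response"]
    resp["publicChallengeParameters"] = {"hint": "Enter the 6-digit code we sent you"}
    resp["privateChallengeParameters"] = {"answer": code}  # never returned to the client
    resp["challengeMetadata"] = "ONE_TIME_CODE"
    return event

def verify_auth_challenge_response(event):
    """Verify Auth Challenge Response: constant-time comparison of the submitted code."""
    expected = event["request"]["privateChallengeParameters"].get("answer", "")
    given = str(event["request"].get("challengeAnswer") or "")
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), given.encode())
    return event

def make_event(session=None, answer=None, private=None):
    """Constructed trigger event carrying only the fields the three hooks read."""
    return {"request": {"session": session or [],
                        "userAttributes": {"email": "user@example.com"},
                        "challengeAnswer": answer,
                        "privateChallengeParameters": private or {}},
            "response": {}}
```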
12. Extensive Admin Capabilities
Create and manage User Pools: create, configure, and delete multiple user pools across AWS regions
Define Custom Attributes: define custom attributes for your user profiles
Set per-App Permissions: set read and write permissions for each user attribute on a per-app basis
Set up Password Policies: enforce password policies like minimum length and requirement of certain types of characters
Require Submission of Attribute Data: select which attributes must be provided by the user prior to completion of the sign-up process
Search Users: search users based on a full match or a prefix match of their attributes through the console or Admin API
Manage Users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
13. App Integration with User Pools - Beta
• User Pools now provide a hosted UI for sign up, sign in, forgot password, etc.
• WebView for Mobile
• You can customize the UI and domain
• Basic in beta, more advanced coming
14. Federation with User Pools - Beta
• Cognito handles interactions with IdPs to authenticate users and receive tokens
• Identity providers (IdPs) are configured in Cognito
  • E.g., SAML metadata document, issuer URL, identifiers/domains
• Cognito User Pools act as a universal directory providing user profiles and authentication tokens for federated and “native” users
• Initially supporting SAML in beta, but more IdPs are coming
15. User Pool SAML Federation
Figure: SAML federation flow between the mobile or web app, the Amazon Cognito hosted UI, and the SAML IdPs (steps numbered 1 to 7 in the original diagram).
Labelled steps: determine IdP; redirect to IdP; user authenticated by IdP (SSO if active session); POST back with SAML assertion; create/update profile; Amazon Cognito (OIDC) tokens provided to app.
16. Cognito Federated Identities (Identity Pools)
• Exchanges tokens from authenticated users for AWS credentials to access resources such as S3 or DynamoDB
• You can define rules for mapping users to different IAM roles to manage permissions
• Provides an identity pool id to uniquely identify users
Figure: the mobile or web app presents a token to the Cognito Identity Pool, receives AWS credentials, and uses them to access backend resources (DynamoDB, S3, API GW); the access granted is tied to the IAM role (steps 1 to 3 in the original diagram).
17. Two Ways to Federate with Amazon Cognito
Cognito User Pools
• Handles the IdP interactions for you
• Provides profiles to manage users
• Provides OpenID Connect and OAuth2.0 standard tokens
• Priced per monthly active user
Cognito Identity Pools
• Provides AWS credentials for accessing resources on behalf of users
• Supports rules to map users to different IAM roles
• Free
19. Cognito User Pool as a Standalone IdP
• Cognito User Pools can be used as standalone IdPs
• User Pools provide OpenID Connect and OAuth2.0 standard tokens that can be used for authorizing access to your APIs / backend
Figure: the user signs in with username and password, authenticating with a user pool via our SDK or hosted UI (beta); the Cognito User Pool returns a CUP token, which the app presents to API Gateway to access backend resources (steps 1 to 3 in the original diagram).
20. Business to Consumer
• User Pools provide a directory for users to sign up and sign in
• Identity Pools provide AWS credentials to access backend resources
Figure: the user either signs in with Facebook, authenticating via the Facebook SDK to obtain an FB token (1a), or with a username and password, authenticating with a user pool via our SDK to obtain a CUP token (1b); the app exchanges the CUP/FB token at the Cognito Identity Pool for AWS credentials tied to an IAM role (2) and accesses backend resources such as DynamoDB, S3, or API GW (3).
21. Business to Business/Employee with SAML
• User Pools authenticate users and return OpenID Connect and OAuth2.0 standard tokens
• Identity Pools provide AWS credentials to access backend resources
Figure: the app authenticates with the Cognito User Pool, which redirects to and receives the SAML post back from the SAML IdP (e.g., ADFS); the user pool returns a CUP token, which the app exchanges at the Cognito Identity Pool for AWS credentials used to access backend resources (DynamoDB, S3, API GW). Steps are numbered 1 to 5 in the original diagram.
22. Business to Business/Employee with SAML v2
• User Pools authenticate users and return OpenID Connect and OAuth2.0 standard tokens
• User Pool tokens can be used for authorizing access to your APIs / backend
Figure: the same SAML authentication against the Cognito User Pool (redirect to and post back from the SAML IdP, e.g., ADFS) as in slide 21, but the app presents the CUP token directly to API Gateway to access backend resources (steps 1 to 4 in the original diagram).
23. Getting Started with Your User Pools
See aws.amazon.com/cognito/dev-resources/ for links to
Getting Started Guides
Documentation, SDKs, and Sample Apps
Videos
Presentation Slides
Blog Posts
Developer Forums
24. Q & A
Visit aws.amazon.com/cognito/ to learn more
Find resources at aws.amazon.com/cognito/dev-resources/
Get started with the beta features at docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-federation-beta-release-overview.html
Ask questions at the AWS Developer Forum or Stack Overflow (‘amazon-cognito’ tag)
29. Groups
Cognito User Pools: Groups and Multiple Authenticated Roles
Figure: user pool groups (Group A, Group B, ...) map to different IAM roles (IAM Role A, IAM Role B, ...), each with its own IAM role and policy. An authenticated user identity gets credentials from Cognito Federated Identities (multiple roles for authenticated identities), and the mapped role controls access to backend resources such as API Gateway, DynamoDB, and S3.
30. Your User Pools and Amazon API Gateway
1. Native Support: configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool. User Pools work together with API Gateway to authorize API requests.
2. Custom Authorizer Function: control access to your APIs using bearer token authentication strategies, such as OAuth or SAML. API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges.
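Added example, not the deck's or AWS's own code: an API Gateway custom authorizer in Python that applies the Cognito ID token claim checks (issuer, audience, token_use, expiry) behind the token-based authentication of slide 10 and maps the cognito:groups claim from slide 29 to an execute-api Allow/Deny policy. It assumes the JWT signature has already been verified against the user pool's JWKS by a JWT library before the claims reach authorize(); the region, pool id, app client id and group table are placeholders.

```python
import time

# Placeholder identifiers (not from the deck): replace with your pool's values.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Hypothetical group table: user pool group -> HTTP methods it may invoke.
GROUP_ALLOWS = {"admins": ["*"], "readers": ["GET"]}

def validate_id_token_claims(claims, now=None):
    """The claim checks Cognito documents for an ID token, run after the
    signature has been verified against the user pool's JWKS (assumed done)."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != issuer:
        raise ValueError("token not issued by this user pool")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token not issued for this app client")
    if claims.get("token_use") != "id":
        raise ValueError("expected an ID token, not an access token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def build_policy(principal, method_arn, effect):
    """Response shape API Gateway expects from a custom (Lambda) authorizer."""
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect,
                                              "Resource": method_arn}]}}

def authorize(claims, method_arn, now=None):
    """Decide Allow/Deny for one call from verified claims and the method ARN.
    (Raising Exception("Unauthorized") instead of Deny would yield a 401.)"""
    try:
        validate_id_token_claims(claims, now)
    except ValueError:
        return build_policy("anonymous", method_arn, "Deny")
    # methodArn looks like arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/path
    http_method = method_arn.split("/")[2]
    allowed = set()
    for group in claims.get("cognito:groups", []):
        allowed.update(GROUP_ALLOWS.get(group, []))
    effect = "Allow" if "*" in allowed or http_method in allowed else "Deny"
    return build_policy(claims.get("sub", "unknown"), method_arn, effect)
```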
32. Creating Users as an Administrator
Developers or administrators can create users in a user pool and
send them an optional, customizable invitation email or SMS message
New users sign in with a temporary password and create a new
password
User pools can be configured to only allow users created by an
administrator
33. Importing Existing Users
Batch Imports
• Import users by uploading .csv files
• Users will create a new password when they first sign in
• Each imported user must have an email address or a phone number
One-at-a-Time Migration
• Migrate users individually as they sign in
• The app first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system, captures the username and password, and silently creates the user in Cognito
• Retains passwords, but requires app coding and maintenance of the prior system for some period
Figure: the app signing in against Cognito and, as a fallback, the prior IdP.
34. Understanding User Status
• New users start with “Registered” status
• Users must be confirmed before they can sign in
• Users must be disabled before they can be deleted
Figure: user status state diagram. States: Registered (cannot sign in), Confirmed, Disabled, Reset Required, Force Change Password, (deleted). Transitions: Sign-up leads to Registered (Lambda trigger: Pre Sign-up); Confirm via email/phone or Admin Confirm leads to Confirmed; User import and Reset password lead to Reset Required; Admin Create User leads to Force Change Password; Disable and Enable move between Confirmed and Disabled; Delete leads to (deleted).