Implementing AWS Cognito Across Sites

Introduction to Cognito

Amazon Cognito is an identity authentication platform for web and mobile applications. It encompasses a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS authentication information. With Amazon Cognito, you can authenticate and authorize users from a built-in user directory, from your enterprise directory, and from consumer identity providers.

The following two components comprise Amazon Cognito. They operate independently or in combination, depending on your users’ access needs.

User Pool

Create a user pool when you want to authenticate and authorize users for your application or API. User pools are user directories with both self-service features (sign-up, sign-in, password recovery) and administrative features, so administrators can also create users directly. Your user pool can act as a standalone directory and an OpenID Connect (OIDC) identity provider (IdP), and it can also act as an intermediary service provider (SP) that federates third-party identity providers for employees and customers. SAML 2.0 and OIDC IdPs from your organization bring employee identities into Cognito and your application; public OAuth 2.0 identity providers such as Amazon, Google, Apple, and Facebook bring customer identities in.

User pools do not require integration with an identity pool. From a user pool, you can directly issue authenticated JSON web tokens (JWTs) to an application, web server, or API.
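Because a user pool hands JWTs straight to your application, the application is the party that must verify them. The following is an added example, not code from the original page or from AWS, showing the Cognito-specific claim checks a relying party applies after the token signature has been verified against the pool's JWKS; the region, pool id, client id and token contents are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed placeholder values; substitute your own pool's region, id and app client id.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment (base64url, unpadded). This only parses the
    claims; it proves nothing until the signature has been checked against the
    user pool's JWKS (the /.well-known/jwks.json document under EXPECTED_ISSUER)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def validate_cognito_claims(claims: dict, expected_token_use: str,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply the Cognito-specific claim checks to an already signature-verified token.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer does not match the expected user pool"
    if claims.get("token_use") != expected_token_use:
        return False, "token_use is not the expected kind of token"
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    audience_claim = "aud" if expected_token_use == "id" else "client_id"
    if claims.get(audience_claim) != APP_CLIENT_ID:
        return False, f"{audience_claim} is not this application's client id"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token is expired or has no exp claim"
    return True, "ok"


# Constructed sample ID token body (header and signature segments are dummies).
_SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
                  "sub": "00000000-0000-0000-0000-000000000000", "exp": 2000000000}
_seg = base64.urlsafe_b64encode(json.dumps(_SAMPLE_CLAIMS).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = f"eyJhbGciOiJSUzI1NiJ9.{_seg}.dummysignature"

if __name__ == "__main__":
    print(validate_cognito_claims(decode_payload(SAMPLE_TOKEN), "id", now=1700000000))
```

Rejecting a token whose `token_use` does not match what the endpoint expects prevents an access token from being accepted where an ID token is required, and vice versa.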

Identity Pools

Establish an Amazon Cognito identity pool when you want to grant access to AWS resources to authenticated or anonymous users. Identity pools issue temporary AWS credentials that your application uses to serve AWS resources to users. You can authenticate users with a trusted identity provider, such as a user pool or a SAML 2.0 service, and an identity pool can optionally issue credentials to unauthenticated guest visitors as well. Identity pools use both role-based and attribute-based access control to manage which AWS resources each user can reach.