
How do I link or unlink external federated users to native Cognito users?


I want to link users who federate through a third-party identity provider (IdP) to native Amazon Cognito user profiles in my user pool. Or, I want to unlink federated users from Amazon Cognito user profiles in my user pool.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Link an external federated user

You can link up to five federated users to each native user profile.

To link your federated users, run the following admin-link-provider-for-user AWS CLI command:

aws cognito-idp admin-link-provider-for-user \
    --user-pool-id User_Pool_ID \
    --destination-user ProviderAttributeValue=Username,ProviderName=Cognito \
    --source-user ProviderName=Provider_Name,ProviderAttributeName=Attribute,ProviderAttributeValue=Attribute_Value

Note: Replace User_Pool_ID with your Amazon Cognito user pool ID, Username with the native Amazon Cognito username, and Provider_Name with the third-party IdP. Replace Attribute with the user attribute that's mapped to the IdP and Attribute_Value with the attribute for the federated user.

If the command is successful, then the output shows an HTTP 200 status with an empty body.

Note: You can't use Amazon Cognito threat detection with federated sign-in providers. Amazon Cognito user activity logs don't record federated sign-in activity. For more information, see Linking federated users to an existing user profile.

Unlink an external federated user

To unlink the federated user, run the following admin-disable-provider-for-user command:

aws cognito-idp admin-disable-provider-for-user \
    --user-pool-id User_Pool_ID \
    --user ProviderName=Provider_Name,ProviderAttributeName=Attribute,ProviderAttributeValue=Attribute_Value

Note: Replace User_Pool_ID with your Amazon Cognito user pool ID and Provider_Name with your IdP. Replace Attribute with the user attribute that's mapped to the federated IdP and Attribute_Value with the attribute for the federated user.

If the command is successful, then the output shows an HTTP 200 status with an empty body.

To confirm that the user's attribute no longer lists the unlinked federated user, run the admin-get-user command.

After you unlink the federated user, the user can't use the IdP to sign in to the Amazon Cognito user account.
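As an added example (not part of the original article or the AWS CLI itself), the following Python reads the JSON that admin-get-user prints and checks whether a given federated identity is still linked and whether the native profile has room for another link under the five-user limit. It assumes the documented shape of the identities user attribute (a JSON array with providerName and userId fields); the sample response is constructed.

```python
import json

# Limit stated above: up to five federated users per native user profile.
MAX_LINKED_IDENTITIES = 5


def linked_identities(admin_get_user_json):
    """Return the parsed "identities" attribute from admin-get-user output.

    Amazon Cognito stores linked federated users in the "identities" user
    attribute as a JSON-encoded array (assumed field names: providerName,
    userId). A native user with no links has no such attribute.
    """
    user = json.loads(admin_get_user_json)
    for attr in user.get("UserAttributes", []):
        if attr.get("Name") == "identities":
            return json.loads(attr["Value"])
    return []


def is_linked(admin_get_user_json, provider_name, provider_user_id):
    """True if the federated user (provider + provider-side id) is linked."""
    return any(
        ident.get("providerName") == provider_name
        and ident.get("userId") == provider_user_id
        for ident in linked_identities(admin_get_user_json)
    )


def can_link_another(admin_get_user_json):
    """True if admin-link-provider-for-user would stay within the limit."""
    return len(linked_identities(admin_get_user_json)) < MAX_LINKED_IDENTITIES


# Constructed sample, modelled on the admin-get-user response shape.
SAMPLE_USER = json.dumps({
    "Username": "example-native-user",
    "UserStatus": "CONFIRMED",
    "Enabled": True,
    "UserAttributes": [
        {"Name": "sub", "Value": "00000000-0000-0000-0000-000000000000"},
        {"Name": "email", "Value": "user@example.com"},
        {"Name": "identities", "Value": json.dumps([
            {"userId": "google-user-id-example", "providerName": "Google",
             "providerType": "Google", "primary": False},
        ])},
    ],
})
SAMPLE_UNLINKED_USER = json.dumps({
    "Username": "example-native-user", "UserStatus": "CONFIRMED",
    "UserAttributes": [{"Name": "email", "Value": "user@example.com"}],
})
```

Run admin-get-user after a link or unlink, pipe its output into these functions, and act on the boolean rather than reading the attribute by eye.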

Related information

User pool sign-in with third-party identity providers

Managed login and federation error responses

AWS OFFICIAL. Updated 3 months ago.