Disabling Google login for a Cognito user once they signed-up using another external IdP


I have a scenario where users sign up to our system via Cognito, using either Google login or "natively" (username / password). That worked well, with the native identity linked to the Google identity using a pre-signup Lambda trigger executing the AdminLinkProviderForUser API command if both login methods are used consequently with the same email.

A new requirement allows users to sign-in via additional external IdPs (such as Azure AD or Okta), but then they are forced to lose their access via Google, to make sure only their organizational IdP will be used from that point onwards. Once such a user signs-up for the first time, we link its new federated SAML identity to the already-existing identity with the Google provider, forming the following identities attribute:

[
    {
        "userId": "123456789000",
        "providerName": "Google",
        "providerType": "Google",
        "issuer": null,
        "primary": true,
        "dateCreated": 1711882849284
    },
    {
        "userId": "harelm@lumigo.io",
        "providerName": "some-test-idp",
        "providerType": "SAML",
        "issuer": null,
        "primary": false,
        "dateCreated": 1711887418857
    }
]

However, when I try to run AdminDisableProviderForUser to disable the Google login for that user using the following command:

aws cognito-idp admin-disable-provider-for-user --user-pool-id us-west-2_XXXXXX --user ProviderName=Google,ProviderAttributeName=Cognito_Subject,ProviderAttributeValue=123456789000

I keep getting the following error:

Account isn't linked to anyone else, verify that the account has been linked

I've tried using Google_123456789000 and the username (sub) as potential values for ProviderAttributeValue, but got the same error. What am I missing here? Is there a special command / a "magical" set of values to be used with AdminDisableProviderForUser when the provider to be disabled is Google (as opposed to SAML*)?

  • It's important to mention that when trying to disable a SAML IdP, using the same command works with the only difference being the provider name and the value of ProviderAttributeValue, which is the user-id coming from the SAML provider.
asked a month ago, 104 views
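The question hinges on how the identities attribute maps onto the User argument of AdminDisableProviderForUser. The following Python is an added example, not code from the question author; it parses a constructed identities attribute in the same shape as the one above (placeholder ids, not the real ones), builds the ProviderName / ProviderAttributeName / ProviderAttributeValue triple the API expects, and refuses to issue the call when the user has no second linked identity, which is the precondition the error text asks you to verify. The boto3 client is passed in so the builder can be checked without AWS credentials; the pool id and provider names are assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of the Cognito "identities" attribute
# (a JSON array stored as a string on the user). Ids are placeholders.
SAMPLE_IDENTITIES = json.dumps([
    {"userId": "111111111111", "providerName": "Google", "providerType": "Google",
     "issuer": None, "primary": True, "dateCreated": 1711882849284},
    {"userId": "user@example.com", "providerName": "some-test-idp",
     "providerType": "SAML", "issuer": None, "primary": False,
     "dateCreated": 1711887418857},
])


def parse_identities(identities_attr: str) -> List[Dict[str, Any]]:
    """Parse the identities attribute; an empty/missing attribute means no links."""
    if not identities_attr:
        return []
    parsed = json.loads(identities_attr)
    if not isinstance(parsed, list):
        raise ValueError("identities attribute must be a JSON array")
    return parsed


def build_provider_user(identities_attr: str, provider_name: str) -> Dict[str, str]:
    """Build the 'User' argument for AdminDisableProviderForUser.

    The API takes ProviderName, ProviderAttributeName and ProviderAttributeValue.
    For a federated identity the value used here is the provider-side user id
    recorded in the identities attribute ('userId'), which is what works for the
    SAML case described in the question. The call is refused up front when the
    user is not linked to at least one other identity, because the service
    rejects an unlink on an account that has no other link.
    """
    identities = parse_identities(identities_attr)
    matches = [i for i in identities if i.get("providerName") == provider_name]
    if not matches:
        raise LookupError(f"no identity for provider {provider_name!r}")
    if len(identities) < 2:
        raise ValueError("user has no other linked identity; nothing to unlink")
    return {
        "ProviderName": provider_name,
        "ProviderAttributeName": "Cognito_Subject",
        "ProviderAttributeValue": str(matches[0]["userId"]),
    }


def disable_provider(client, user_pool_id: str, identities_attr: str,
                     provider_name: str) -> Dict[str, str]:
    """Issue the call through a boto3 cognito-idp client; returns the User sent."""
    provider_user = build_provider_user(identities_attr, provider_name)
    # boto3: client.admin_disable_provider_for_user(UserPoolId=..., User={...})
    client.admin_disable_provider_for_user(UserPoolId=user_pool_id, User=provider_user)
    return provider_user


if __name__ == "__main__":
    # Assumed pool id; the real one is redacted in the question.
    print(build_provider_user(SAMPLE_IDENTITIES, "some-test-idp"))
```

To run it against a real pool, pass `boto3.client("cognito-idp", region_name="us-west-2")` as `client` and the user's current `identities` attribute value (from AdminGetUser) as `identities_attr`; logging the returned dict alongside any InvalidParameterException makes it easy to see exactly which triple the service rejected.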
No Answers
