How can I group AWS Cognito users based on a team or organization?

Tags:

aws-cognito

I want to create a service which allows users to sign up, but these users can be part of a team or organization; just like any other service, e.g. Slack, Trello, Google Apps, etc. So these users will need to inherit settings and permissions from the parent team or organization they have signed up as part of.

I understand there are user groups in Cognito, but these are limited to 25 per user pool as per the limits, and there is a limit of 60 pools by default. Is this even the correct way, or is there a better way to do this? Specifically, is there a built-in mechanism in Cognito to deal with this issue, or will it require some additional work?

Thanks in advance.

Meanman asked Jun 27 '18 10:06

1 Answer

To implement multi-tenant (teams, groups, organizations) support for your application, separating them as Cognito groups isn't the right choice.

You can either provision a Userpool per tenant (you can request to increase the limit from 60 by sending a limit increase support request to AWS) or handle tenants at the application level using a single Userpool (using Cognito only to authenticate).

Note: Unless you are using separate subdomains (e.g. tenant1.xyz.com) for each tenant with their own custom login page icon, you can use a single Cognito Userpool approach, which is simpler.

After a user authenticates using the Cognito login page, you can use the Cognito pre token generation trigger Lambda to query the user's Tenant ID from the database and add it to the JWT token, so that upon verification of the token you can retrieve the Tenant ID of the logged-in user.

Ashan answered Sep 27 '22 22:09
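As an added illustration of the pre token generation approach described in the answer above (example code, not the answerer's own): a Python Lambda handler that looks the tenant up in a constructed in-memory table standing in for the database, adds it to the ID token as a `tenant_id` claim, and fails closed when the user has no tenant assigned. The event shape follows Cognito's Pre Token Generation (V1) trigger; the table contents, the `tenant_id` claim name and the helper names are assumptions.

```python
import json

# Constructed stand-in for the database lookup the answer describes.
# Keyed by the Cognito "sub" attribute, which is stable for the life of the user
# (user names and e-mail addresses can change; "sub" cannot).
TENANT_BY_SUB = {
    "1f4c2e2a-0000-4000-8000-000000000001": "tenant-acme",
    "1f4c2e2a-0000-4000-8000-000000000002": "tenant-globex",
}


def lookup_tenant_id(sub):
    """Return the tenant for a user, or None if no tenant has been assigned."""
    return TENANT_BY_SUB.get(sub)


def pre_token_generation_handler(event, context=None):
    """Cognito Pre Token Generation (V1) trigger: copy the user's tenant into the ID token.

    Cognito passes the user's attributes in event["request"]["userAttributes"] and
    reads extra claims back from event["response"]["claimsOverrideDetails"].
    The V1 trigger only changes the ID token, so the app must verify and read that token.
    """
    sub = event["request"]["userAttributes"]["sub"]
    tenant_id = lookup_tenant_id(sub)
    if tenant_id is None:
        # Fail closed: an exception makes Cognito refuse to issue tokens, so a user with
        # no tenant never receives a token that the application would treat as valid.
        raise RuntimeError("user %s is not assigned to any tenant" % sub)
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {"tenant_id": tenant_id},
    }
    return event


def tenant_from_claims(claims):
    """Application side: read the tenant from a token payload whose signature, issuer,
    audience and expiry have ALREADY been verified; never trust unverified claims."""
    return claims["tenant_id"]  # KeyError rather than a silent default if the claim is absent


def make_event(sub, username):
    """Build a minimal constructed trigger event shaped like the one Cognito sends."""
    return {
        "triggerSource": "TokenGeneration_Authentication",
        "userName": username,
        "request": {"userAttributes": {"sub": sub, "cognito:user_status": "CONFIRMED"}},
        "response": {},
    }


if __name__ == "__main__":
    out = pre_token_generation_handler(make_event("1f4c2e2a-0000-4000-8000-000000000001", "alice"))
    print(json.dumps(out["response"], indent=2))
```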