This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::ElasticLoadBalancingV2::Listener AuthenticateCognitoConfig Specifies information required when integrating with Amazon Cognito to authenticate users. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AuthenticationRequestExtraParams](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-authenticationrequestextraparams)" : {Key: Value, ...}, "[OnUnauthenticatedRequest](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-onunauthenticatedrequest)" : String, "[Scope](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-scope)" : String, "[SessionCookieName](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-sessioncookiename)" : String, "[SessionTimeout](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-sessiontimeout)" : String, "[UserPoolArn](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpoolarn)" : String, "[UserPoolClientId](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpoolclientid)" : String, "[UserPoolDomain](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpooldomain)" : String } ``` ### YAML ``` [AuthenticationRequestExtraParams](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-authenticationrequestextraparams): Key: Value [OnUnauthenticatedRequest](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-onunauthenticatedrequest): String [Scope](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-scope): String [SessionCookieName](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-sessioncookiename): String [SessionTimeout](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-sessiontimeout): String [UserPoolArn](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpoolarn): String [UserPoolClientId](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpoolclientid): String [UserPoolDomain](#cfn-elasticloadbalancingv2-listener-authenticatecognitoconfig-userpooldomain): String ``` ## Properties `AuthenticationRequestExtraParams` The query parameters (up to 10) to include in the redirect request to the authorization endpoint. *Required*: No *Type*: Object of String *Pattern*: `[a-zA-Z0-9]+` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OnUnauthenticatedRequest` The behavior if the user is not authenticated. The following are possible values: + deny`` - Return an HTTP 401 Unauthorized error. + allow`` - Allow the request to be forwarded to the target. + authenticate`` - Redirect the request to the IdP authorization endpoint. This is the default value. *Required*: No *Type*: String *Allowed values*: `deny | allow | authenticate` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Scope` The set of user claims to be requested from the IdP. The default is `openid`. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SessionCookieName` The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SessionTimeout` The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days). *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserPoolArn` The Amazon Resource Name (ARN) of the Amazon Cognito user pool. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserPoolClientId` The ID of the Amazon Cognito user pool client. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserPoolDomain` The domain prefix or fully-qualified domain name of the Amazon Cognito user pool. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)