

# Identity pools third-party identity providers
<a name="external-identity-providers"></a>

With Amazon Cognito identity pools, you can integrate with a variety of external identity providers (IdPs) to provide temporary AWS credentials through federated authentication in your application. By configuring your identity pool to work with these external IdPs, you can authorize access to back-end AWS resources for your users with authentication by Amazon Cognito user pools, social providers, OIDC providers, or SAML providers. This section covers the steps to set up and integrate IdPs with your Amazon Cognito identity pool.

Using the `logins` property, you can set credentials received from an identity provider (IdP). You can also associate an identity pool with multiple IdPs. For example, you can set both the Facebook and Google tokens in the `logins` property to associate the unique Amazon Cognito identity with both IdP logins. The user can authenticate with either account, but Amazon Cognito returns the same user identifier.

The following instructions guide you through authentication with the IdPs that Amazon Cognito identity pools support.

**Topics**
+ [Setting up Facebook as an identity pools IdP](facebook.md)
+ [Setting up Login with Amazon as an identity pools IdP](amazon.md)
+ [Setting up Google as an identity pool IdP](google.md)
+ [Setting up Sign in with Apple as an identity pool IdP](apple.md)
+ [Setting up an OIDC provider as an identity pool IdP](open-id.md)
+ [Setting up a SAML provider as an identity pool IdP](saml-identity-provider.md)

# Setting up Facebook as an identity pools IdP
<a name="facebook"></a>

Amazon Cognito identity pools work with Facebook to provide federated authentication for your application users. This section explains how to register and set up your application with Facebook as an IdP.

## Set up Facebook
<a name="set-up-facebook"></a>

Register your application with Facebook before you authenticate Facebook users and interact with Facebook APIs.

The [Facebook Developers portal](https://developers.facebook.com/) helps you to set up your application. Do this procedure before you integrate Facebook in your Amazon Cognito identity pool:

**Note**  
Amazon Cognito identity pools federation isn't compatible with [Facebook Limited Login](https://developers.facebook.com/docs/facebook-login/limited-login). For more information about how to set up Facebook Login for iOS without exceeding the permissions set for Limited Login, see [Facebook Login for iOS - Quickstart](https://developers.facebook.com/docs/facebook-login/ios) at *Meta for Developers*.

**Setting up Facebook**

1. At the [Facebook Developers portal](https://developers.facebook.com/), log in with your Facebook credentials.

1. From the **Apps** menu, select **Add a New App**.

1. Select a platform and complete the quick start process.

### Android
<a name="set-up-facebook-1.android"></a>

For more information about how to integrate Android apps with Facebook Login, see the [Facebook Getting Started Guide](https://developers.facebook.com/docs/android/getting-started).

### iOS - Objective-C
<a name="set-up-facebook-1.ios-objc"></a>

For more information about how to integrate iOS Objective-C apps with Facebook Login, see the [Facebook Getting Started Guide](https://developers.facebook.com/docs/ios/getting-started/).

### iOS - Swift
<a name="set-up-facebook-1.ios-swift"></a>

For more information about how to integrate iOS Swift apps with Facebook Login, see the [Facebook Getting Started Guide](https://developers.facebook.com/docs/ios/getting-started/).

### JavaScript
<a name="set-up-facebook-1.javascript"></a>

For more information about how to integrate JavaScript web apps with Facebook Login, see the [Facebook Getting Started Guide](https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.3).

## Configure an identity provider in the Amazon Cognito identity pools console
<a name="configure-the-external-provider-in-the-amazon-cognito-console"></a>

Use the following procedure to configure your identity provider.

**To add a Facebook identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Facebook**.

1. Enter the **App ID** of the OAuth project that you created at [Meta for Developers](https://developers.facebook.com/). For more information, see [Facebook Login](https://developers.facebook.com/docs/facebook-login/) in the *Meta for Developers Docs*.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

## Using Facebook
<a name="using-facebook"></a>

### Android
<a name="using-facebook-1.android"></a>

To add Facebook authentication, first follow the [Facebook guide](https://developers.facebook.com/docs/android) and integrate the Facebook SDK into your application. Then add a [**Login with Facebook** button](https://developers.facebook.com/docs/facebook-login/android) to your Android user interface. The Facebook SDK uses a session object to track its state. Amazon Cognito uses the access token from this session object to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

After you authenticate your user with the Facebook SDK, add the session token to the Amazon Cognito credentials provider.

Facebook SDK 4.0 or later:

```
Map<String, String> logins = new HashMap<String, String>();
logins.put("graph.facebook.com", AccessToken.getCurrentAccessToken().getToken());
credentialsProvider.setLogins(logins);
```

Facebook SDK before 4.0:

```
Map<String, String> logins = new HashMap<String, String>();
logins.put("graph.facebook.com", Session.getActiveSession().getAccessToken());
credentialsProvider.setLogins(logins);
```

The Facebook login process initializes a singleton session in its SDK. The Facebook session object contains an OAuth token that Amazon Cognito uses to generate AWS credentials for your authenticated end user. Amazon Cognito also uses the token to check against your user database for the existence of a user that matches this particular Facebook identity. If the user already exists, the API returns the existing identifier. Otherwise, the API returns a new identifier. The client SDK automatically caches identifiers on the local device.

**Note**  
After you set the logins map, make a call to `refresh` or `get` to retrieve the AWS credentials.

### iOS - Objective-C
<a name="using-facebook-1.ios-objc"></a>

To add Facebook authentication, first follow the [Facebook guide](https://developers.facebook.com/docs/ios) and integrate the Facebook SDK into your application. Then add a [Login with Facebook button](https://developers.facebook.com/docs/facebook-login/ios) to your user interface. The Facebook SDK uses a session object to track its state. Amazon Cognito uses the access token from this session object to authenticate the user and bind them to a unique identity in your Amazon Cognito identity pool (federated identities).

To provide the Facebook access token to Amazon Cognito, implement the `AWSIdentityProviderManager` protocol from the [AWS SDK for iOS](https://github.com/aws-amplify/aws-sdk-ios).

When you implement the `logins` method, return a dictionary in which `AWSIdentityProviderFacebook` is the key and the current access token of the authenticated Facebook user is the value, as shown in the following code example.

```
- (AWSTask<NSDictionary<NSString *, NSString *> *> *)logins {
    FBSDKAccessToken *fbToken = [FBSDKAccessToken currentAccessToken];
    if (fbToken) {
        NSString *token = fbToken.tokenString;
        return [AWSTask taskWithResult:@{ AWSIdentityProviderFacebook : token }];
    } else {
        return [AWSTask taskWithError:[NSError errorWithDomain:@"Facebook Login"
                                                          code:-1
                                                      userInfo:@{ @"error" : @"No current Facebook access token" }]];
    }
}
```

When you instantiate the `AWSCognitoCredentialsProvider`, pass the class that implements `AWSIdentityProviderManager` as the value of `identityProviderManager` in the constructor. For more information, go to the [AWSCognitoCredentialsProvider](https://github.com/aws-amplify/aws-sdk-ios) reference page and choose **initWithRegionType:identityPoolId:identityProviderManager**.

### iOS - Swift
<a name="using-facebook-1.ios-swift"></a>

To add Facebook authentication, first follow the [Facebook guide](https://developers.facebook.com/docs/ios) and integrate the Facebook SDK into your application. Then add a [Login with Facebook button](https://developers.facebook.com/docs/facebook-login/ios) to your user interface. The Facebook SDK uses a session object to track its state. Amazon Cognito uses the access token from this session object to authenticate the user and bind them to a unique identity in your Amazon Cognito identity pool (federated identities).

**Note**  
Amazon Cognito identity pools federation isn't compatible with [Facebook Limited Login](https://developers.facebook.com/docs/facebook-login/limited-login). For more information about how to set up Facebook Login for iOS without exceeding the permissions set for Limited Login, see [Facebook Login for iOS - Quickstart](https://developers.facebook.com/docs/facebook-login/ios) at *Meta for Developers*.

To provide the Facebook access token to Amazon Cognito, implement the `AWSIdentityProviderManager` protocol from the [AWS SDK for iOS](https://github.com/aws-amplify/aws-sdk-ios).

When you implement the `logins` method, return a dictionary in which `AWSIdentityProviderFacebook` is the key and the current access token of the authenticated Facebook user is the value, as shown in the following code example.

```
class FacebookProvider: NSObject, AWSIdentityProviderManager {
    func logins() -> AWSTask<NSDictionary> {
        if let token = AccessToken.current?.authenticationToken {
            return AWSTask(result: [AWSIdentityProviderFacebook:token])
        }
        return AWSTask(error:NSError(domain: "Facebook Login", code: -1 , userInfo: ["Facebook" : "No current Facebook access token"]))
    }
}
```

When you instantiate the `AWSCognitoCredentialsProvider`, pass the class that implements `AWSIdentityProviderManager` as the value of `identityProviderManager` in the constructor. For more information, go to the [AWSCognitoCredentialsProvider](https://github.com/aws-amplify/aws-sdk-ios) reference page and choose **initWithRegionType:identityPoolId:identityProviderManager**.

### JavaScript
<a name="using-facebook-1.javascript"></a>

To add Facebook authentication, follow the [Facebook Login for the Web](https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.3) and add the **Login with Facebook** button on your website. The Facebook SDK uses a session object to track its state. Amazon Cognito uses the access token from this session object to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

After you authenticate your user with the Facebook SDK, add the session token to the Amazon Cognito credentials provider.

```
FB.login(function (response) {

  // Check if the user logged in successfully.
  if (response.authResponse) {

    console.log('You are now logged in.');

    // Add the Facebook access token to the Amazon Cognito credentials login map.
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'IDENTITY_POOL_ID',
      Logins: {
        'graph.facebook.com': response.authResponse.accessToken
      }
    });

    // Obtain AWS credentials
    AWS.config.credentials.get(function(){
        // Access AWS resources here.
    });

  } else {
    console.log('There was a problem logging you in.');
  }

});
```

The Facebook SDK obtains an OAuth token that Amazon Cognito uses to generate AWS credentials for your authenticated end user. Amazon Cognito also uses the token to check against your user database for the existence of a user matching this particular Facebook identity. If the user already exists, the API returns the existing identifier. Otherwise a new identifier is returned. Identifiers are automatically cached by the client SDK on the local device.

**Note**  
After you set the logins map, make a call to `refresh` or `get` to retrieve the credentials. For a code example, see "Use Case 17, Integrating User Pools with Cognito Identity," in the [JavaScript README file](https://github.com/amazon-archives/amazon-cognito-identity-js/blob/master/README.md).

### Unity
<a name="using-facebook-1.unity"></a>

To add Facebook authentication, first follow the [Facebook guide](https://developers.facebook.com/docs/unity) and integrate the Facebook SDK into your application. Amazon Cognito uses the Facebook access token from the `FB` object to generate a unique user identifier that is associated with an Amazon Cognito identity.

After you authenticate your user with the Facebook SDK, add the session token to the Amazon Cognito credentials provider:

```
void Start()
{
    FB.Init(delegate() {
        if (FB.IsLoggedIn) { //User already logged in from a previous session
            AddFacebookTokenToCognito();
        } else {
            FB.Login ("email", FacebookLoginCallback);
        }
    });
}

void FacebookLoginCallback(FBResult result)
{
    if (FB.IsLoggedIn)
    {
        AddFacebookTokenToCognito();
    }
    else
    {
        Debug.Log("FB Login error");
    }
}

void AddFacebookTokenToCognito()
{
    credentials.AddLogin ("graph.facebook.com", AccessToken.CurrentAccessToken.TokenString);
}
```

Before you use `FB.AccessToken`, call `FB.Login()` and make sure `FB.IsLoggedIn` is true.

### Xamarin
<a name="using-facebook-1.xamarin"></a>

**Xamarin for Android:**

```
public void InitializeFacebook() {
    FacebookSdk.SdkInitialize(this.ApplicationContext);
    callbackManager = CallbackManagerFactory.Create();
    LoginManager.Instance.RegisterCallback(callbackManager, new FacebookCallback<LoginResult>() {
        HandleSuccess = loginResult => {
            var accessToken = loginResult.AccessToken;
            credentials.AddLogin("graph.facebook.com", accessToken.Token);
            //open new activity
        },
        HandleCancel = () => {
            //throw error message
        },
        HandleError = loginError => {
            //throw error message
        }
    });
    LoginManager.Instance.LogInWithReadPermissions(this, new List<string> {
        "public_profile"
    });
}
```

**Xamarin for iOS:**

```
public void InitializeFacebook() {
    LoginManager login = new LoginManager();
    login.LogInWithReadPermissions(readPermissions.ToArray(), delegate(LoginManagerLoginResult result, NSError error) {
        if (error != null) {
            //throw error message
        } else if (result.IsCancelled) {
            //throw error message
        } else {
            // The delegate parameter is named result; in the Xamarin.Facebook.iOS
            // binding the login result exposes Token (an AccessToken) and the
            // AccessToken exposes TokenString.
            var accessToken = result.Token;
            credentials.AddLogin("graph.facebook.com", accessToken.TokenString);
            //open new view controller
        }
    });
}
```

# Setting up Login with Amazon as an identity pools IdP
<a name="amazon"></a>

Amazon Cognito identity pools work with Login with Amazon to provide federated authentication for your mobile and web app users. This section explains how to register and set up your application with Login with Amazon as an identity provider (IdP).

Set up Login with Amazon to work with Amazon Cognito in the [Developer Portal](https://developer.amazon.com/login-with-amazon). For more information, see [Setting Up Login with Amazon](https://developer.amazon.com/docs/login-with-amazon/faq.html#setting-up-login-with-amazon) in the Login with Amazon FAQ.

**Note**  
To integrate Login with Amazon into a Xamarin application, follow the [Xamarin Getting Started Guide](https://developer.xamarin.com/guides/cross-platform/getting_started/).

**Note**  
You can't natively integrate Login with Amazon on the Unity platform. Instead, use a web view and go through the browser sign-in flow.

## Setting up Login with Amazon
<a name="login-with-amazon-setup"></a>

**Implement Login with Amazon**

In the [Amazon developer portal](https://developer.amazon.com/apps-and-games/login-with-amazon), you can set up an OAuth application to integrate with your identity pool, find Login with Amazon documentation, and download SDKs. Choose **Developer console**, then **Login with Amazon** in the developer portal. You can create a security profile for your application and then build Login with Amazon authentication mechanisms into your app. See [Getting credentials](getting-credentials.md) for more information about how to integrate Login with Amazon authentication with your app.

Amazon issues an OAuth 2.0 **client ID** for your new security profile. You can find the **client ID** on the security profile **Web Settings** tab. Enter the **Security Profile ID** in the **App ID** field of the Login with Amazon IdP in your identity pool.

**Note**  
You enter the **Security Profile ID** in the **App ID** field of the Login with Amazon IdP in your identity pool. This differs from user pools, which use **client ID**.

## Configure the external provider in the Amazon Cognito console
<a name="login-with-amazon-configure-provider"></a>

**To add a Login with Amazon identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Login with Amazon**.

1. Enter the **App ID** of the OAuth project that you created at [Login with Amazon](https://developer.amazon.com/apps-and-games/login-with-amazon). For more information, see [Login with Amazon Documentation](https://developer.amazon.com/docs/login-with-amazon/documentation-overview.html).

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

## Use Login with Amazon: Android
<a name="set-up-amazon-1.android"></a>

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the `onSuccess` method of the `TokenListener` interface. The code looks like this:

```
@Override
public void onSuccess(Bundle response) {
    String token = response.getString(AuthzConstants.BUNDLE_KEY.TOKEN.val);
    Map<String, String> logins = new HashMap<String, String>();
    logins.put("www.amazon.com", token);
    credentialsProvider.setLogins(logins);
}
```

## Use Login with Amazon: iOS - Objective-C
<a name="set-up-amazon-1.ios-objc"></a>

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the `requestDidSucceed` method of the `AMZNAccessTokenDelegate`:

```
- (void)requestDidSucceed:(APIResult *)apiResult {
    if (apiResult.api == kAPIAuthorizeUser) {
        [AIMobileLib getAccessTokenForScopes:[NSArray arrayWithObject:@"profile"] withOverrideParams:nil delegate:self];
    }
    else if (apiResult.api == kAPIGetAccessToken) {
        credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyLoginWithAmazon): apiResult.result };
    }
}
```

## Use Login with Amazon: iOS - Swift
<a name="set-up-amazon-1.ios-swift"></a>

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the `requestDidSucceed` method of the `AMZNAccessTokenDelegate`:

```
func requestDidSucceed(apiResult: APIResult!) {
    if apiResult.api == API.AuthorizeUser {
        AIMobileLib.getAccessTokenForScopes(["profile"], withOverrideParams: nil, delegate: self)
    } else if apiResult.api == API.GetAccessToken {
        credentialsProvider.logins = [AWSCognitoLoginProviderKey.LoginWithAmazon.rawValue: apiResult.result]
    }
}
```

## Use Login with Amazon: JavaScript
<a name="set-up-amazon-1.javascript"></a>

After the user authenticates with Login with Amazon and is redirected back to your website, the Login with Amazon access token is provided in the query string. Pass that token into the credentials login map.

```
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
   IdentityPoolId: 'IDENTITY_POOL_ID',
   Logins: {
       'www.amazon.com': 'Amazon Access Token'
   }
});
```

# Setting up Google as an identity pool IdP
<a name="google"></a>

Amazon Cognito identity pools work with Google to provide federated authentication for your mobile application users. This section explains how to register and set up your application with Google as an IdP.

## Android
<a name="set-up-google-1.android"></a>

**Note**  
If your app uses Google and is available on multiple mobile platforms, you should configure it as an [OpenID Connect Provider](open-id.md). Add all created client IDs as additional audience values for better integration. To learn more about Google's cross-client identity model, see [Cross-client Identity](https://developers.google.com/accounts/docs/CrossClientAuth).

**Setting up Google**

To activate Google Sign-in for Android, create a Google Developers console project for your application.

1. Go to the [Google Developers console](https://console.developers.google.com/) and create a new project.

1. Choose **APIs & Services**, then **OAuth consent screen**. Customize the information that Google shows to your users when Google asks for their consent to share their profile data with your app.

1. Choose **Credentials**, then **Create credentials**. Choose **OAuth client ID**. Select **Android** as the **Application type**. Create a separate client ID for each platform where you develop your app.

1. From **Credentials**, choose **Manage service accounts**. Choose **Create service account**. Enter your service account details, and then choose **Create and continue**.

1. Grant the service account access to your project. Grant users access to the service account as your app requires.

1. Choose your new service account, choose the **Keys** tab, and **Add key**. Create and download a new JSON key.

For more information about how to use the Google Developers console, see [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) in the Google Cloud documentation.

For more information about how to integrate Google into your Android app, see [Authenticate users with Sign in with Google](https://developer.android.com/identity/sign-in/credential-manager-siwg) in the Google Identity documentation.

**To add a Google identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Google**.

1. Enter the **Client ID** of the OAuth project you created at [Google Cloud Platform](https://console.cloud.google.com/). For more information, see [Setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849) in *Google Cloud Platform Console Help*.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

**Use Google**

To enable login with Google in your application, follow the instructions in the [Google documentation for Android](https://developers.google.com/identity/sign-in/android/start). When a user signs in, they request an OpenID Connect authentication token from Google. Amazon Cognito then uses the token to authenticate the user and generate a unique identifier.

The following example code shows how to retrieve the authentication token from the Google Play service:

```
// Check that Google Play services is available (inspect the returned status code).
GooglePlayServicesUtil.isGooglePlayServicesAvailable(getApplicationContext());
AccountManager am = AccountManager.get(this);
Account[] accounts = am.getAccountsByType(GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE);
// Requests an ID token whose audience is your server client ID. getToken is a
// blocking network call: run it off the main thread, and handle the
// IOException and GoogleAuthException it declares.
String token = GoogleAuthUtil.getToken(getApplicationContext(), accounts[0].name,
        "audience:server:client_id:YOUR_GOOGLE_CLIENT_ID");
Map<String, String> logins = new HashMap<String, String>();
logins.put("accounts.google.com", token);
credentialsProvider.setLogins(logins);
```
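The token requested above is an OpenID Connect ID token whose `aud` claim is the client ID named in the `audience:server:client_id:` string; the cross-client note at the top of this section is about registering every such client ID as an accepted audience. The following is an added example, not AWS or Google code, that decodes an ID token's payload and checks its issuer, audience and expiry before the token is placed in the `accounts.google.com` entry of the logins map. It does not verify the signature (Amazon Cognito does that when it exchanges the token); it is a client-side sanity check that surfaces a token minted for the wrong client ID before it is sent anywhere. The client IDs, the token and its signature segment are constructed placeholders.

```javascript
// Added example (not AWS or Google code). Checks a Google ID token's iss, aud
// and exp claims before building the Cognito logins map entry for it.
// The signature is NOT verified here; Cognito verifies it server-side.

const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

// Returns the payload claims of a compact JWT (header.payload.signature)
// without verifying the signature. Throws if the token is not three segments.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Checks iss, aud (a string or an array of strings) and exp against the client
// IDs this app registered. Returns {ok, reason|claims} so callers can log why
// a token was rejected.
function checkGoogleIdToken(token, expectedClientIds, nowSeconds) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (!GOOGLE_ISSUERS.includes(claims.iss)) {
    return { ok: false, reason: `unexpected issuer ${claims.iss}` };
  }
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.some((a) => expectedClientIds.includes(a))) {
    return { ok: false, reason: `audience ${audiences.join(',')} is not one of this app's client IDs` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  return { ok: true, claims };
}

// Builds the logins map entry Cognito expects for Google, or throws.
// nowSeconds is a parameter so the check can be exercised with fixed times.
function googleLoginsEntry(token, expectedClientIds, nowSeconds = Math.floor(Date.now() / 1000)) {
  const result = checkGoogleIdToken(token, expectedClientIds, nowSeconds);
  if (!result.ok) throw new Error(`refusing to send token to Cognito: ${result.reason}`);
  return { 'accounts.google.com': token };
}

// Constructs a sample token for the demonstration: real header and payload
// encoding, but a dummy signature segment (this is NOT a real Google token).
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummy-signature`;
}

// Placeholder client IDs standing in for the ones created in the Google console.
const SAMPLE_CLIENT_IDS = [
  '000000000000-android.apps.googleusercontent.com',
  '000000000000-web.apps.googleusercontent.com',
];

function demo() {
  const now = 1_700_000_000;
  const good = makeUnsignedToken({
    iss: 'https://accounts.google.com',
    aud: '000000000000-web.apps.googleusercontent.com',
    sub: '1234567890',
    exp: now + 3600,
  });
  const wrongAudience = makeUnsignedToken({
    iss: 'https://accounts.google.com',
    aud: '000000000000-someone-else.apps.googleusercontent.com',
    exp: now + 3600,
  });
  return {
    accepted: Object.keys(googleLoginsEntry(good, SAMPLE_CLIENT_IDS, now)),
    rejected: checkGoogleIdToken(wrongAudience, SAMPLE_CLIENT_IDS, now).reason,
  };
}
```

`demo()` returns `['accounts.google.com']` for the well-formed token and a rejection reason naming the unexpected audience for the other one. If you register more than one client ID (the cross-client case), pass all of them in `expectedClientIds`; the check accepts a token whose `aud` is any one of them.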

## iOS - Objective-C
<a name="set-up-google-1.ios-objc"></a>

**Note**  
If your app uses Google and is available on multiple mobile platforms, configure Google as an [OpenID Connect Provider](open-id.md). Add all created client IDs as additional audience values for better integration. To learn more about Google's cross-client identity model, see [Cross-client Identity](https://developers.google.com/accounts/docs/CrossClientAuth).

**Setting up Google**

To enable Google Sign-in for iOS, create a Google Developers console project for your application.

1. Go to the [Google Developers console](https://console.developers.google.com/) and create a new project.

1. Choose **APIs & Services**, then **OAuth consent screen**. Customize the information that Google shows to your users when Google asks for their consent to share their profile data with your app.

1. Choose **Credentials**, then **Create credentials**. Choose **OAuth client ID**. Select **iOS** as the **Application type**. Create a separate client ID for each platform where you develop your app.

1. From **Credentials**, choose **Manage service accounts**. Choose **Create service account**. Enter your service account details, and choose **Create and continue**.

1. Grant the service account access to your project. Grant users access to the service account as your app requires.

1. Choose your new service account. Choose the **Keys** tab, and **Add key**. Create and download a new JSON key.

For more information about how to use the Google Developers console, see [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) in the Google Cloud documentation.

For more information about how to integrate Google into your iOS app, see [Google Sign-In for iOS](https://developers.google.com/identity/sign-in/ios/start-integrating) in the Google Identity documentation.

**To add a Google identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Google**.

1. Enter the **Client ID** of the OAuth project you created at [Google Cloud Platform](https://console.cloud.google.com/). For more information, see [Setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849) in *Google Cloud Platform Console Help*.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

**Use Google**

To enable login with Google in your application, follow the [Google documentation for iOS](https://developers.google.com/identity/sign-in/ios/start/). Successful authentication results in a `GTMOAuth2Authentication` object whose `parameters` contain an `id_token`, an OpenID Connect ID token. Amazon Cognito uses that ID token, not the OAuth access token, to authenticate the user and generate a unique identifier:

```
- (void)finishedWithAuth:(GTMOAuth2Authentication *)auth error:(NSError *)error {
    if (error) { return; } // handle the sign-in error before touching the logins map
    // Pass the OIDC ID token, not the OAuth access token, in the logins map.
    NSString *idToken = [auth.parameters objectForKey:@"id_token"];
    credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyGoogle): idToken };
}
```

## iOS - Swift
<a name="set-up-google-1.ios-swift"></a>

**Note**  
If your app uses Google and is available on multiple mobile platforms, configure Google as an [OpenID Connect Provider](open-id.md). Add all created client IDs as additional audience values for better integration. To learn more about Google's cross-client identity model, see [Cross-client Identity](https://developers.google.com/accounts/docs/CrossClientAuth).

**Setting up Google**

To enable Google Sign-in for iOS, create a Google Developers console project for your application.

1. Go to the [Google Developers console](https://console.developers.google.com/) and create a new project.

1. Choose **APIs & Services**, then **OAuth consent screen**. Customize the information that Google shows to your users when Google asks for their consent to share their profile data with your app.

1. Choose **Credentials**, then **Create credentials**. Choose **OAuth client ID**. Select **iOS** as the **Application type**. Create a separate client ID for each platform where you develop your app.

1. From **Credentials**, choose **Manage service accounts**. Choose **Create service account**. Enter your service account details, and choose **Create and continue**.

1. Grant the service account access to your project. Grant users access to the service account as your app requires.

1. Choose your new service account, choose the **Keys** tab, and **Add key**. Create and download a new JSON key. Treat this file as a long-lived secret: keep it server-side and never bundle it in the mobile or web app, which needs only the OAuth client ID.

For more information about how to use the Google Developers console, see [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) in the Google Cloud documentation.

For more information about how to integrate Google into your iOS app, see [Google Sign-In for iOS](https://developers.google.com/identity/sign-in/ios/start-integrating) in the Google Identity documentation.

**Configuring the external provider in the Amazon Cognito Console**

1. Choose **Manage Identity Pools** from the [Amazon Cognito Console home page](https://console.aws.amazon.com/cognito/home), then choose the name of the identity pool where you want to enable Google as an external provider. The **Dashboard** page for your identity pool appears.

1. In the top-right corner of the **Dashboard** page, choose **Edit identity pool**. The Edit identity pool page appears.

1. Scroll down and choose **Authentication providers** to expand the section.

1. Choose the **Google** tab.

1. Choose **Unlock**.

1. Enter the Google Client ID that you obtained from Google, and then choose **Save Changes**.

**Use Google**

To enable login with Google in your application, follow the [Google documentation for iOS](https://developers.google.com/identity/sign-in/ios/start/). Successful authentication results in a `GTMOAuth2Authentication` object whose `parameters` contain an `id_token`, an OpenID Connect ID token. Amazon Cognito uses that ID token, not the OAuth access token, to authenticate the user and generate a unique identifier:

```
func finishedWithAuth(auth: GTMOAuth2Authentication!, error: NSError!) {
    if let error = error {
        print(error.localizedDescription)
        return
    }
    // Pass the OIDC ID token, not the OAuth access token, in the logins map.
    guard let idToken = auth.parameters["id_token"] as? String else {
        print("Google response did not include an id_token")
        return
    }
    credentialsProvider.logins = [AWSCognitoLoginProviderKey.Google.rawValue: idToken]
}
```

## JavaScript
<a name="set-up-google-1.javascript"></a>

**Note**  
If your app uses Google and is available on multiple mobile platforms, you should configure Google as an [OpenID Connect Provider](open-id.md). Add all created client IDs as additional audience values for better integration. To learn more about Google's cross-client identity model, see [Cross-client Identity](https://developers.google.com/accounts/docs/CrossClientAuth).

**Setting up Google**

To enable Google Sign-in for a JavaScript web app, create a Google Developers console project for your application.

1. Go to the [Google Developers console](https://console.developers.google.com/) and create a new project.

1. Choose **APIs & Services**, then **OAuth consent screen**. Customize the information that Google shows to your users when Google asks their consent to share their profile data with your app.

1. Choose **Credentials**, then **Create credentials**. Choose **OAuth client ID**. Select **Web application** as the **Application type**. Create a separate client ID for each platform where you develop your app.

1. From **Credentials**, choose **Manage service accounts**. Choose **Create service account**. Enter your service account details, and choose **Create and continue**.

1. Grant the service account access to your project. Grant users access to the service account as your app requires.

1. Choose your new service account, choose the **Keys** tab, and **Add key**. Create and download a new JSON key. Treat this file as a long-lived secret: keep it server-side and never ship it to the browser, which needs only the OAuth client ID.

For more information about how to use the Google Developers console, see [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects) in the Google Cloud documentation.

For more information about how to integrate Google into your web app, see [Sign in With Google](https://developers.google.com/identity/gsi/web/guides/overview) in the Google Identity documentation.

**Configure the External Provider in the Amazon Cognito Console**

**To add a Google identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Google**.

1. Enter the **Client ID** of the OAuth project you created at [Google Cloud Platform](https://console.cloud.google.com/). For more information, see [Setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849) in *Google Cloud Platform Console Help*.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

**Use Google**

To enable login with Google in your application, follow the [Google documentation for Web](https://developers.google.com/identity/gsi/web/guides/overview).

Successful authentication results in a response object that contains an `id_token` that Amazon Cognito uses to authenticate the user and generate a unique identifier:

```
function signinCallback(authResult) {
  if (authResult['status']['signed_in']) {

     // Add the Google ID token (not the OAuth access token) to the Amazon Cognito credentials login map.
     AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'IDENTITY_POOL_ID',
        Logins: {
           'accounts.google.com': authResult['id_token']
        }
     });

     // Obtain AWS credentials
     AWS.config.credentials.get(function(err){
        if (err) {
           console.error('Could not obtain credentials from Amazon Cognito:', err);
           return;
        }
        // Access AWS resources here.
     });
  }
}
```

# Setting up Sign in with Apple as an identity pool IdP
<a name="apple"></a>

Amazon Cognito identity pools work with Sign in with Apple to provide federated authentication for your mobile application and web application users. This section explains how to register and set up your application using Sign in with Apple as an identity provider (IdP).

To add Sign in with Apple as an authentication provider to an identity pool, you must complete two procedures. First, integrate Sign in with Apple in an application, and then configure Sign in with Apple in identity pools. For the most up-to-date information about setting up Sign in with Apple, see [Configuring Your Environment for Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/configuring-your-environment-for-sign-in-with-apple) in the Apple Developer documentation.

## Set up Sign in with Apple
<a name="login-with-apple-setup"></a>

To configure Sign in with Apple as an IdP, register your application with Apple to receive a client ID.

1. Create a [developer account with Apple](https://developer.apple.com/programs/enroll/).

1. [Sign in](https://developer.apple.com/account/#/welcome) with your Apple credentials.

1. In the left navigation pane, choose **Certificates, IDs & Profiles**.

1. In the left navigation pane, choose **Identifiers**.

1. On the **Identifiers** page, choose the **+** icon.

1. On the **Register a New Identifier** page, choose **App IDs**, and then choose **Continue**.

1. On the **Register an App ID** page, do the following:

   1. Under **Description**, type a description.

   1. Under **Bundle ID,** type an identifier. Make a note of this **Bundle ID** as you need this value to configure Apple as a provider in the identity pool. 

   1. Under **Capabilities**, choose **Sign In with Apple**, and then choose **Edit**.

   1. On the **Sign in with Apple: App ID Configuration** page, select the appropriate setting for your app. Then choose **Save**.

   1. Choose **Continue**.

1. On the **Confirm your App ID** page, choose **Register**.

1. If you're integrating Sign in with Apple in a native iOS application, the **Bundle ID** you just registered is the value you enter in the identity pool, so you can skip the Services ID steps that follow and continue with the **Keys** steps. The Services ID steps are for applications that use Sign in with Apple JS.

1. On the **Identifiers** page, choose the **App IDs** menu, then **Services IDs**. Choose the **+** icon.

1. On the **Register a New Identifier** page, choose **Services IDs**, and then choose **Continue**.

1. On the **Register a Services ID** page, do the following:

   1. Under **Description**, type a description.

   1. Under **Identifier**, type an identifier. Make a note of the services ID as you need this value to configure Apple as a provider in your identity pool. 

   1. Select **Sign In with Apple** and then choose **Configure**.

   1. On the **Web Authentication Configuration** page, choose a **Primary App ID**. Under **Website URLs**, choose the **+** icon. For **Domains and Subdomains**, enter the domain name of your app. In **Return URLs**, enter the callback URL to which the authorization redirects the user after they authenticate through Sign in with Apple.

   1. Choose **Next**.

   1. Choose **Continue**, and then choose **Register**.

1. In the left navigation pane, choose **Keys**.

1. On the **Keys** page, choose the **+** icon.

1. On the **Register a New Key** page, do the following:

   1. Under **Key Name**, type a key name. 

   1. Choose **Sign In with Apple**, and then choose **Configure**.

   1. On the **Configure Key** page, choose a **Primary App ID** and then choose **Save**.

   1. Choose **Continue**, and then choose **Register**.

**Note**  
To integrate Sign in with Apple with a native iOS application, see [Implementing User Authentication with Sign in with Apple](https://developer.apple.com/documentation/authenticationservices/implementing-user-authentication-with-sign-in-with-apple).  
To integrate Sign in with Apple in a platform other than native iOS, see [Sign in with Apple JS](https://developer.apple.com/documentation/signinwithapplejs/).

## Configure the external provider in the Amazon Cognito federated identities console
<a name="login-with-apple-configure-provider"></a>

Use the following procedure to configure your external provider.

**To add a Sign in with Apple identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **Sign in with Apple**.

1. Enter the **Services ID** that you registered with [Apple Developer](https://developer.apple.com) (for a native iOS app, the **Bundle ID**). For more information, see [Authenticating users with Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/authenticating-users-with-sign-in-with-apple) in *Sign in with Apple Documentation*.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

## Sign in with Apple as a provider in the Amazon Cognito federated identities CLI examples
<a name="sign-in-with-apple-cli-examples"></a>

This example creates an identity pool named `MyIdentityPool` with Sign in with Apple as an IdP. The value after `appleid.apple.com=` is the Services ID (or, for a native iOS app, the Bundle ID) that you registered with Apple.

`aws cognito-identity create-identity-pool --identity-pool-name MyIdentityPool --supported-login-providers appleid.apple.com="sample.apple.clientid"`

For more information, see [create-identity-pool](https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/create-identity-pool.html).

**Generate an Amazon Cognito identity ID**  
This example generates (or retrieves) an Amazon Cognito identity ID for the user whose Sign in with Apple ID token you supply. `GetId` is an unauthenticated API operation, so you don't need AWS credentials to call it.

`aws cognito-identity get-id --identity-pool-id SampleIdentityPoolId --logins appleid.apple.com="SignInWithAppleIdToken"`

For more information, see [get-id](https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html).

**Get credentials for an Amazon Cognito identity ID**  
This example returns temporary AWS credentials for the provided identity ID and Sign in with Apple ID token. `GetCredentialsForIdentity` is also an unauthenticated API operation, so you don't need AWS credentials to call it; the ID token in the `--logins` map is what authorizes the request.

`aws cognito-identity get-credentials-for-identity --identity-id SampleIdentityId --logins appleid.apple.com="SignInWithAppleIdToken"`

For more information, see [get-credentials-for-identity](https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-credentials-for-identity.html).

## Use Sign in with Apple: Android
<a name="set-up-apple-1.android"></a>

Apple doesn't provide an SDK that supports Sign in with Apple for Android. You can use the web flow in a web view instead.
+ To configure Sign in with Apple in your application, follow [Configuring Your Web page for Sign In with Apple](https://developer.apple.com/documentation/signinwithapple/configuring-your-webpage-for-sign-in-with-apple) in the Apple documentation.
+ To add a **Sign in with Apple** button to your Android user interface, follow [Displaying Sign in with Apple buttons on the web](https://developer.apple.com/documentation/signinwithapple/displaying-sign-in-with-apple-buttons-on-the-web) in the Apple documentation.
+ To securely authenticate users with Sign in with Apple, follow [Authenticating Users with Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/authenticating-users-with-sign-in-with-apple) in the Apple documentation.

Sign in with Apple uses a session object to track its state. Amazon Cognito uses the ID token from this session object to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

```
@Override
public void onSuccess(Bundle response) {
    String token = response.getString("id_token");
    Map<String, String> logins = new HashMap<String, String>();
    logins.put("appleid.apple.com", token);
    credentialsProvider.setLogins(logins);
}
```

## Use Sign in with Apple: iOS - Objective-C
<a name="set-up-apple-1.ios-objc"></a>

Apple provides SDK support for Sign in with Apple in native iOS applications through the AuthenticationServices framework. To implement user authentication with Sign in with Apple on native iOS devices, follow [Implementing User Authentication with Sign in with Apple](https://developer.apple.com/documentation/authenticationservices/implementing-user-authentication-with-sign-in-with-apple) in the Apple documentation.

Amazon Cognito uses the ID token to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

```
- (void)finishedWithAuth:(ASAuthorizationAppleIDCredential *)auth error:(NSError *)error {
    if (error) { return; } // handle the sign-in error before touching the logins map
    // identityToken is the ID token as raw JWT bytes; Amazon Cognito expects the JWT string.
    NSString *idToken = [[NSString alloc] initWithData:auth.identityToken encoding:NSUTF8StringEncoding];
    credentialsProvider.logins = @{ @"appleid.apple.com": idToken };
}
```

## Use Sign in with Apple: iOS - Swift
<a name="set-up-apple-1.ios-swift"></a>

Apple provides SDK support for Sign in with Apple in native iOS applications through the AuthenticationServices framework. To implement user authentication with Sign in with Apple on native iOS devices, follow [Implementing User Authentication with Sign in with Apple](https://developer.apple.com/documentation/authenticationservices/implementing-user-authentication-with-sign-in-with-apple) in the Apple documentation.

Amazon Cognito uses the ID token to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

For more information about how to set up Sign in with Apple in iOS, see [Set up Sign in with Apple](https://docs.amplify.aws/sdk/auth/federated-identities/q/platform/ios#set-up-sign-in-with-apple)

```
func finishedWithAuth(auth: ASAuthorizationAppleIDCredential!, error: NSError!) {
    if let error = error {
        print(error.localizedDescription)
        return
    }
    // identityToken is the ID token as raw JWT bytes; Amazon Cognito expects the JWT string.
    guard let tokenData = auth.identityToken,
          let idToken = String(data: tokenData, encoding: .utf8) else {
        print("Sign in with Apple response did not include an identity token")
        return
    }
    credentialsProvider.logins = ["appleid.apple.com": idToken]
}
```

## Use Sign in with Apple: JavaScript
<a name="set-up-apple-1.javascript"></a>

Apple doesn't provide a native SDK for Sign in with Apple in JavaScript applications. Use the web flow (Sign in with Apple JS) instead.
+ To configure Sign in with Apple in your application, follow [Configuring Your Web page for Sign In with Apple](https://developer.apple.com/documentation/signinwithapple/configuring-your-webpage-for-sign-in-with-apple) in the Apple documentation.
+ To add a **Sign in with Apple** button to your JavaScript user interface, follow [Displaying Sign in with Apple buttons on the web](https://developer.apple.com/documentation/signinwithapple/displaying-sign-in-with-apple-buttons-on-the-web) in the Apple documentation.
+ To securely authenticate users with Sign in with Apple, follow [Authenticating Users with Sign in with Apple](https://developer.apple.com/documentation/signinwithapple/authenticating-users-with-sign-in-with-apple) in the Apple documentation.

Sign in with Apple uses a session object to track its state. Amazon Cognito uses the ID token from this session object to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

```
function signinCallback(authResult) {
     // Add the Sign in with Apple ID token to the Amazon Cognito credentials login map.
     AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'IDENTITY_POOL_ID',
        Logins: {
           'appleid.apple.com': authResult['id_token']
        }
     });

     // Obtain AWS credentials
     AWS.config.credentials.get(function(err){
        if (err) {
           console.error('Could not obtain credentials from Amazon Cognito:', err);
           return;
        }
        // Access AWS resources here.
     });
}
```

# Setting up an OIDC provider as an identity pool IdP
<a name="open-id"></a>

[OpenID Connect](http://openid.net/connect/) is an open standard for authentication that a number of login providers support. With Amazon Cognito, you can link identities with OpenID Connect providers that you configure through [AWS Identity and Access Management](http://aws.amazon.com/iam/).

**Adding an OpenID Connect provider**

For information about how to create an OpenID Connect provider, see [Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc.html) in the *AWS Identity and Access Management User Guide*.

**Associating a provider with Amazon Cognito**

**To add an OIDC identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **OpenID Connect (OIDC)**.

1. Choose an **OIDC identity provider** from the IAM IdPs in your AWS account. If you want to add a new OIDC provider, choose **Create new provider** to navigate to the IAM console.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

You can associate multiple OpenID Connect providers with a single identity pool.

**Using OpenID Connect**

Refer to your provider's documentation for how to sign in and receive an ID token.

After you have a token, add the token to the logins map. Use the URI of your provider as the key.

**Validating an OpenID Connect token**

When you first integrate with Amazon Cognito, you might receive an `InvalidToken` exception. To troubleshoot it, you need to understand how Amazon Cognito validates OpenID Connect (OIDC) ID tokens.

**Note**  
As permitted by [RFC 7523](https://tools.ietf.org/html/rfc7523), Amazon Cognito allows a grace period of 5 minutes on time-based claims to handle clock skew between systems.

1. The `iss` claim must match the key that the logins map uses (such as `login.provider.com`).

1. The signature must be valid. The signature must be verifiable with an RSA public key that your provider publishes.
**Note**  
Identity pools maintain a cache of the OIDC IdP signing key for a brief period. If your provider rotates its signing key, Amazon Cognito might return a `NoKeyFound` error until this cache refreshes. If you encounter this error, wait about ten minutes for your identity pool to refresh the signing key.

1. The fingerprint of the certificate public key must match the thumbprint that you set in IAM when you created your OIDC provider.

1. If the `azp` claim is present, Amazon Cognito checks its value against the client IDs listed in your IAM OIDC provider.

1. If the `azp` claim isn't present, Amazon Cognito checks the `aud` claim against the client IDs listed in your IAM OIDC provider.

The website [jwt.io](http://jwt.io/) decodes tokens so that you can inspect these claims. Use it for development tokens, or decode locally; don't paste a production user's ID token into a third-party site.

## Android
<a name="set-up-open-id-1.android"></a>

```
Map<String, String> logins = new HashMap<String, String>();
logins.put("login.provider.com", token);
credentialsProvider.setLogins(logins);
```

## iOS - Objective-C
<a name="set-up-open-id-1.ios-objc"></a>

```
credentialsProvider.logins = @{ @"login.provider.com": token };
```

## JavaScript
<a name="set-up-open-id-1.javascript"></a>

```
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
 IdentityPoolId: 'IDENTITY_POOL_ID',
 Logins: {
    'login.provider.com': token
 }
});
```

# Setting up a SAML provider as an identity pool IdP
<a name="saml-identity-provider"></a>

With Amazon Cognito identity pools, you can authenticate users with identity providers (IdPs) through SAML 2.0. You can use an IdP that supports SAML with Amazon Cognito to provide a simple onboarding flow for your users. Your SAML-supporting IdP specifies the IAM roles that your users can assume. This way, different users can receive different sets of permissions.

## Configuring your identity pool for a SAML IdP
<a name="configure-identity-pool-saml-provider"></a>

The following steps describe how to configure your identity pool to use a SAML-based IdP.

**Note**  
Before you configure your identity pool to support a SAML provider, first configure the SAML IdP in the [IAM console](https://console.aws.amazon.com/iam). For more information, see [Integrating third-party SAML solution providers with AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html) in the *IAM User Guide*.

**To add a SAML identity provider (IdP)**

1. Choose **Identity pools** from the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). Select an identity pool.

1. Choose the **User access** tab.

1. Select **Add identity provider**.

1. Choose **SAML**.

1. Choose a **SAML identity provider** from the IAM IdPs in your AWS account. If you want to add a new SAML provider, choose **Create new provider** to navigate to the IAM console.

1. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure **Role settings**.

   1. You can assign users from that IdP the **Default role** that you set up when you configured your **Authenticated role**, or you can **Choose role with rules**.

     1. If you chose **Choose role with rules**, enter the source **Claim** from your user's authentication, the **Operator** that you want to compare the claim by, the **Value** that will cause a match to this role choice, and the **Role** that you want to assign when the **Role assignment** matches. Select **Add another** to create an additional rule based on a different condition.

     1. Choose a **Role resolution**. When your user's claims don't match your rules, you can deny credentials or issue credentials for your **Authenticated role**.

1. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure **Attributes for access control**.

   1. To apply no principal tags, choose **Inactive**.

   1. To apply principal tags based on `sub` and `aud` claims, choose **Use default mappings**.

   1. To create your own custom schema of attributes to principal tags, choose **Use custom mappings**. Then enter a **Tag key** that you want to source from each **Claim** that you want to represent in a tag.

1. Select **Save changes**.

## Configuring your SAML IdP
<a name="configure-your-saml-identity-provider"></a>

After you create the SAML provider, configure your SAML IdP to add relying party trust between your IdP and AWS. With many IdPs, you can specify a URL that the IdP can use to read relying party information and certificates from an XML document. For AWS, you can use [https://signin.aws.amazon.com/static/saml-metadata.xml](https://signin.aws.amazon.com/static/saml-metadata.xml). The next step is to configure the SAML assertion response from your IdP to populate the claims that AWS needs. For details on the claim configuration, see [Configuring SAML assertions for authentication response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

When your SAML IdP includes more than one signing certificate in SAML metadata, at sign-in your identity pool determines that the SAML assertion is valid if it matches any certificate in the SAML metadata.

## Customizing your user role with SAML
<a name="role-customization-saml"></a>

When you use SAML with Amazon Cognito Identity, you can customize the role for the end user. Amazon Cognito only supports the [enhanced flow](authentication-flow.md) with a SAML-based IdP. You don't need to specify an authenticated or unauthenticated role for the identity pool to use a SAML-based IdP. The `https://aws.amazon.com/SAML/Attributes/Role` claim attribute specifies one or more comma-delimited pairs of role ARN and provider ARN. These are the roles that the user can assume. You can configure the SAML IdP to populate the role attribute based on the user attribute information available from the IdP. If you receive multiple roles in the SAML assertion, populate the optional `customRoleArn` parameter when you call `getCredentialsForIdentity`. The user assumes this `customRoleArn` only if it matches one of the roles in the claim in the SAML assertion; a role that isn't in the assertion can't be selected this way.

## Authenticating users with a SAML IdP
<a name="authenticate-user-with-saml"></a>

To federate with the SAML-based IdP, determine the URL where the user initiates the login. AWS federation uses IdP-initiated login. In AD FS 2.0, the URL takes the form of `https://<fqdn>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices`.

To add support for your SAML IdP in Amazon Cognito, first authenticate users with your SAML IdP from your iOS or Android application. The code that you use to integrate and authenticate with the SAML IdP is specific to each SAML provider. After you authenticate your user, provide the resulting SAML assertion to Amazon Cognito Identity through the Amazon Cognito APIs.

You can't repeat, or *replay*, a SAML assertion in the `Logins` map of your identity pool API request. A replayed SAML assertion has an assertion ID that duplicates the ID of an earlier API request. API operations that can accept a SAML assertion in the `Logins` map include [GetId](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html), [GetCredentialsForIdentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html), [GetOpenIdToken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html), and [GetOpenIDTokenForDeveloperIdentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html). You can replay a SAML assertion ID one time per API request in an identity pool authentication flow. For example, you can supply the same SAML assertion in a `GetId` request and a subsequent `GetCredentialsForIdentity` request, but not in a second `GetId` request.