Learn how to use Amazon Cognito to build the user identity management workflows, including user on-boarding, sign-up, and sign-on for mobile and web applications. Learn how to customize the look and feel of the UI and UX of the screens and pages, integrate with third-party social identity providers such as Facebook, Google, and Twitter, and use SAML to federate with enterprise directory services.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Implement User Onboarding,
Sign-up, and Sign-in for Mobile and
Web Applications with Amazon
Cognito
A d r i a n H a l l , A W S S e n i o r D e v e l o p e r A d v o c a t e , A W S M o b i l e A p p l i c a t i o n s
T i m H u n t , A W S S r . P r o d u c t M a n a g e r , T e c h , A W S M o b i l e
M B L 3 0 5
N o v e m b e r 2 9 , 2 0 1 7
AWS re:INVENT

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security and access Customer ownership Experience Customer relationships
Why identity is important for your app

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Minimize user friction Prepare for success (scale)Put security first
Getting identity right

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS credentials and access control OpenID Connect and OAUth 2.0
Managed user directory Sign in with existing identities (federation) Customizable, hosted UI or SDK
Amazon Cognito

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito: Identity scenarios
Business to consumer Business to business
Business to employee IoT scenarios
Enterprise
directoryEnterprise
directory
SAML
Enterprise
directory
SAML
AWS IoT

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito User Pools
Easily add user sign-up and
sign-in to your mobile and
web apps without worrying
about server infrastructure
Serverless authentication
and user management
Verify phone numbers and
email addresses and offer
multifactor authentication
Enhanced security
features
Launch a simple, secure,
low-cost, and fully managed
service to create and
maintain a user directory
that scales to hundreds of
millions of users
Managed user directory
1 2 3

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Comprehensive user flows
Email or phone
number verification
Forgot password
User sign-up and
sign-in
Require users to verify their email address or phone number before activating
their account with a one-time password challenge
Provide users the ability to change their forgotten password with a one-time
password challenge
Allow users to sign up and sign in using an email address, phone number, or
username (and password) for your application
User profile data Enable users to view and update their profile data—including custom attributes
SMS multifactor
authentication
Require users to complete a second factor of authentication by inputting a
security code received via SMS as part of the sign-in flow
Customize these user flows using AWS Lambda
Token-based
authentication
Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth
2.0 standards for user authentication in your backend

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Custom user flows using Lambda
Category Lambda hook Example scenarios
Custom
authentication
flow
Define auth challenge Determines the next challenge in a custom auth flow
Create auth challenge Creates a challenge in a custom auth flow
Verify auth challenge response Determines whether a response is correct in a custom auth flow
Authentication
events
Pre-authentication Custom validation to accept or deny the sign-in request
Post-authentication Event logging for custom analytics
Pre-token generation Customize claims in the Id token
Sign up
Pre-sign-up Custom validation to accept or deny the sign-up request
Post-confirmation Custom welcome messages or event logging for custom analytics
Messages Custom message Advanced customization and localization of messages
NEW

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Extensive admin capabilities
Define custom
attributes
Set per-app
permissions
Set up password
policies
Create and manage
user pools
Define custom attributes for your user profiles
Set read and write permissions for each user attribute on a per-app basis
Enforce password policies such as minimum length and requirement of
certain types of characters
Create, configure, and delete multiple user pools across AWS regions
Require submission
of attribute data
Select which attributes must be provided by the user before completion of
the sign-up process
Search users
Search users based on a full match or a prefix match of their attributes
through the console or admin API
Manage users
Conduct admin actions, such as reset user password, confirm user, enable
MFA, delete user, and global sign-out

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customize our built-in UI or create your
own
Upload your own
logo and adjust CSS
properties to fit
your style and
branding
Integrate your
native UI with
our SDKs

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Federation with Cognito user pools
• Built-in integrations with identity
providers
• Social: Facebook, Google, log in with
Amazon
• Corporate via SAML 2.0
• Map user attributes into user pool
profiles
• Universal directory with common set
of profiles and tokens for all users
CUP
token
Cognito user pool

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Support for OAuth 2.0 in Cognito user
pools
• OAuth 2.0 flows:
• Authorization code grant
• Implicit flow
• Client credentials
• Custom scopes defined for resource
servers

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cognito Federated Identities
(identity pools)
• Exchanges tokens from
authenticated users for AWS
credentials to access resources such
as Amazon S3 or Amazon
DynamoDB
• You can define rules for mapping
users to different IAM roles to
manage permissions
• Provides an identity pool ID to
uniquely identify users
Cognito
identity pool
AWS credentials
/ / etc
token
Mobile or web app
DynamoDB
Amazon S3
API GW
Access backend
resources
—tied to IAM role
1
3
2

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito for authentication &
access
Get AWS
credentials
Cognito
identity pool
DynamoDB Amazon S3
Access AWS services
Federating
IdP
Cognito user
pool
• User pools authenticate
users and return standard
tokens
• User pool tokens are used
to access backend
resources
• Identity pools provide AWS
credentials to access AWS
services
Authenticate
3
CUP
token1
IdP
token
2
Redirect/
post back
CUP
token
5
6
Access serverless backendCUP
token
API Gateway
4
Lambda

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito: Authorization scenarios
Standalone Identity Provider Amazon API Gateway AWS credentials
Resources
• OIDC and OAuth 2.0 tokens
from user pools can be used
directly to access backend
resources
CUP
token
CUP
token
CUP
token
CUP
token
AWS IAM
AWS
credentials
AWS Services
Amazon S3DynamoDBLambda
• User pool tokens authorize
requests via API Gateway
• Token claims can be inspected
• Temporary AWS credentials
provide access to AWS
services
• Users can be mapped to
different roles and policies
API
Gateway

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Pinpoint and Amazon Cognito
Amazon Pinpoint Amazon Cognito
Integration
Enriches user data for Pinpoint campaigns
Provides analytics for Cognito User Pool activities

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced security features Beta
Protections against
1. Compromised credentials
2. Anomalous sign-in attempts

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced security: Compromised
credentials
Detect, in real time, the reuse of
compromised credentials as users sign-up,
sign-in, or change their password
Choose whether to block users from reusing
compromised credentials

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced security: Adaptive
authentication
Detect anomalies during sign-in events including:
o Sign-in from previously unseen or atypical location, from
previously unknown device
o Sign-in from IP addresses with a high number of failed
sign-in attempts
o Sign-in from malicious IP addresses
Choose factors to secure sign-in requests for a
given risk level
o Factors include SMS and TOTP (e.g., Google
Authenticator)
Alert users to suspicious sign-in attempts

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced security: Reporting
View aggregate metrics on the threats detected
by each feature
List users against whom threats were detected,
and recent sign-in activity for users

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting started with Amazon Cognito
Visit aws.amazon.com/cognito/dev-resources/ for links to:
 Getting started guides
 Documentation, SDKs, and sample apps
 Videos
 Presentation slides
 Blog posts
 Developer forums

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ask questions/Tweet/Get a T-shirt
Visit the AWS Mobile booth Wednesday between
noon and 6 p.m. to ask questions of the Amazon
Cognito Engineering team
Be among the first 25 to show a tweet
about how you are using or will use
Amazon Cognito with #amazoncognito
and get a T-shirt!

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
P l e a s e r e m e m b e r t o c o m p l e t e t h e s u r v e y
M B L 3 0 5