Amazon Cognito introduces inbound federation Lambda triggers that enable you to transform and customize federated user attributes during the authentication process. You can now modify responses from external SAML and OIDC providers before they are stored in your user pool, providing complete programmatic control over the federation flow without requiring changes to your identity provider configuration..
Inbound federation Lambda trigger addresses current limitations in federated authentication workflows, particularly issues caused by attribute size limits and the need for selective attribute storage from external identity providers. For example, large group attributes from external SAML or OIDC identity providers that exceed Cognito’s 2,048 character limit per attribute can block the authentication flow. This capability allows you to add, override, or suppress attribute values, such as modifying large group attributes, before creating new federated users or updating existing federated user profiles in Cognito.
The new inbound federation Lambda trigger is available through hosted UI (classic) and managed login in all AWS Regions where Amazon Cognito is available. To get started, configure the trigger using the AWS Management Console, AWS Command Line Interface (CLI), AWS Software Development Kits (SDKs), Cloud Development Kit (CDK), or AWS CloudFormation by adding the new parameter to your User Pool LambdaConfig. To learn more, see the Amazon Cognito Developer Guide for implementation examples and best practices.
Categories: general:products/amazon-cognito,marketing:marchitecture/security-identity-and-compliance
Source: Amazon Web Services
