About Us

Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.

Sunday – Thursday: 9:00AM–6:00PM (Sales), Sunday – Saturday: 24×7 / 365 (Support) E.O#3, Ground Floor, Building 01 Dubai Internet City, P.O Box 501 761 Dubai, UAE (+971) 04 516 1500
(+966) 11 462 5323
Citrus Consulting Services

Amazon Cognito and External Identity Providers

Problem Statement

For one the eCommerce portals that we were working on, one of the key requirements was to have third party identity service providers like Google, Microsoft etc. integrated. The customer wanted it because they wanted current users of these identity providers to have a seamless experience while signing-up and signing-on to their eCommerce site. In addition, the customer wanted their own Active Directory system to be another identity provider when it comes to authentication.

Additionally, the customer also wanted all standard functionalities like reset password, forgot password, email verification etc. to be not redeveloped and utilize existing cloud services.

Since it was a B2C eCommerce portal, the customer wanted to make sure that scalability factor is taken care of – it may start small but may grow up to thousands and later millions of users. The authentication infrastructure must be scalable.


Amazon Cognito is a service that enables user sign-up, sign-in and access control to web and mobile applications. Amazon Cognito can scale up to millions of users and allows sign-in with social identity providers like Facebook, Microsoft, Google etc. Also, it supports enterprise identity providers by utilizing SAML 2.0 protocol.



When a user visits the eCommerce portal for the first time, following is what happens (assuming a user that has already signed-up):

  • The web application through session management detects that the user is unauthenticated and redirects the user to Amazon Cognito and Amazon Cognito in turn sends a SAML request to the Identity Provider (IdP).
  • The IdP authenticates the user and sends a SAML response back to Amazon Cognito. The SAML response includes common attributes and a multi-value attribute for group membership.
  • Amazon Cognito handles the SAML response and maps the SAML attributes to a just-in-time user profile. The SAML groups attribute is mapped to a custom user pool attribute named custom:groups.
  • Amazon Cognito returns a JWT (JSON Web Token) token to the web application.

Ashok, is an IT professional having more than 18 years of experience specializing in the fields of IT Strategy Consulting, Enterprise Architecture, Next Gen. IT Solutions, Data Center Automation, DevOps, Cloud Computing and Technology Consulting. He has worked with large organizations like Microsoft, Cognizant, TCS and played a key role in building start-up organizations like Netmagic Solutions, Mumbai, India and GAVS Technologies, Chennai, India. He is quite adept at consulting on Microsoft Azure, Microsoft Sharepoint, AWS cloud technologies; Ansible, IPsoft and Ayehu based automation solutions; and Chef & Puppet based DevOps solutions.

Post a Comment

2 + 8 =