Reputation: 2243
I'm using Cognito federated login with Google as the identity provider. The requirement is to only allow the users of my company (with domain as [email protected]).
Any ideas on how and where to configure such rules would be much appreciated. Or kindly point me to the right documentation.
Thank you,
Upvotes: 15
Views: 6020
Reputation: 129
Lambda triggers only work for Cognito User Pools, not Cognito Identity Pools.
This question has been answered here: Restrict login to Enterprise Google Domain for AWS Federated Identity Pool
Upvotes: 1
Reputation: 18824
I was able to achieve that with a pre-signup Lambda trigger; I couldn't find a way to restrict access using configuration only.
This is my Lambda function code:
```javascript
exports.handler = (event, context, callback) => {
  console.log("Trigger function =", event.triggerSource);
  // Send post authentication data to CloudWatch Logs
  if (event.request.userAttributes.email.endsWith('@mydomain.com')) {
    console.log("Authentication successful: ", event.request);
    callback(null, event); // allow the sign-up to continue
  } else {
    console.log("Authentication failed: ", event.request);
    callback("can't connect to admin", event); // reject the sign-up
  }
};
```
Upvotes: 14
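As an added example that is not the answerer's code, here is a variant of the same pre-signup check that compares the exact email domain (case-insensitively) against an allow-list and does not throw when the event carries no email attribute; the allow-list, the function names and the sample event are assumptions for illustration.

```javascript
// Assumed allow-list of company domains; replace with your own.
const ALLOWED_DOMAINS = ['mydomain.com'];

// Return the lower-cased domain part of an address, or null if it is unusable.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Exact match only: a suffix match without the '@' would let
// "user@evil-mydomain.com" through, and subdomains are rejected too.
function isAllowedEmail(email, allowedDomains = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  return domain !== null && allowedDomains.includes(domain);
}

// Synchronous decision so the logic is unit-testable outside Lambda.
// Never throws on a malformed event; a missing email is simply denied.
function checkSignUp(event) {
  const attrs = (event && event.request && event.request.userAttributes) || {};
  if (!isAllowedEmail(attrs.email)) {
    return { allowed: false, reason: 'email domain not allowed' };
  }
  return { allowed: true, reason: 'ok' };
}

// Lambda entry point: returning the event lets Cognito continue the
// sign-up; throwing makes Cognito reject it with this message.
async function handler(event) {
  const result = checkSignUp(event);
  console.log(JSON.stringify({ triggerSource: event && event.triggerSource, ...result }));
  if (!result.allowed) throw new Error(result.reason);
  return event;
}

// Constructed sample of a federated pre-signup event (shape trimmed).
const SAMPLE_EVENT = {
  triggerSource: 'PreSignUp_ExternalProvider',
  request: { userAttributes: { email: 'Alice@MyDomain.com' } },
  response: {},
};

if (typeof module !== 'undefined') {
  module.exports = { handler, checkSignUp, isAllowedEmail, emailDomain, SAMPLE_EVENT };
}
```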
Reputation: 5775
You could reasonably build this validation into one of the Lambda hooks that gets triggered during the user's registration/sign-in flow.
Upvotes: 1