WHAT YOU'LL LEARN
  • what Cognito Federation is and when to use it
  • how to add external identity providers to the login screen
  • how federated users are synced into Webiny
  • how to customize identity mapping and login screen behavior

Overview
anchor

By default, Webiny uses a Cognito User Pool where admin users are created manually through the Admin app. Cognito Federation lets you connect external identity providers — Google, Microsoft Entra ID, Facebook, Apple, or any OIDC-compatible provider — so users can sign in with their existing corporate or social credentials.

Unlike switching to Okta or Auth0 (which replace Cognito entirely), federation keeps Cognito as your user pool. The external provider handles authentication; Cognito issues the tokens; Webiny manages the users.

What Happens When a Federated User Signs In
anchor

  1. The user clicks a provider button (e.g., “Sign in with Microsoft”) on the login screen.
  2. Cognito redirects to the external identity provider.
  3. After authentication, Cognito creates a session with an idToken that includes an identities claim.
  4. Webiny detects the identities claim and marks the user as external.
  5. On first login, the user is automatically created in Webiny with the roles and teams derived from token claims.
  6. On subsequent logins, the user profile is updated if claims have changed.

External users appear in the Admin app’s user management with a read-only badge — they cannot be edited or deleted through the UI since they are managed by the external identity provider.

Configuring Federation
anchor

Add a federation prop to the <Cognito /> extension in your webiny.config.tsx. This single declaration handles:

  • AWS infrastructure — creates the Cognito User Pool Domain, Identity Provider resources, and configures OAuth on the User Pool Client
  • Admin login screen — shows provider buttons and configures Amplify for the OAuth redirect flow
webiny.config.tsx

Federation Config Reference
anchor

FieldTypeRequiredDefaultDescription
domainstringYesCognito User Pool domain prefix
callbackUrlsstring[]YesOAuth callback URLs (localhost for dev, real domain for prod)
logoutUrlsstring[]Nosame as callbackUrlsOAuth logout redirect URLs
responseType"code" or "token"No"code"OAuth response type
allowCredentialsLoginbooleanNotrueWhether to show the email/password form alongside provider buttons
identityProvidersarrayYesList of external identity providers

Identity Provider Config
anchor

FieldTypeRequiredDescription
type"google", "facebook", "amazon", "apple", or "oidc"YesProvider type
namestringFor OIDCProvider name in Cognito (e.g., "EntraID")
labelstringYesButton text on the login screen
providerDetailsobjectYesAWS Cognito provider details — varies by type
attributeMappingobjectNoOverride default claim-to-attribute mapping

For OIDC providers, providerDetails must include client_id, client_secret, and oidc_issuer. For social providers (Google, Facebook, etc.), see the AWS documentationexternal link for the required fields.

SSO-Only Mode
anchor

To hide the email/password form and show only the federated provider buttons, set allowCredentialsLogin: false:

The login screen will display a description telling users they’ll be redirected to an external service.

Custom Identity Mapping
anchor

By default, federated users are created in Webiny with the full-access role. To control how token claims map to Webiny roles and teams, provide an apiConfig extension:

webiny.config.tsx
extensions/cognito/api.ts

You only need to return the fields you want to override. Default values for id, displayName, and profile are automatically derived from standard Cognito token claims (custom:id, given_name, family_name, email).

Custom Login Screen Behavior
anchor

For advanced login screen customization — such as IP-based credential whitelisting or custom provider buttons — provide an adminConfig extension that implements CognitoSignInConfig:

webiny.config.tsx
extensions/cognito/admin.tsx

Because getConfig() is async, you can perform runtime checks before returning the config:

extensions/cognito/admin.tsx

Setting It Up With AI
anchor

If you have the Webiny MCP server connected, you can configure federation with a single prompt:

Set up Cognito Federation with Microsoft Entra ID. My tenant ID is 0ae3d912-..., client ID is f62ee823-..., and client secret is ~Hp8Q~.... Use SSO-only mode — no password login. Map all federated users to the full-access role.

The AI assistant has access to the webiny-cognito-federation and webiny-configure-entraid skills and will generate the complete configuration.

Deploy Order
anchor

  1. Deploy Core — creates the Cognito User Pool Domain and Identity Provider resources

  2. Configure the external IdP — update the redirect URI in your identity provider’s settings to: https://{cognitoUserPoolDomain}/oauth2/idpresponse (get the domain from yarn webiny output core --env=dev)

  3. Deploy API + Admin