15

I'm using Cognito federated login with Google as the identity provider. The requirement is to only allow the users of my company (with domain as xxx@mycompany.com).

Any ideas on how and where to configure such rules would be much appreciated. Or kindly point me to the right documentation.

Thank you,

sowdri

3 Answers

14

I was able to achieve that with a pre-signup Lambda trigger; I couldn't find a way to restrict access using configuration only.

This is my lambda function code:

```javascript
exports.handler = (event, context, callback) => {
    console.log("Trigger function =", event.triggerSource);

    // Allow the sign-up only when the email attribute ends with the company domain;
    // the request is logged to CloudWatch either way.
    if (event.request.userAttributes.email.endsWith('@mydomain.com')) {
        console.log("Authentication successful: ", event.request);
        callback(null, event);
    } else {
        console.log("Authentication failed: ", event.request);
        // A non-null first argument makes Cognito reject the sign-up with this message.
        callback("can't connect to admin", event);
    }
};
```
LiorH
Thank you @LiorH, do you happen to know how to edit the error message, so you don't get it prefixed with "PreSignUp failed with error" (before your "can't connect to admin")? – Andrew Apr 29 '22 at 20:35
1

You could reasonably build this validation into one of the lambda hooks that gets triggered during the user's registration/sign in flow.

Jeff Bailey
1

Lambda triggers only work for Cognito User Pool, not Cognito Identity Pool.

This question has been answered here: Restrict login to Enterprise Google Domain for AWS Federated Identity Pool

olidoodle