Tags: amazon-web-services, single-sign-on, amazon-cognito, saml

Is it possible to integrate a single AWS Cognito pool with several SSO identity providers?


I'm trying to understand the relationship between Cognito user pools and external identity providers via SAML.

What I have at the moment

I have a ReactJS application which uses the Amplify library, backed by AWS Cognito. The application is multi-tenanted, and users from different tenants belong in the same user pool. They are separated by their group and a custom attribute. I use CloudFormation and the Serverless Framework to deploy my stack.

Currently, I have custom login forms, which communicate with the Amplify library to log in the user.

The goal

In addition to giving clients the option to make their own accounts on my platform, I want to provide an option to authenticate via SAML from an external identity provider. The goal is to allow each client to log in to the web application using their own Single Sign-On.

My prior research
  1. I've seen AWS's example on how to actually deploy a user pool supporting SAML.
  2. I've read Azure's guide on integrating with Cognito.
  3. I have an understanding of the SAML authentication flow.

The question

Is it possible to attach each of these external identity providers to the same user pool, or will I have to deploy a new user pool for each new client I want to onboard?

Thank you very much


Solution

  • Yes, it is possible to add multiple external IdPs to a user pool. But there is an upper limit of 1000 identity providers per user pool, so you can add up to 1000 customers. And if you go with a user pool per customer, then there is a limit of 10 000 user pools per AWS account.

    So consider those limits when you are choosing an option.

    One other option is to support login with IdPs like Google, Microsoft, etc. So companies (customers) who use them as their IdPs can rely on that, without specifically configuring SSO. (You can group the users based on the domain.)
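As an added illustration of the first point (one user pool, several SAML providers), the CloudFormation fragment below declares a single user pool, two `AWS::Cognito::UserPoolIdentityProvider` resources of type SAML, and one app client that lists both providers. This is example code written for this page, not the asker's stack or an AWS-published template; the tenant names, metadata URLs, callback URLs and domain prefix are placeholders that a real deployment replaces.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: One Cognito user pool shared by several SAML tenants (added example, placeholder values)

Resources:
  TenantUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: shared-tenant-pool
      UsernameAttributes: [email]
      AutoVerifiedAttributes: [email]
      Schema:
        # Becomes custom:tenant; used by the app to separate tenants within the pool.
        - Name: tenant
          AttributeDataType: String
          Mutable: true

  HostedUiDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref TenantUserPool
      Domain: example-tenant-login        # placeholder; must be globally unique

  # One SAML provider per onboarded customer. Cognito fetches the IdP metadata
  # (signing certificate, SSO endpoint) from MetadataURL at deploy time.
  AcmeSamlIdp:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref TenantUserPool
      ProviderName: AcmeCorp
      ProviderType: SAML
      ProviderDetails:
        MetadataURL: https://idp.acme.example/metadata.xml   # placeholder
      AttributeMapping:
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      # Optional: lets the app route by the user's e-mail domain (idp_identifier)
      # instead of exposing the provider name.
      IdpIdentifiers: [acme.example]

  GlobexSamlIdp:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref TenantUserPool
      ProviderName: GlobexCorp
      ProviderType: SAML
      ProviderDetails:
        MetadataURL: https://sso.globex.example/metadata.xml  # placeholder
      AttributeMapping:
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      IdpIdentifiers: [globex.example]

  WebAppClient:
    Type: AWS::Cognito::UserPoolClient
    # The client can only reference providers that already exist in the pool.
    DependsOn: [AcmeSamlIdp, GlobexSamlIdp]
    Properties:
      UserPoolId: !Ref TenantUserPool
      ClientName: react-web-app
      GenerateSecret: false                 # public SPA client; use the code flow
      SupportedIdentityProviders:
        - COGNITO                           # self-registered accounts keep working
        - AcmeCorp
        - GlobexCorp
      CallbackURLs: [https://app.example.com/callback]   # placeholder
      LogoutURLs: [https://app.example.com/logout]       # placeholder
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]
      AllowedOAuthScopes: [openid, email, profile]
```

Onboarding another customer is then one more `UserPoolIdentityProvider` resource plus an entry in `SupportedIdentityProviders`, up to the per-pool limit the answer mentions. For tenant separation, derive the user's tenant from the provider that actually authenticated them (Cognito records it in the `identities` attribute of the federated user) rather than from the e-mail address the user typed into the login form, since the latter is chosen by the user and only selects which IdP to redirect to.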