Configure authentication methods for managed login - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure authentication methods for managed login

You can invoke managed login pages when you want users to sign in, sign out, or reset their password. In this model, your application imports OIDC libraries to process browser-based authentication attempts with user pool managed login pages. The forms of authentication that are available to your users are dependent on the configuration of your user pool and your app client. Implement the ALLOW_USER_AUTH flow in your app client, and Amazon Cognito prompts users to select a sign-in method from the available options. Implement ALLOW_USER_PASSWORD_AUTH and assign a SAML provider, and your login pages prompt users with the option to enter their username and password or to connect with their IdP.

The Amazon Cognito user pools console can get you started with setting up managed login authentication for your application. When you create a new user pool, specify the platform you're developing for and the console gives you examples for implementation of OIDC and OAuth libraries with starter code to implement sign-in and sign-out flows. You can build managed login with many OIDC relying-party implementations. We recommend that you work with certified OIDC relying party libraries where possible. For more information, see Getting started with user pools.

Typically, OIDC relying party libraries periodically check the .well-known/openid-configuration endpoint of your user pool to determine issuer URLs like the token endpoint and authorization endpoint. As a best practice, implement this automatic-discovery behavior wherever you have the option to. Manual configuration of issuer endpoints introduces potential for error. For example, you might change your user pool domain. The path to openid-configuration isn't linked to your user pool domain, so applications that autodiscover service endpoints will automatically pick up your domain change.
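The discovery behavior described above, as an added example that is not Amazon's own code or a certified OIDC library: it derives the discovery URL from the issuer (not from the user pool domain), refuses a discovery document whose issuer does not match or whose endpoints are not HTTPS, and builds a PKCE authorization request from the discovered endpoint. The region, pool ID, domain prefix and client ID are constructed placeholders; the embedded discovery document is a constructed sample shaped like the one a user pool serves.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode, urlparse

# Amazon Cognito issuer layout; region and pool id used below are placeholders.
def issuer_url(region, user_pool_id):
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def discovery_url(region, user_pool_id):
    # Lives under the issuer, not the user pool domain: a domain change does not move it.
    return issuer_url(region, user_pool_id) + "/.well-known/openid-configuration"

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def endpoints_from_discovery(doc_json, expected_issuer):
    """Parse a discovery document; reject it unless issuer matches and endpoints are https."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: discovery document is not from the expected pool")
    eps = {}
    for key in REQUIRED:
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            raise ValueError(f"{key} missing or not https")
        eps[key] = url
    return eps

def trusts(doc_json, expected_issuer):
    try:
        endpoints_from_discovery(doc_json, expected_issuer)
        return True
    except ValueError:
        return False

def pkce_pair():
    # RFC 7636 S256: verifier kept client-side, challenge sent in the authorize request.
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(eps, client_id, redirect_uri, state, code_challenge):
    # Uses the discovered authorization_endpoint rather than a hard-coded domain.
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid email", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return eps["authorization_endpoint"] + "?" + urlencode(params)

# Constructed sample discovery document (placeholder pool id and domain prefix).
SAMPLE_DOC = json.dumps({
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "authorization_endpoint": "https://example-prefix.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-prefix.auth.us-east-1.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/jwks.json",
})
```

If the domain prefix in the sample is changed, discovery_url stays the same while the endpoints returned by endpoints_from_discovery follow the new domain, which is the property the paragraph above relies on.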

User pool settings for managed login

You might want to allow sign in with multiple providers for your application, or you might want to use Amazon Cognito as an independent user directory. You might also want to collect user attributes, set up and prompt for MFA, or require email addresses as usernames. You can't directly edit the fields in managed login and the hosted UI. Instead, the configuration of your user pool automatically sets the handling of managed-login authentication flows.

The following user pool configuration items determine the authentication methods that Amazon Cognito presents to users in managed login and the hosted UI.

User pool options (Sign-in menu)

The following options are in the Sign-in menu of a user pool in the Amazon Cognito console.

Cognito user pool sign-in options

Has options for usernames. Your managed login and hosted UI pages only accept usernames in the formats that you select. When you, for example, set up a user pool with Email as the only sign-in option, your managed login pages only accept usernames in an email format.

Required attributes

When you set an attribute as required in your user pool, managed login prompts users for a value for that attribute when they sign up.

Options for choice-based sign-in

Has settings for authentication methods in Choice-based authentication. Here, you can turn on or off authentication methods like passkey and passwordless. These methods are only available to user pools with managed login domains and feature plans above the Lite tier.

Multi-factor authentication

Managed login and the hosted UI handle registration and authentication operations for MFA. When MFA is required in your user pool, your sign-in pages automatically prompt users to set up their additional factor. They also prompt users who have an MFA configuration to complete authentication with an MFA code. When MFA is off or optional in your user pool, your sign-in pages don't prompt to set up MFA.

User account recovery

The self-service account recovery setting of your user pool determines whether your sign-in pages display a link where users can reset their password.

User pool options (Domain menu)

The following options are in the Domain menu of a user pool in the Amazon Cognito console.

Domain

Your choice of a user pool domain sets the path for the link that users open when you invoke their browsers for authentication.

Branding version

Your choice of a branding version determines whether your user pool domain displays managed login or the hosted UI.

User pool options (Social and external providers menu)

The following option is in the Social and external providers menu of a user pool in the Amazon Cognito console.

Providers

The identity providers (IdPs) that you add to your user pool can be left active or inactive for each app client in the user pool.

App client options

The following options are in the App clients menu of a user pool in the Amazon Cognito console. To review these options, select an app client from the list.

Quick setup guide

The quick setup guide has code examples for a variety of developer environments. They contain the libraries necessary to integrate managed login authentication with your application.

App client information

Edit this configuration to set assigned IdPs for the application that's represented by the current app client. On the managed login pages, Amazon Cognito displays choices for users. These choices are determined from the assigned methods and IdP. For example, if you assign a SAML 2.0 IdP named MySAML and local user pool login, your managed login pages display authentication-method prompts and a button for MySAML.

Authentication settings

Edit this configuration to set authentication methods for your application. On the managed login pages, Amazon Cognito displays choices for users. These choices are determined from the availability of the user pool as an IdP, and from the methods that you assign. For example, if you assign choice-based ALLOW_USER_AUTH authentication, your managed login pages display available choices like entering an email address and signing in with a passkey. Managed login pages also render buttons for the assigned IdPs.

Login pages

Set the visual effect of your managed login or hosted UI user-interactive pages with the options available in this tab. For more information, see Apply branding to managed login pages.