Working with custom identity providers - Amazon Transfer Family

Working with custom identity providers

To authenticate your users, you can use your existing identity provider with Amazon Transfer Family. You integrate your identity provider using an Amazon Lambda function, which authenticates and authorizes your users for access to Amazon S3 or Amazon Elastic File System (Amazon EFS). For details, see Using Amazon Lambda to integrate your identity provider. You can also access CloudWatch graphs for metrics such as number of files and bytes transferred in the Amazon Transfer Family Management Console, giving you a single pane of glass to monitor file transfers using a centralized dashboard.

Alternatively, you can provide a RESTful interface with a single Amazon API Gateway method. Transfer Family calls this method to connect to your identity provider, which authenticates and authorizes your users for access to Amazon S3 or Amazon EFS. Use this option if you need a RESTful API to integrate your identity provider or if you want to use Amazon WAF to leverage its capabilities for geo-blocking or rate-limiting requests. For details, see Using Amazon API Gateway to integrate your identity provider.

In either case, you can create a new server using the Amazon Transfer Family console or the CreateServer API operation.


We have a workshop that you can attend, in which you can build a file transfer solution. This solution leverages Amazon Transfer Family for managed SFTP/FTPS endpoints and Amazon Cognito and DynamoDB for user management. You can view the details for this workshop here.

Amazon Transfer Family provides the following options for working with custom identity providers.

For either option, you can also specify how to authenticate.

  • Password OR Key – users can authenticate with either their password or their key. This is the default value.

  • Password ONLY – users must provide their password to connect.

  • Key ONLY – users must provide their private key to connect.

  • Password AND Key – users must provide both their private key and their password to connect. The server checks the key first, and then if the key is valid, the system prompts for a password. If the private key provided does not match the public key that is stored, authentication fails.

Using multiple authentication methods to authenticate with your custom identity provider

The Transfer Family server controls the AND logic when you use multiple authentication methods. Transfer Family treats this as two separate requests to your custom identity provider; however, their effect is combined.

Both requests must return successfully with the correct response to allow the authentication to complete. Transfer Family requires the two responses to be complete, meaning they contain all of the required elements (role, home directory, policy, and the POSIX profile if you're using Amazon EFS for storage). Transfer Family also requires that the password response not include public keys.

The public key request must have a separate response from the identity provider. That behavior is unchanged when using Password OR Key or Password AND Key.

The SSH/SFTP protocol challenges the software client first with a public key authentication, then requests a password authentication. Both must succeed before the user is allowed to complete the authentication.
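The following added example (not code from this documentation) sketches an Amazon Lambda identity provider handler that answers the two separate requests described above: a password request that returns a complete response without public keys, and a key request that returns the same access elements plus the stored public keys. The user directory, salt, role ARN, bucket path, and key string are constructed placeholders, and the in-memory lookup stands in for a call to your own identity provider.

```python
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed; use a per-user salt in a real store

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed sample directory; a real function would query your identity provider.
USERS = {
    "alice": {
        "pw_hash": _hash("correct horse battery staple"),
        "public_keys": ["ssh-ed25519 AAAAPLACEHOLDERCONSTRUCTEDKEY alice@example"],
        "role": "arn:aws:iam::111122223333:role/placeholder-transfer-access",
        "home": "/placeholder-bucket/home/alice",
    }
}

def _access(user: dict) -> dict:
    # Both responses must be complete: role and home directory here
    # (add Policy, and PosixProfile for Amazon EFS, if you use them).
    return {"Role": user["role"], "HomeDirectory": user["home"]}

def lambda_handler(event, context):
    user = USERS.get(event.get("username", ""))
    if user is None:
        return {}  # an empty response means authentication failed
    password = event.get("password") or ""
    if password:
        # Password request: verify the secret and never include PublicKeys.
        if not hmac.compare_digest(_hash(password), user["pw_hash"]):
            return {}
        return _access(user)
    # Key request (no password in the event): return the stored keys;
    # the Transfer Family server matches them against the client's key.
    if event.get("protocol") != "SFTP":
        return {}  # key authentication only applies to SFTP
    return {**_access(user), "PublicKeys": list(user["public_keys"])}
```

With Password AND Key, the server invokes the function once for each request, and authentication completes only if both invocations return a non-empty, complete response.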