Creating a Cognito user pool to enable S3 bucket access via IDP credentials
This guide walks through the process of setting up an AWS Cognito user pool to enable your enterprise’s users to download directly from the S3 bucket that stores secure document request data using their enterprise identity provider (IDP) credentials. This approach allows the document request feature to function without requiring Confidencial to store credentials that are capable of downloading objects from your S3 bucket.
If you have not already done so, follow the instructions in Connecting your identity provider to Confidencial to connect your enterprise’s IDP before continuing with the steps below
While this document recommends specific values for configuration options, administrators that are comfortable with AWS Cognito may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff If deviating from the options prescribed below.
Creating the user pool
- Open Cognito in the AWS Web Console
- Click Create user pool
- Under Provider types, check the Federated identity providers option
- Under Cognito user pool sign-in options, check the User name option
- Under Federated sign-in options, check the OpenID Connect (OIDC) option
- Click Next
- Under the Configure security requirements page, configure the following options:
- Password policy: Leave default values (this will not be used since your users will be using their enterprise credentials, and not Cognito-managed credentials, to authenticate)
- Multi-factor authentication: No MFA (Cognito-based MFA is not recommended as you may enforce MFA through your IDP instead)
- Enable self-service account recovery: Uncheck (Cognito account recovery is not needed because account recovery will be managed through your IDP)
- Click Next
- Under the Configure sign-up experience page, configure the following options:
- Enable self-registration: Uncheck (new account creation will be managed through your IDP)
- Allow Cognito to automatically send messages to verify and confirm: Uncheck (new account creation will be managed through your IDP)
- Click Next
- Under the Configure message delivery page, select Send email with Cognito (note that these settings are not relevant since Cognito will not need to send emails to your enterprise users)
- Click Next
- Under the Set up OpenID Connect federation with this user pool section, enter the following values that can be obtained from the Confidencial application configuration in your IDP:
- Provider name: Enter a name to refer to your IDP instance (e.g.
Entra ID - Production
orOkta - Sandbox
) - Client ID: Enter the client ID from your IDP’s Confidencial application
- Client Secret: Enter the client secret from your IDP’s Confidencial application
- Authorized scopes:
openid profile email offline_access
- Attribute request method: GET
- Retrieve OIDC endpoints / Setup method: Auto fill through issuer URL
- Issuer URL: Enter the issuer URL from your IDP’s Confidencial application
- User pool attribute / email:
email
See Connecting your identity provider to Confidencial for the steps that were taken to create the Confidencial application in your IDP
- Click Next
- Under the Integrate your app page, enter the following values:
- User pool name:
confidencial
- Domain type: Use a Cognito domain
- Cognito domain: Enter a globally-unique name for your domain (e.g.
confidencial-yourenterprisename
) - App type: Public client
- App client name:
confidencial
- Client secret: Don't generate a client secret
- Allowed callback URLs:
https://my.confidencial.io/auth?ref=cognito
NOTE: This URL will be different if you are operating in a sandbox environment. Please contact your Confidencial technical support representative if you are using a sandbox environment.
- Under Advanced app client settings / Identity providers, click the “X” to remove the Cognito user pool option, leaving only the identity provider you named earlier
- Under Advanced app client settings / OpenID Connect scopes, click the “X” to remove the Phone option, leaving only the OpenID and Email options
- Click Next
- Review that your configuration is correct and click Create user pool
Creating the identity pool
- Open Cognito in the AWS Web Console
- Click Identity pools in the left sidebar menu
- Click Create identity pool
- For User access, select Authenticated access
- For Authenticated identity sources, select Amazon Cognito user pool
- Click Next
- For IAM role, select Create a new IAM role
- For IAM role name, enter
confidencial-users
- Click Next
- Under the Connect identity providers page, enter the following values:
- User pool ID: Select the ID of the user pool that you created in the previous section
- App client ID: Select the ID of the application you created in the previous section
- Role selection: Use default authenticated role
- Claim mapping: Inactive
- Click Next
- Under the Configure properties page, enter the following values:
- Name:
confidencial-users
- Click Next
- Review that your configuration is correct and click Create identity pool