Creating a Cognito user pool to enable S3 bucket access via IDP credentials
ℹ️ This guide walks through the process of setting up an AWS Cognito user pool to enable your enterprise’s users to download directly from the S3 bucket that stores data using their enterprise identity provider (IDP) credentials. This approach allows the document request feature to function without requiring Confidencial to store credentials that are capable of downloading objects from your S3 bucket.
⚠️ If you have not already done so, follow the instructions in to connect your enterprise’s IDP before continuing with the steps below.
🔒 While this document recommends specific values for configuration options, administrators who are comfortable with AWS Cognito may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff if you deviate from the options prescribed below.
Open Cognito in the AWS Web Console
Click Create user pool
Under Provider types, check the Federated identity providers option
Under Cognito user pool sign-in options, check the User name option
Under Federated sign-in options, check the OpenID Connect (OIDC) option
Click Next
Under the Configure security requirements page, configure the following options:
Password policy: Leave default values (this will not be used since your users will be using their enterprise credentials, and not Cognito-managed credentials, to authenticate)
Multi-factor authentication: No MFA (Cognito-based MFA is not recommended as you may enforce MFA through your IDP instead)
Enable self-service account recovery: Uncheck (Cognito account recovery is not needed because account recovery will be managed through your IDP)
Click Next
Under the Configure sign-up experience page, configure the following options:
Enable self-registration: Uncheck (new account creation will be managed through your IDP)
Allow Cognito to automatically send messages to verify and confirm: Uncheck (new account creation will be managed through your IDP)
Click Next
Under the Configure message delivery page, select Send email with Cognito (note that these settings are not relevant since Cognito will not need to send emails to your enterprise users)
Click Next
Under the Set up OpenID Connect federation with this user pool section, enter the following values that can be obtained from the Confidencial application configuration in your IDP:
ℹ️ See for the steps that were taken to create the Confidencial application in your IDP
Provider name: Enter a name to refer to your IDP instance (e.g. Entra ID - Production or Okta - Sandbox)
Client ID: Enter the client ID from your IDP’s Confidencial application
Client Secret: Enter the client secret from your IDP’s Confidencial application
Authorized scopes: openid profile email offline_access
Attribute request method: GET
Retrieve OIDC endpoints / Setup method: Auto fill through issuer URL
Issuer URL: Enter the issuer URL from your IDP’s Confidencial application
User pool attribute / email: email
Click Next
Under the Integrate your app page, enter the following values:
User pool name: confidencial
Domain type: Use a Cognito domain
Cognito domain: Enter a globally-unique name for your domain (e.g. confidencial-yourenterprisename)
App type: Public client
App client name: confidencial
Client secret: Don't generate a client secret
Allowed callback URLs: https://my.confidencial.io/auth?ref=cognito
⚠️ NOTE: This URL will be different if you are operating in a sandbox environment. Please contact your Confidencial technical support representative if you are using a sandbox environment.
Under Advanced app client settings / Identity providers, click the “X” to remove the Cognito user pool option, leaving only the identity provider you named earlier
Under Advanced app client settings / OpenID Connect scopes, click the “X” to remove the Phone option, leaving only the OpenID and Email options
Click Next
Review that your configuration is correct and click Create user pool
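As an added check after creating the user pool (example code written for this guide, not Confidencial's or AWS's own tooling), the following Python audits the objects returned by the Cognito API calls DescribeUserPool, DescribeUserPoolClient and DescribeIdentityProvider against the values prescribed above, so drift such as a leftover Cognito sign-in option or phone scope is caught before users are granted S3 access. The sample responses, including the provider name EntraID-Production, are constructed.

```python
EXPECTED_CALLBACK = "https://my.confidencial.io/auth?ref=cognito"
EXPECTED_IDP_SCOPES = {"openid", "profile", "email", "offline_access"}
EXPECTED_CLIENT_SCOPES = {"openid", "email"}


def audit_pool(pool: dict, client: dict, idp: dict) -> list:
    """Return deviations from the guide; an empty list means the pool matches it."""
    findings = []
    if pool.get("MfaConfiguration") != "OFF":
        findings.append("MFA is enabled in Cognito; the guide defers MFA to the IDP")
    if not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False):
        findings.append("self-registration is enabled; accounts must come from the IDP")
    if pool.get("AutoVerifiedAttributes"):
        findings.append("Cognito auto-verification is on; the IDP verifies identities")
    if "ClientSecret" in client:
        findings.append("app client has a secret; a public client must not")
    if client.get("CallbackURLs") != [EXPECTED_CALLBACK]:
        findings.append(f"callback URLs must be exactly [{EXPECTED_CALLBACK}]")
    if "COGNITO" in client.get("SupportedIdentityProviders", []):
        findings.append("Cognito user pool sign-in is still allowed on the app client")
    if set(client.get("AllowedOAuthScopes", [])) != EXPECTED_CLIENT_SCOPES:
        findings.append("app client scopes must be openid and email only")
    details = idp.get("ProviderDetails", {})
    if set(details.get("authorize_scopes", "").split()) != EXPECTED_IDP_SCOPES:
        findings.append("IDP authorized scopes differ from the guide")
    if details.get("attributes_request_method") != "GET":
        findings.append("attribute request method must be GET")
    if idp.get("AttributeMapping", {}).get("email") != "email":
        findings.append("email attribute is not mapped to the IDP email claim")
    return findings


# Constructed sample API responses (not real account data) matching the guide.
COMPLIANT_POOL = {"MfaConfiguration": "OFF", "AutoVerifiedAttributes": [],
                  "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
COMPLIANT_CLIENT = {"ClientName": "confidencial",
                    "CallbackURLs": [EXPECTED_CALLBACK],
                    "SupportedIdentityProviders": ["EntraID-Production"],
                    "AllowedOAuthScopes": ["openid", "email"]}
COMPLIANT_IDP = {"ProviderType": "OIDC",
                 "ProviderDetails": {"authorize_scopes": "openid profile email offline_access",
                                     "attributes_request_method": "GET"},
                 "AttributeMapping": {"email": "email"}}
# Same app client, but with the two defaults the guide says to remove left in place.
DRIFTED_CLIENT = dict(COMPLIANT_CLIENT,
                      SupportedIdentityProviders=["COGNITO", "EntraID-Production"],
                      AllowedOAuthScopes=["openid", "email", "phone"])
```

Feed the function the `UserPool`, `UserPoolClient` and `IdentityProvider` members of the live API responses; any non-empty result should be resolved before proceeding to the identity pool steps.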
Open Cognito in the AWS Web Console
Click Identity pools in the left sidebar menu
Click Create identity pool
For User access, select Authenticated access
For Authenticated identity sources, select Amazon Cognito user pool
Click Next
For IAM role, select Create a new IAM role
For IAM role name, enter confidencial-users
Click Next
Under the Connect identity providers page, enter the following values:
User pool ID: Select the ID of the user pool that you created in the previous section
App client ID: Select the ID of the application you created in the previous section
Role selection: Use default authenticated role
Claim mapping: Inactive
Click Next
Under the Configure properties page, enter the following values:
Name: confidencial-users
Click Next
Review that your configuration is correct and click Create identity pool