Creating a Cognito user pool to enable S3 bucket access via IDP credentials

Last updated 1 month ago

ℹ️ This guide walks through the process of setting up an AWS Cognito user pool to enable your enterprise’s users to download directly from the S3 bucket that stores data using their enterprise identity provider (IDP) credentials. This approach allows the document request feature to function without requiring Confidencial to store credentials that are capable of downloading objects from your S3 bucket.

⚠️ If you have not already done so, follow the instructions in Connecting your identity provider to Confidencial to connect your enterprise’s IDP before continuing with the steps below.

🔒 While this document recommends specific values for configuration options, administrators who are comfortable with AWS Cognito may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff if deviating from the options prescribed below.

Creating the user pool

  1. Open Cognito in the AWS Web Console

  2. Click Create user pool

  3. Under Provider types, check the Federated identity providers option

  4. Under Cognito user pool sign-in options, check the User name option

  5. Under Federated sign-in options, check the OpenID Connect (OIDC) option

  6. Click Next

  7. Under the Configure security requirements page, configure the following options:

    1. Password policy: Leave default values (this will not be used since your users will be using their enterprise credentials, and not Cognito-managed credentials, to authenticate)

    2. Multi-factor authentication: No MFA (Cognito-based MFA is not recommended as you may enforce MFA through your IDP instead)

    3. Enable self-service account recovery: Uncheck (Cognito account recovery is not needed because account recovery will be managed through your IDP)

  8. Click Next

  9. Under the Configure sign-up experience page, configure the following options:

    1. Enable self-registration: Uncheck (new account creation will be managed through your IDP)

    2. Allow Cognito to automatically send messages to verify and confirm: Uncheck (new account creation will be managed through your IDP)

  10. Click Next

  11. Under the Configure message delivery page, select Send email with Cognito (note that these settings are not relevant since Cognito will not need to send emails to your enterprise users)

  12. Click Next

  13. Under the Set up OpenID Connect federation with this user pool section, enter the following values, which can be obtained from the Confidencial application configuration in your IDP:

    ℹ️ See Connecting your identity provider to Confidencial for the steps that were taken to create the Confidencial application in your IDP

    1. Provider name: Enter a name to refer to your IDP instance (e.g. Entra ID - Production or Okta - Sandbox)

    2. Client ID: Enter the client ID from your IDP’s Confidencial application

    3. Client Secret: Enter the client secret from your IDP’s Confidencial application

    4. Authorized scopes: openid profile email offline_access

    5. Attribute request method: GET

    6. Retrieve OIDC endpoints / Setup method: Auto fill through issuer URL

    7. Issuer URL: Enter the issuer URL from your IDP’s Confidencial application

    8. User pool attribute / email: email

  14. Click Next

  15. Under the Integrate your app page, enter the following values:

    1. User pool name: confidencial

    2. Domain type: Use a Cognito domain

    3. Cognito domain: Enter a globally-unique name for your domain (e.g. confidencial-yourenterprisename)

    4. App type: Public client

    5. App client name: confidencial

    6. Client secret: Don't generate a client secret

    7. Allowed callback URLs: https://my.confidencial.io/auth?ref=cognito

      ⚠️ NOTE: This URL will be different if you are operating in a sandbox environment. Please contact your Confidencial technical support representative if you are using a sandbox environment.

  16. Under Advanced app client settings / Identity providers, click the “X” to remove the Cognito user pool option, leaving only the identity provider you named earlier

  17. Under Advanced app client settings / OpenID Connect scopes, click the “X” to remove the Phone option, leaving only the OpenID and Email options

  18. Click Next

  19. Review that your configuration is correct and click Create user pool

Creating the identity pool

  1. Open Cognito in the AWS Web Console

  2. Click Identity pools in the left sidebar menu

  3. Click Create identity pool

  4. For User access, select Authenticated access

  5. For Authenticated identity sources, select Amazon Cognito user pool

  6. Click Next

  7. For IAM role, select Create a new IAM role

  8. For IAM role name, enter confidencial-users

  9. Click Next

  10. Under the Connect identity providers page, enter the following values:

    1. User pool ID: Select the ID of the user pool that you created in the previous section

    2. App client ID: Select the ID of the application you created in the previous section

    3. Role selection: Use default authenticated role

    4. Claim mapping: Inactive

  11. Click Next

  12. Under the Configure properties page, enter the following values:

    1. Name: confidencial-users

  13. Click Next

  14. Review that your configuration is correct and click Create identity pool
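Once both pools exist, it is worth confirming that the settings the two sections above prescribe (admin-only account creation, no Cognito MFA, a public app client without a secret, only the federated provider and only the openid/email scopes, the single callback URL, and an identity pool that admits no unauthenticated identities and trusts only this user pool) are still in place, since a later console edit can silently widen access to the bucket. The script below is an added example, not part of the Confidencial documentation or product: it takes dictionaries shaped like the responses of boto3's `describe_user_pool`, `describe_user_pool_client` and `describe_identity_pool` calls and returns a list of findings. The pool IDs, client ID, region and provider name in the sample data are constructed placeholders, and `audit_user_pool` / `audit_identity_pool` are names chosen for this example.

```python
"""Audit a Cognito user pool and identity pool against the settings in the guide.

Added example (not Confidencial's code). The input dictionaries are shaped like
boto3 responses:
  cognito-idp.describe_user_pool(...)["UserPool"]
  cognito-idp.describe_user_pool_client(...)["UserPoolClient"]
  cognito-identity.describe_identity_pool(...)
The sample values below are constructed placeholders, not real account data.
"""

# The guide leaves only the OpenID and Email scopes on the app client.
EXPECTED_SCOPES = {"openid", "email"}


def audit_user_pool(pool, client, provider_name, callback_url):
    """Return a list of findings; an empty list means the pool matches the guide."""
    findings = []
    # Self-registration must be off: accounts come only from the IDP.
    if not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False):
        findings.append("self-registration is enabled; accounts should be created only via the IDP")
    # MFA is enforced by the IDP, not by Cognito.
    if pool.get("MfaConfiguration", "OFF") != "OFF":
        findings.append("Cognito MFA is enabled; the guide delegates MFA to the IDP")
    # Public client: no client secret should exist.
    if "ClientSecret" in client:
        findings.append("app client has a client secret; the guide specifies a public client")
    idps = set(client.get("SupportedIdentityProviders", []))
    # "COGNITO" means native user-pool sign-in, which the guide removes.
    if "COGNITO" in idps:
        findings.append("app client still allows native Cognito user-pool sign-in")
    if provider_name not in idps:
        findings.append(f"app client does not allow the federated provider {provider_name!r}")
    scopes = set(client.get("AllowedOAuthScopes", []))
    if scopes != EXPECTED_SCOPES:
        findings.append(f"OAuth scopes are {sorted(scopes)}; expected {sorted(EXPECTED_SCOPES)}")
    callbacks = client.get("CallbackURLs", [])
    if callbacks != [callback_url]:
        findings.append(f"callback URLs are {callbacks}; expected exactly [{callback_url!r}]")
    return findings


def audit_identity_pool(identity_pool, user_pool_id, client_id, region):
    """Return findings for the identity pool; empty list means it matches the guide."""
    findings = []
    # The guide selects Authenticated access only.
    if identity_pool.get("AllowUnauthenticatedIdentities", False):
        findings.append("identity pool allows unauthenticated (guest) identities")
    # Cognito names a user-pool provider as cognito-idp.<region>.amazonaws.com/<pool id>.
    expected_provider = f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    providers = identity_pool.get("CognitoIdentityProviders", [])
    matched = [
        p for p in providers
        if p.get("ProviderName") == expected_provider and p.get("ClientId") == client_id
    ]
    if not matched:
        findings.append("identity pool is not wired to the expected user pool and app client")
    if len(providers) != len(matched):
        findings.append("identity pool trusts additional authentication sources")
    return findings


# Constructed sample data (placeholder IDs, not from a real account).
SAMPLE_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "MfaConfiguration": "OFF",
}
SAMPLE_APP_CLIENT = {
    "ClientId": "exampleclientid123",
    "SupportedIdentityProviders": ["EntraID-Production"],
    "AllowedOAuthScopes": ["openid", "email"],
    "CallbackURLs": ["https://my.confidencial.io/auth?ref=cognito"],
}
SAMPLE_IDENTITY_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": False,
    "CognitoIdentityProviders": [{
        "ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
        "ClientId": "exampleclientid123",
        "ServerSideTokenCheck": True,
    }],
}

if __name__ == "__main__":
    for finding in audit_user_pool(SAMPLE_USER_POOL, SAMPLE_APP_CLIENT,
                                   "EntraID-Production",
                                   "https://my.confidencial.io/auth?ref=cognito"):
        print("user pool:", finding)
    for finding in audit_identity_pool(SAMPLE_IDENTITY_POOL, "us-east-1_EXAMPLE",
                                       "exampleclientid123", "us-east-1"):
        print("identity pool:", finding)
```

Against a live account, replace the sample dictionaries with the boto3 responses named in the docstring and run the audit after any console change to either pool; a non-empty result means the pool no longer matches the configuration this page prescribes.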
