Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
Links an existing user account in a user pool (DestinationUser
) to an
identity from an external IdP (SourceUser
) based on a specified
attribute name and value from the external IdP. This allows you to
create a link from the existing user account to an external federated
user identity that has not yet been used to sign in. You can then use
the federated user identity to sign in as the existing user account.
For example, if there is an existing user with a username and password, this API links that user to a federated user identity. When the user signs in with a federated user identity, they sign in as the existing user account.
The maximum number of federated identities linked to a user is five.
Because this API allows a user with an external federated identity to sign in as an existing user in the user pool, it is critical that it only be used with external IdPs and provider attributes that have been trusted by the application owner.
This action is administrative and requires developer credentials.
Synopsis
- data AdminLinkProviderForUser = AdminLinkProviderForUser' {}
- newAdminLinkProviderForUser :: Text -> ProviderUserIdentifierType -> ProviderUserIdentifierType -> AdminLinkProviderForUser
- adminLinkProviderForUser_userPoolId :: Lens' AdminLinkProviderForUser Text
- adminLinkProviderForUser_destinationUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType
- adminLinkProviderForUser_sourceUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType
- data AdminLinkProviderForUserResponse = AdminLinkProviderForUserResponse' {
- httpStatus :: Int
- newAdminLinkProviderForUserResponse :: Int -> AdminLinkProviderForUserResponse
- adminLinkProviderForUserResponse_httpStatus :: Lens' AdminLinkProviderForUserResponse Int
Creating a Request
data AdminLinkProviderForUser Source #
See: newAdminLinkProviderForUser
smart constructor.
AdminLinkProviderForUser' | |
|
Instances
newAdminLinkProviderForUser Source #
Create a value of AdminLinkProviderForUser
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
AdminLinkProviderForUser
, adminLinkProviderForUser_userPoolId
- The user pool ID for the user pool.
$sel:destinationUser:AdminLinkProviderForUser'
, adminLinkProviderForUser_destinationUser
- The existing user in the user pool that you want to assign to the
external IdP user account. This user can be a native (Username +
Password) Amazon Cognito user pools user or a federated user (for
example, a SAML or Facebook user). If the user doesn't exist, Amazon
Cognito generates an exception. Amazon Cognito returns this user when
the new user (with the linked IdP attribute) signs in.
For a native username + password user, the ProviderAttributeValue
for
the DestinationUser
should be the username in the user pool. For a
federated user, it should be the provider-specific user_id
.
The ProviderAttributeName
of the DestinationUser
is ignored.
The ProviderName
should be set to Cognito
for users in Cognito user
pools.
All attributes in the DestinationUser profile must be mutable. If you have assigned the user any immutable custom attributes, the operation won't succeed.
$sel:sourceUser:AdminLinkProviderForUser'
, adminLinkProviderForUser_sourceUser
- An external IdP account for a user who doesn't exist yet in the user
pool. This user must be a federated user (for example, a SAML or
Facebook user), not another native user.
If the SourceUser
is using a federated social IdP, such as Facebook,
Google, or Login with Amazon, you must set the ProviderAttributeName
to Cognito_Subject
. For social IdPs, the ProviderName
will be
Facebook
, Google
, or LoginWithAmazon
, and Amazon Cognito will
automatically parse the Facebook, Google, and Login with Amazon tokens
for id
, sub
, and user_id
, respectively. The
ProviderAttributeValue
for the user must be the same value as the
id
, sub
, or user_id
value found in the social IdP token.
For SAML, the ProviderAttributeName
can be any value that matches a
claim in the SAML assertion. If you want to link SAML users based on the
subject of the SAML assertion, you should map the subject to a claim
through the SAML IdP and submit that claim name as the
ProviderAttributeName
. If you set ProviderAttributeName
to
Cognito_Subject
, Amazon Cognito will automatically parse the default
unique identifier found in the subject from the SAML token.
Request Lenses
adminLinkProviderForUser_userPoolId :: Lens' AdminLinkProviderForUser Text Source #
The user pool ID for the user pool.
adminLinkProviderForUser_destinationUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType Source #
The existing user in the user pool that you want to assign to the external IdP user account. This user can be a native (Username + Password) Amazon Cognito user pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP attribute) signs in.
For a native username + password user, the ProviderAttributeValue
for
the DestinationUser
should be the username in the user pool. For a
federated user, it should be the provider-specific user_id
.
The ProviderAttributeName
of the DestinationUser
is ignored.
The ProviderName
should be set to Cognito
for users in Cognito user
pools.
All attributes in the DestinationUser profile must be mutable. If you have assigned the user any immutable custom attributes, the operation won't succeed.
adminLinkProviderForUser_sourceUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType Source #
An external IdP account for a user who doesn't exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.
If the SourceUser
is using a federated social IdP, such as Facebook,
Google, or Login with Amazon, you must set the ProviderAttributeName
to Cognito_Subject
. For social IdPs, the ProviderName
will be
Facebook
, Google
, or LoginWithAmazon
, and Amazon Cognito will
automatically parse the Facebook, Google, and Login with Amazon tokens
for id
, sub
, and user_id
, respectively. The
ProviderAttributeValue
for the user must be the same value as the
id
, sub
, or user_id
value found in the social IdP token.
For SAML, the ProviderAttributeName
can be any value that matches a
claim in the SAML assertion. If you want to link SAML users based on the
subject of the SAML assertion, you should map the subject to a claim
through the SAML IdP and submit that claim name as the
ProviderAttributeName
. If you set ProviderAttributeName
to
Cognito_Subject
, Amazon Cognito will automatically parse the default
unique identifier found in the subject from the SAML token.
Destructuring the Response
data AdminLinkProviderForUserResponse Source #
See: newAdminLinkProviderForUserResponse
smart constructor.
AdminLinkProviderForUserResponse' | |
|
Instances
Generic AdminLinkProviderForUserResponse Source # | |
Read AdminLinkProviderForUserResponse Source # | |
Show AdminLinkProviderForUserResponse Source # | |
NFData AdminLinkProviderForUserResponse Source # | |
Eq AdminLinkProviderForUserResponse Source # | |
type Rep AdminLinkProviderForUserResponse Source # | |
Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser type Rep AdminLinkProviderForUserResponse = D1 ('MetaData "AdminLinkProviderForUserResponse" "Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser" "amazonka-cognito-idp-2.0-D1ERgMvEVPG9z8cOLXdU2" 'False) (C1 ('MetaCons "AdminLinkProviderForUserResponse'" 'PrefixI 'True) (S1 ('MetaSel ('Just "httpStatus") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Int))) |
newAdminLinkProviderForUserResponse Source #
Create a value of AdminLinkProviderForUserResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:AdminLinkProviderForUserResponse'
, adminLinkProviderForUserResponse_httpStatus
- The response's http status code.
Response Lenses
adminLinkProviderForUserResponse_httpStatus :: Lens' AdminLinkProviderForUserResponse Int Source #
The response's http status code.