AWS Security Blog

How Does Amazon Cognito Relate to Existing Web Identity Federation?

by Shon Shah | in Announcements, Federation

As you might have seen, AWS recently released Amazon Cognito, a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. If you develop mobile apps that call AWS services, you definitely want to check out Amazon Cognito.

What is Amazon Cognito?

Amazon Cognito simplifies the task of authorizing your users to access resources in your AWS account without the need to embed long-term AWS credentials in your app. It works with the AWS Security Token Service to uniquely identify a user and to give the user a consistent identity throughout the lifetime of an app. In addition, Amazon Cognito offers a synchronization service that enables you to save app data locally on users’ devices. This allows your app to work even when the device is offline or when the same user accesses the app on a different device. 

How does Amazon Cognito relate to web identity federation?

Web identity federation was released in May of 2013. You can use web identity federation in your mobile apps to enable users to sign in using supported identity providers (Login with Amazon, Facebook, or Google), and to trade an authentication token from these providers for temporary AWS security credentials. The advantage is that you can build mobile apps without writing any backend code to integrate with these identity providers. Moreover, as with Amazon Cognito, you don’t have to embed long-term AWS credentials in your app.

So how does the new Amazon Cognito service relate to web identity federation? The short answer is that Amazon Cognito is a superset of the functionality provided by web identity federation. It supports the same providers, and you configure your app and authenticate with those providers in the same way. But Amazon Cognito includes a variety of additional features. For example, it enables your users to start using the app as a guest user and later sign in using one of the supported identity providers. User data that’s saved when the user is running unauthenticated is preserved when the user signs in, allowing you to offer a seamless personalization experience. As noted, Amazon Cognito also enables you to synchronize app data for your users across their mobile devices.
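One place where the guest-then-sign-in model described above becomes concrete is the role trust policy: a Cognito identity pool hands out one role for unauthenticated identities and another for authenticated ones, each scoped by the token's `aud` and `amr` claims, while a classic web identity federation role trusts a provider's tokens for one registered app id. The following is an added example, not code from the post or from AWS; the app id and identity pool id are placeholders, the claim sets are constructed, and the condition check is a simplified local illustration of the two IAM operators used, not IAM's evaluation engine.

```python
# Trust policies for classic web identity federation and for the Cognito guest and
# authenticated roles, plus a local check of the two IAM condition operators they use.
import fnmatch

FACEBOOK_APP_ID = "PLACEHOLDER_FACEBOOK_APP_ID"                       # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder

# Web identity federation: the role trusts Facebook tokens for one registered app.
WIF_TRUST = {
    "Effect": "Allow",
    "Principal": {"Federated": "graph.facebook.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"graph.facebook.com:app_id": FACEBOOK_APP_ID}},
}

def cognito_trust(amr):
    """Cognito role trust, scoped to one identity pool (aud) and to how the identity
    authenticated (amr), so guests and signed-in users receive separate roles."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
        },
    }

GUEST_ROLE_TRUST = cognito_trust("unauthenticated")
AUTH_ROLE_TRUST = cognito_trust("authenticated")

# Constructed claim sets standing in for the request context of a Cognito token.
GUEST_CLAIMS = {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
                "cognito-identity.amazonaws.com:amr": ["unauthenticated"]}
SIGNED_IN_CLAIMS = {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
                    "cognito-identity.amazonaws.com:amr": ["authenticated", "graph.facebook.com"]}

def conditions_met(statement, claims):
    """Simplified check: StringEquals fails on a missing key; ForAnyValue:StringLike
    passes if any value of a multi-valued claim matches. Other operators are ignored."""
    for op, tests in statement["Condition"].items():
        for key, want in tests.items():
            got = claims.get(key)
            values = got if isinstance(got, list) else [got]
            if op == "StringEquals" and not all(v == want for v in values):
                return False
            if op == "ForAnyValue:StringLike" and not any(
                    isinstance(v, str) and fnmatch.fnmatchcase(v, want) for v in values):
                return False
    return True
```

Running `conditions_met` over both claim sets shows that a guest token satisfies only the unauthenticated role's trust, a signed-in token only the authenticated role's, and a token for another identity pool neither, which is why the guest role should carry the narrower permissions.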

Should I use Amazon Cognito or web identity federation?

We recommend using Amazon Cognito for all mobile apps that call AWS services. If you have an existing app that uses web identity federation, it will continue to work, but you might want to consider modifying it to use Amazon Cognito to take advantage of the additional benefits.

For more information, check out the AWS SDK for Android Developer Guide or the AWS SDK for iOS Developer Guide.

If you have questions, comments, or suggestions, you can start a thread in the Amazon Cognito forum or the IAM forum.

– Shon