AWS Partner Network (APN) Blog

Managing SaaS Users with Amazon Cognito

User management is one of those fundamental concepts that must be tackled by every software as a service (SaaS) provider. There are a handful of approaches that are commonly used to address this need. Some teams prefer to build out their own user management services while others rely on third-party identity providers to fill this void. Now, with the beta release of Amazon Cognito Identity user pools, you have another option to consider.

Amazon Cognito provides SaaS providers with a cost-efficient and secure tool for managing user information at scale (millions of users). This feature provides you with an end-to-end experience that allows you to customize the attributes of your user data and the policies that will be applied to user authentication. It also supports hooks for introducing your own code to customize the authentication and registration workflow.

The fully managed nature of Amazon Cognito’s user pools represents a compelling model, eliminating the need for SaaS providers to build, manage, and maintain their own identity infrastructure. Offloading this responsibility to AWS can reduce the complexity of your identity footprint and free you up to focus more of your attention on the core capabilities of your SaaS solution.

For this blog post, we’ll look at the key capabilities of the Amazon Cognito Identity user pools feature. The goal is to touch on the main concepts and provide an introduction to some of the fundamental capabilities of this new feature.

A Multi-Tenant View

While there’s nothing inherently SaaS-centric about user pools, the way they are managed and scoped aligns nicely with the needs of multi-tenant environments. In Amazon Cognito, each user pool represents a grouping of users that are owned by that pool. This ability to have many user pools under a single AWS account provides SaaS developers with the option of having separate user management experiences for each tenant.

You can configure a handful of options with each user pool, including user attributes, verification policies, and triggers. User pools also support fundamental concepts like password recovery. Collectively, these features allow you to easily address any one-off changes that may be needed for a given tenant. You may even choose to surface these options to your tenants to enable more control over how their users might be managed.

The sections that follow provide a bit more insight into the specific options you can configure for a user pool.

Configuring User Attributes

Each SaaS system has its own distinct set of attributes it may want to collect and manage for users. To support this, user pools allow you to define a custom footprint for your user, selecting those attributes that best align with the needs of your application.

When you look at the AWS console, you can get a clear picture of how attributes are managed for a user pool. The following screen illustration provides a view of the attribute configuration experience in Amazon Cognito:

You’ll notice that Amazon Cognito provides you with a core set of attributes that are commonly associated with users. If you don’t find the attribute you’re looking for here, you can also introduce your own custom attributes.

You can optionally designate an attribute as required by selecting the checkbox next to the attribute. If you enable this setting, you must provide a value for the attribute before it can be stored. Once this option has been set for a user pool, it cannot be changed.

User pools also support the idea of an alias. By choosing the alias checkbox for one or more attributes, you can use those attributes as an alternate way for a user to log in to the system. Essentially, any alias attribute can be used in combination with a user’s password to successfully authenticate a user’s access to your application. You might, for example, designate an email address or a phone number as an alias attribute.

Configuring Verification

Almost every SaaS user sign-up process supports some mechanism for verifying a user’s identity. This is essential to ensuring that new or existing users are providing valid identity information. With Amazon Cognito, you can offload the implementation and management of these verification policies to AWS.

The verification functionality supported by Amazon Cognito matches the models that are commonly found in other SaaS applications. The supported verification options include:

  • Multi-factor authentication (MFA) – You can choose whether users must provide a secondary form of authentication, or whether this is optional.
  • Verification emails and phone numbers – You can choose this option to determine if and how emails and phone numbers will be used to confirm user accounts. You can enable email or phone verification, or both, and you can customize the text of the verification message that is delivered to users.

Pushing management of these options to Amazon Cognito takes one more burden off your SaaS application and puts you in a good position to embrace new options that may emerge in the future.

Customizing User Events

Even as you push more responsibility to Amazon Cognito, it may still be necessary to introduce custom processing into the overall management lifecycle for your users. To support these types of customizations, Amazon Cognito includes the ability to trigger Amazon Lambda functions based on different user events. These triggers fall into the following categories:

  • Pre sign-up – Invoked before a new user is added to the user pool.
  • Pre authentication – Allows for custom validation before a user is authenticated.
  • Post authentication – Allows for custom processing after a user is authenticated.
  • Post confirmation – Allows for custom processing after a user is verified.
  • Custom message – Supports dynamic processing of verification messages.

These custom processing features may be of particular interest to SaaS providers who may have integrations or provisioning activities that would need to be triggered at different steps in the registration process. You might, for example, have third-party integration with a billing system that must be called each time a new user is being added to the system. Or, you might want to trigger the collection of analytics data whenever a user is authenticated.
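As an added illustration (not code from the original post), here is a pre sign-up trigger written as a Python Lambda handler that rejects registrations whose email domain is not on the tenant's allowlist and leaves Cognito's own verification in place. The `TENANT_DOMAINS` table, the pool ID, and the `sample_event` helper are constructed for the example; the event fields follow the shape Cognito passes to pre sign-up triggers.

```python
# Added example: pre sign-up trigger for a per-tenant user pool.
# TENANT_DOMAINS and the pool ID below are constructed placeholders.
TENANT_DOMAINS = {
    "us-east-1_EXAMPLE01": {"example.com", "corp.example.com"},
}


def lambda_handler(event, context):
    """Reject sign-ups outside the tenant's allowed email domains."""
    allowed = TENANT_DOMAINS.get(event["userPoolId"])
    if allowed is None:
        # Fail closed: an unknown pool gets no sign-ups at all.
        raise Exception("Sign-up is not enabled for this user pool")

    email = event["request"]["userAttributes"].get("email", "")
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or "@" in local or domain not in allowed:
        # Raising from a pre sign-up trigger makes Cognito refuse the sign-up.
        raise Exception("Email domain is not permitted for this tenant")

    # Do not bypass the pool's verification policy from the trigger.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    event["response"]["autoVerifyPhone"] = False
    return event


def sample_event(email, pool_id="us-east-1_EXAMPLE01"):
    """Constructed pre sign-up event for local testing."""
    return {
        "version": "1",
        "triggerSource": "PreSignUp_SignUp",
        "region": "us-east-1",
        "userPoolId": pool_id,
        "userName": "alice",
        "request": {"userAttributes": {"email": email}},
        "response": {},
    }
```

Keeping the allowlist keyed by `userPoolId` means one function can serve every tenant pool while still failing closed for pools it does not know about.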

Provisioning User Pools

Assuming you were to associate a single user pool with each tenant, you would need to introduce provisioning automation that would create a tenant’s user pool during the sign-up process. This would also require automation that configures all the other moving parts of Amazon Cognito to declare and associate the user pools with the other Amazon Cognito constructs and security policies.

The basic steps here would be to first create a user pool for the tenant and apply any tenant-specific customizations or policies (these would typically be the same for all tenants). Then, you’d need your automation to provision and configure an identity pool. Finally, you’d have to associate the identity pool with your newly created user pool. The process is a bit more involved than that, but these are the key concepts you need to have in mind as you think about how to add this automation to your tenant creation lifecycle.

AWS provides a series of APIs that you can use to implement your provisioning automation model. These APIs are available for a number of different languages and environments.
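The three steps described above can be sketched with boto3 as follows; this is an added example, not code from the original post. The function name, naming scheme, password policy values, and the `tenant_id` custom attribute are assumptions, and the sketch stops short of the IAM role attachment that a complete setup also needs.

```python
import re


def provision_tenant(idp, identity, tenant_id, region):
    """Create a user pool, app client and identity pool for one tenant.

    idp and identity are boto3 clients for "cognito-idp" and "cognito-identity".
    """
    # Assumed rule: restrict tenant IDs before they are used in resource names.
    if not re.fullmatch(r"[a-z0-9]{1,32}", tenant_id):
        raise ValueError("tenant_id must be 1-32 lowercase letters or digits")

    # Step 1: the tenant's user pool, with the same policy for every tenant.
    pool_id = idp.create_user_pool(
        PoolName=f"tenant-{tenant_id}",
        Policies={"PasswordPolicy": {
            "MinimumLength": 12, "RequireUppercase": True,
            "RequireLowercase": True, "RequireNumbers": True,
            "RequireSymbols": True}},
        AutoVerifiedAttributes=["email"],   # send a verification email
        AliasAttributes=["email"],          # email can be used to sign in
        Schema=[
            {"Name": "email", "AttributeDataType": "String", "Required": True},
            # Custom attribute, immutable so a user cannot change tenants.
            {"Name": "tenant_id", "AttributeDataType": "String",
             "Mutable": False},
        ],
    )["UserPool"]["Id"]

    # The identity pool refers to the user pool through an app client.
    client_id = idp.create_user_pool_client(
        UserPoolId=pool_id, ClientName=f"tenant-{tenant_id}-app",
        GenerateSecret=False,
    )["UserPoolClient"]["ClientId"]

    # Steps 2 and 3: identity pool, associated with the new user pool.
    identity_pool_id = identity.create_identity_pool(
        IdentityPoolName=f"tenant_{tenant_id}",
        AllowUnauthenticatedIdentities=False,  # no guest credentials
        CognitoIdentityProviders=[{
            "ProviderName": f"cognito-idp.{region}.amazonaws.com/{pool_id}",
            "ClientId": client_id,
            "ServerSideTokenCheck": True,
        }],
    )["IdentityPoolId"]

    return {"user_pool_id": pool_id, "client_id": client_id,
            "identity_pool_id": identity_pool_id}
```

In a real deployment the two clients come from `boto3.client("cognito-idp")` and `boto3.client("cognito-identity")`; passing them in keeps the function testable with stand-ins.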

Another Provider Option

Amazon Cognito has a well-defined model for how it integrates with other public identity providers. It already supports integration with Google, Facebook, Twitter, and so on. Amazon Cognito user pools plug directly into this pattern, serving as one more identity provider that’s available to developers. This model makes adoption and management of user pools a very natural experience.

Within the AWS console, you’ll notice that user pools are configured with the same flow that is used for other providers. The following screen illustration provides a snapshot of this experience:

This image represents a portion of the overall setup process that is used to configure an Amazon Cognito identity pool. You’ll notice that the Cognito tab lives alongside all the other available providers. Here you can populate the details associated with any user pool that you’ve created.

Making The Shift

While many teams rely on their own custom solutions for managing user data, it’s becoming increasingly compelling to leverage third-party solutions to address this need. The ability to offload responsibility of this functionality to someone else frees your team up to focus more on the core features of your SaaS application.

Overall, it seems likely that the authentication, verification, and registration capabilities of SaaS solutions will continue to evolve. By adopting a solution like Amazon Cognito, you’ll be in a better position to take advantage of these new capabilities as the service evolves. To learn more, visit the Amazon Cognito webpage.