libZSservicesZSamazonka-cognito-idpZSamazonka-cognito-idp
Copyright(c) 2013-2021 Brendan Hay
LicenseMozilla Public License, v. 2.0.
MaintainerBrendan Hay <brendan.g.hay+amazonka@gmail.com>
Stabilityauto-generated
Portabilitynon-portable (GHC extensions)
Safe HaskellNone

Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Description

Links an existing user account in a user pool (DestinationUser) to an identity from an external identity provider (SourceUser) based on a specified attribute name and value from the external identity provider. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in, so that the federated user identity can be used to sign in as the existing user account.

For example, if there is an existing user with a username and password, this API links that user to a federated user identity, so that when the federated user identity is used, the user signs in as the existing user account.

The maximum number of federated identities linked to a user is 5.

Because this API allows a user with an external federated identity to sign in as an existing user in the user pool, it is critical that it only be used with external identity providers and provider attributes that have been trusted by the application owner.

This action is enabled only for admin access and requires developer credentials.

Synopsis

Creating a Request

data AdminLinkProviderForUser Source #

See: newAdminLinkProviderForUser smart constructor.

Constructors

AdminLinkProviderForUser' 

Fields

  • userPoolId :: Text

    The user pool ID for the user pool.

  • destinationUser :: ProviderUserIdentifierType

    The existing user in the user pool to be linked to the external identity provider user account. Can be a native (Username + Password) Cognito User Pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, an exception is thrown. This is the user that is returned when the new user (with the linked identity provider attribute) signs in.

    For a native username + password user, the ProviderAttributeValue for the DestinationUser should be the username in the user pool. For a federated user, it should be the provider-specific user_id.

    The ProviderAttributeName of the DestinationUser is ignored.

    The ProviderName should be set to Cognito for users in Cognito user pools.

  • sourceUser :: ProviderUserIdentifierType

    An external identity provider account for a user who does not currently exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.

    If the SourceUser is a federated social identity provider user (Facebook, Google, or Login with Amazon), you must set the ProviderAttributeName to Cognito_Subject. For social identity providers, the ProviderName will be Facebook, Google, or LoginWithAmazon, and Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for id, sub, and user_id, respectively. The ProviderAttributeValue for the user must be the same value as the id, sub, or user_id value found in the social identity provider token.

    For SAML, the ProviderAttributeName can be any value that matches a claim in the SAML assertion. If you wish to link SAML users based on the subject of the SAML assertion, you should map the subject to a claim through the SAML identity provider and submit that claim name as the ProviderAttributeName. If you set ProviderAttributeName to Cognito_Subject, Cognito will automatically parse the default unique identifier found in the subject from the SAML token.

Instances

Instances details
Eq AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Read AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Show AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Generic AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Associated Types

type Rep AdminLinkProviderForUser :: Type -> Type #

NFData AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Hashable AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

ToJSON AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

AWSRequest AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

ToHeaders AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

ToPath AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

ToQuery AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

type Rep AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

type Rep AdminLinkProviderForUser = D1 ('MetaData "AdminLinkProviderForUser" "Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser" "libZSservicesZSamazonka-cognito-idpZSamazonka-cognito-idp" 'False) (C1 ('MetaCons "AdminLinkProviderForUser'" 'PrefixI 'True) (S1 ('MetaSel ('Just "userPoolId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: (S1 ('MetaSel ('Just "destinationUser") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 ProviderUserIdentifierType) :*: S1 ('MetaSel ('Just "sourceUser") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 ProviderUserIdentifierType))))
type AWSResponse AdminLinkProviderForUser Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

newAdminLinkProviderForUser Source #

Create a value of AdminLinkProviderForUser with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:userPoolId:AdminLinkProviderForUser', adminLinkProviderForUser_userPoolId - The user pool ID for the user pool.

$sel:destinationUser:AdminLinkProviderForUser', adminLinkProviderForUser_destinationUser - The existing user in the user pool to be linked to the external identity provider user account. Can be a native (Username + Password) Cognito User Pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, an exception is thrown. This is the user that is returned when the new user (with the linked identity provider attribute) signs in.

For a native username + password user, the ProviderAttributeValue for the DestinationUser should be the username in the user pool. For a federated user, it should be the provider-specific user_id.

The ProviderAttributeName of the DestinationUser is ignored.

The ProviderName should be set to Cognito for users in Cognito user pools.

$sel:sourceUser:AdminLinkProviderForUser', adminLinkProviderForUser_sourceUser - An external identity provider account for a user who does not currently exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.

If the SourceUser is a federated social identity provider user (Facebook, Google, or Login with Amazon), you must set the ProviderAttributeName to Cognito_Subject. For social identity providers, the ProviderName will be Facebook, Google, or LoginWithAmazon, and Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for id, sub, and user_id, respectively. The ProviderAttributeValue for the user must be the same value as the id, sub, or user_id value found in the social identity provider token.

For SAML, the ProviderAttributeName can be any value that matches a claim in the SAML assertion. If you wish to link SAML users based on the subject of the SAML assertion, you should map the subject to a claim through the SAML identity provider and submit that claim name as the ProviderAttributeName. If you set ProviderAttributeName to Cognito_Subject, Cognito will automatically parse the default unique identifier found in the subject from the SAML token.

Request Lenses

adminLinkProviderForUser_destinationUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType Source #

The existing user in the user pool to be linked to the external identity provider user account. Can be a native (Username + Password) Cognito User Pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, an exception is thrown. This is the user that is returned when the new user (with the linked identity provider attribute) signs in.

For a native username + password user, the ProviderAttributeValue for the DestinationUser should be the username in the user pool. For a federated user, it should be the provider-specific user_id.

The ProviderAttributeName of the DestinationUser is ignored.

The ProviderName should be set to Cognito for users in Cognito user pools.

adminLinkProviderForUser_sourceUser :: Lens' AdminLinkProviderForUser ProviderUserIdentifierType Source #

An external identity provider account for a user who does not currently exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.

If the SourceUser is a federated social identity provider user (Facebook, Google, or Login with Amazon), you must set the ProviderAttributeName to Cognito_Subject. For social identity providers, the ProviderName will be Facebook, Google, or LoginWithAmazon, and Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for id, sub, and user_id, respectively. The ProviderAttributeValue for the user must be the same value as the id, sub, or user_id value found in the social identity provider token.

For SAML, the ProviderAttributeName can be any value that matches a claim in the SAML assertion. If you wish to link SAML users based on the subject of the SAML assertion, you should map the subject to a claim through the SAML identity provider and submit that claim name as the ProviderAttributeName. If you set ProviderAttributeName to Cognito_Subject, Cognito will automatically parse the default unique identifier found in the subject from the SAML token.

Destructuring the Response

data AdminLinkProviderForUserResponse Source #

See: newAdminLinkProviderForUserResponse smart constructor.

Constructors

AdminLinkProviderForUserResponse' 

Fields

Instances

Instances details
Eq AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Read AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Show AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Generic AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

Associated Types

type Rep AdminLinkProviderForUserResponse :: Type -> Type #

NFData AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

type Rep AdminLinkProviderForUserResponse Source # 
Instance details

Defined in Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser

type Rep AdminLinkProviderForUserResponse = D1 ('MetaData "AdminLinkProviderForUserResponse" "Amazonka.CognitoIdentityProvider.AdminLinkProviderForUser" "libZSservicesZSamazonka-cognito-idpZSamazonka-cognito-idp" 'False) (C1 ('MetaCons "AdminLinkProviderForUserResponse'" 'PrefixI 'True) (S1 ('MetaSel ('Just "httpStatus") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Int)))

newAdminLinkProviderForUserResponse Source #

Create a value of AdminLinkProviderForUserResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:httpStatus:AdminLinkProviderForUserResponse', adminLinkProviderForUserResponse_httpStatus - The response's http status code.

Response Lenses