When using an external service provider (Azure AD) to log into my user pool, my Cognito migrate user lambda never executes

0

I'm having the problem described above. Here are a few things to note:

  • There's no permissions issue. I've validated that the lambda will fire and execute as a post-auth trigger (when testing with a different function handler).
  • My app client is set to use USER_PASSWORD_AUTH instead of SRP.
  • The lambda fires when making an AdminInitiateAuth() call directly from my C# app or the console using (aws cognito-idp admin-initiate-auth) and succeeds.
  • I can see a user being created in the pool after I authenticate, but the lambda just doesn't fire.

I'm out of options. I need to know whether this will work as configured above. If not, is there an alternative (a post-auth trigger to grab some important data from my existing pool)? As it turns out, I don't need the passwords from the existing pool, just some of the attributes.

One thing I noticed: the username displayed in Cognito is always prepended with the provider name specified in the UI. I don't know if this matters, but it's not the desired behavior. I want the username to reflect the NAMEID in my SAML, but Cognito doesn't seem to care and throws the provider name in front of it automatically.

1 Answer
0
Accepted answer

I figured this out. Federated login with Cognito does not support the user migration lambda trigger at all, and you have to use a different trigger (like post confirmation). This was not clear without a deep dive into the documentation.

answered 3 months ago
EXPERT
reviewed a month ago
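The accepted answer points at the Post confirmation trigger as the replacement for the migration trigger on federated sign-ins. Below is an added example of such a trigger (this is not code from the question or the answer). It fires with `triggerSource` `PostConfirmation_ConfirmSignUp` when Cognito creates the federated user, recognizes the user as federated from the `identities` attribute that Cognito sets for IdP-linked users (the `ProviderName_` username prefix from the question is the visible side of the same linkage), looks the person up in the legacy pool by the e-mail the IdP asserted, and copies a few attributes across. Assumptions: the legacy pool ID comes from a `LEGACY_USER_POOL_ID` environment variable, the `custom:legacy_id` attribute name is hypothetical, and `FakeCognitoClient` plus `sample_event` are constructed stand-ins so the module runs offline; against AWS the execution role needs `cognito-idp:ListUsers` on the legacy pool and `cognito-idp:AdminUpdateUserAttributes` on the new one.

```python
"""Post confirmation trigger that copies legacy attributes for federated users.

Added example, not code from the re:Post thread. Assumes LEGACY_USER_POOL_ID is
set in the Lambda environment and that legacy users are matched by e-mail.
"""
import json
import os

# Attributes to carry over from the legacy pool. The custom:* name is hypothetical.
COPY_ATTRIBUTES = ("given_name", "family_name", "custom:legacy_id")


def federated_identity(user_attributes):
    """Return the first linked IdP identity, or None for a native pool user.

    Federated users carry an 'identities' attribute: a JSON list such as
    [{"userId": "...", "providerName": "AzureAD", "providerType": "SAML", ...}].
    """
    raw = user_attributes.get("identities")
    if not raw:
        return None
    identities = json.loads(raw)
    return identities[0] if identities else None


def legacy_filter(email):
    """Build a ListUsers filter, escaping quotes so an IdP-supplied value
    cannot break out of the quoted literal."""
    escaped = email.replace("\\", "\\\\").replace('"', '\\"')
    return f'email = "{escaped}"'


def lookup_legacy_user(client, legacy_pool_id, email):
    """Find the legacy user by e-mail; return {attribute name: value} or None."""
    resp = client.list_users(UserPoolId=legacy_pool_id,
                             Filter=legacy_filter(email), Limit=1)
    users = resp.get("Users", [])
    if not users:
        return None
    return {a["Name"]: a["Value"] for a in users[0]["Attributes"]}


def handler(event, context=None, client=None, legacy_pool_id=None):
    """Post confirmation trigger. Cognito requires the event to be returned."""
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return event
    attrs = event["request"]["userAttributes"]
    if federated_identity(attrs) is None:
        return event  # native user: the migration trigger covers this path
    email = attrs.get("email")
    if not email:
        return event
    client = client or _real_client()
    legacy_pool_id = legacy_pool_id or os.environ["LEGACY_USER_POOL_ID"]
    legacy = lookup_legacy_user(client, legacy_pool_id, email)
    if legacy is None:
        return event
    updates = [{"Name": n, "Value": legacy[n]} for n in COPY_ATTRIBUTES if n in legacy]
    if updates:
        client.admin_update_user_attributes(
            UserPoolId=event["userPoolId"],
            Username=event["userName"],  # e.g. "AzureAD_<NameID>"
            UserAttributes=updates)
    return event


def _real_client():
    import boto3  # imported lazily so the module runs offline with the fake below
    return boto3.client("cognito-idp")


class FakeCognitoClient:
    """Constructed stand-in for the boto3 cognito-idp client (offline runs only)."""

    def __init__(self, legacy_users):
        self.legacy_users = legacy_users  # email -> {attribute: value}
        self.updates = []

    def list_users(self, UserPoolId, Filter, Limit):
        email = Filter.split('"')[1]
        attrs = self.legacy_users.get(email)
        if attrs is None:
            return {"Users": []}
        return {"Users": [{"Username": email, "Attributes": [
            {"Name": k, "Value": v} for k, v in attrs.items()]}]}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.updates.append({"pool": UserPoolId, "user": Username,
                             "attrs": UserAttributes})
        return {}


def sample_event(email="jane@example.com"):
    """Constructed Post confirmation event for a SAML user from provider 'AzureAD'."""
    identities = [{"userId": "jane.nameid", "providerName": "AzureAD",
                   "providerType": "SAML", "primary": True}]
    return {"triggerSource": "PostConfirmation_ConfirmSignUp",
            "userPoolId": "us-east-1_NEWPOOL", "userName": "AzureAD_jane.nameid",
            "request": {"userAttributes": {"email": email,
                                           "identities": json.dumps(identities)}}}


if __name__ == "__main__":
    fake = FakeCognitoClient({"jane@example.com": {
        "given_name": "Jane", "family_name": "Doe", "custom:legacy_id": "1042",
        "phone_number": "+15555550100"}})
    handler(sample_event(), client=fake, legacy_pool_id="us-east-1_OLDPOOL")
    print(json.dumps(fake.updates, indent=2))
```

Only the attributes listed in `COPY_ATTRIBUTES` are copied, so unrelated legacy data (the phone number in the sample) stays behind. Matching on e-mail relies on the IdP asserting a verified address; if the SAML mapping does not guarantee that, match on a claim you control instead, and keep the filter escaping since the value originates outside your account.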
