The answer is 'Yes'.
About Federation Under federation, your 3rd IdPs provide authentication while your cognito user pool acts as a bridge between multiple service providers and your app. To your IdP, Amazon Cognito is a service provider (SP).
About Authorization Your IdPs pass an OIDC ID token or a SAML assertion to Amazon Cognito. Amazon Cognito reads the claims about your user in the token or assertion and maps those claims to a new user profile in your user pool directory. Amazon Cognito then creates a user profile for your federated user in its own directory.
After Amazon Cognito creates a profile for your federated user, it changes its function and presents itself as the IdP to your app, which is now the SP. Amazon Cognito is a combination OIDC and OAuth 2.0 IdP. It generates access tokens, ID tokens, and refresh tokens.
Therefore, in order to avoid someone accessing to enterprise accounts, you'd try to control the Authorization in access tokens. Meanwhile, you can also use the user "group" of Cognito user pool. Users inherit group permissions, which are written to their access tokens, and "group" could be associate with an IAM role to get relative Authorization in AWS.
More details:  https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html?icmpid=docs_cognito_console_help_panel  https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html  https://docs.aws.amazon.com/cognito/latest/developerguide/accessing-resources.html
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 7 days ago