When using an external service provider (Azure AD) to log into my user pool, my Cognito migrate user lambda never executes


I'm having the problem described above. Here are a few things to note:

  • There's no permissions issue. I've validated that the lambda will fire and execute as a post-auth trigger (when testing with a different function handler).
  • My app client is set to use USER_PASSWORD_AUTH instead of SRP.
  • The lambda fires when making an AdminInitiateAuth() call directly from my C# app or the console using (aws cognito-idp admin-initiate-auth) and succeeds.
  • I can see a user being created in the pool after I authenticate, but the lambda just doesn't fire.

I'm out of options. I need to know whether this will work as configured above. If not, I need a possible alternative (a post-auth trigger to grab some important data from my existing pool). As it turns out, I don't need the passwords from the existing pool, just some of the attributes.

One thing I noticed: the username displayed in Cognito is always prepended with the provider name specified in the UI. I don't know if this matters, but it's not the desired behavior. I want the username to reflect the NAMEID in my SAML, but Cognito doesn't seem to care and throws the provider name in front of it automatically.

1 Answer
Accepted Answer

I figured this out. Federated login with Cognito does not support the user migration lambda trigger at all, and you have to use a different trigger (like post confirmation). This was not clear without a deep dive into the documentation.

answered a month ago
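To illustrate the accepted answer's alternative, here is an added example (not code from the question or the answer) of a PostConfirmation Lambda handler that does what the asker wanted from the migration trigger: on a federated user's first sign-in it reads the SAML NameID out of Cognito's `identities` attribute, looks the user up in the legacy pool, and copies selected attributes onto the new, provider-prefixed user. The pool ids, attribute names and the `FakeCognitoClient` test double are assumptions made for this example; the real deployment path uses boto3's `cognito-idp` client, whose `admin_get_user` and `admin_update_user_attributes` calls the fake mirrors. It also assumes the legacy pool stores the user under the same identifier that arrives as the NameID.

```python
"""PostConfirmation trigger that copies attributes from a legacy user pool.

Added example, not from the original post. The handler only acts on the
PostConfirmation_ConfirmSignUp source (the first federated sign-in), only for
users that carry a federated 'identities' attribute, and treats a missing
legacy record as 'nothing to copy' so the sign-in is never blocked.
"""
import json

LEGACY_POOL_ID = "us-east-1_LEGACYPOOL"          # placeholder, not a real pool id
ATTRIBUTES_TO_COPY = ("custom:department", "phone_number")  # assumed attribute names


def federated_identity(user_attributes):
    """Return (providerName, userId) from the 'identities' attribute, or None for native users.

    Cognito stores the federated link as a JSON list; the SAML NameID is 'userId'.
    The userName on the event is '<providerName>_<NameID>', which is why the
    question sees the provider name prepended to every federated username.
    """
    raw = user_attributes.get("identities")
    if not raw:
        return None
    for ident in json.loads(raw):
        if ident.get("primary") in (True, "true"):
            return ident["providerName"], ident["userId"]
    return None


def attributes_to_copy(legacy_user):
    """Keep only the allow-listed attributes from an AdminGetUser response."""
    return [{"Name": a["Name"], "Value": a["Value"]}
            for a in legacy_user.get("UserAttributes", [])
            if a["Name"] in ATTRIBUTES_TO_COPY]


def handler(event, context=None, legacy_client=None, target_client=None):
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return event  # e.g. ConfirmForgotPassword: not a first sign-in
    identity = federated_identity(event["request"]["userAttributes"])
    if identity is None:
        return event  # native sign-up, nothing to migrate
    if legacy_client is None or target_client is None:
        import boto3  # real deployment path; the fakes below are injected in tests
        legacy_client = target_client = boto3.client("cognito-idp")
    _provider, legacy_username = identity
    try:
        legacy_user = legacy_client.admin_get_user(
            UserPoolId=LEGACY_POOL_ID, Username=legacy_username)
    except legacy_client.exceptions.UserNotFoundException:
        return event  # no legacy record; the user keeps only IdP-supplied attributes
    attrs = attributes_to_copy(legacy_user)
    if attrs:
        target_client.admin_update_user_attributes(
            UserPoolId=event["userPoolId"],
            Username=event["userName"],      # provider-prefixed name, as Cognito created it
            UserAttributes=attrs)
    return event  # Cognito requires the event to be returned


class FakeCognitoClient:
    """Minimal stand-in for boto3's cognito-idp client (constructed test double)."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class UserNotFoundException(Exception):
            pass

    def __init__(self, users):
        self.users = users      # {(pool_id, username): {attr_name: value}}
        self.updates = []       # recorded AdminUpdateUserAttributes calls

    def admin_get_user(self, UserPoolId, Username):
        try:
            attrs = self.users[(UserPoolId, Username)]
        except KeyError:
            raise self.exceptions.UserNotFoundException(Username) from None
        return {"Username": Username,
                "UserAttributes": [{"Name": k, "Value": v} for k, v in attrs.items()]}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.updates.append((UserPoolId, Username, UserAttributes))
        return {}


SAMPLE_EVENT = {  # constructed, shaped like a Cognito PostConfirmation event
    "triggerSource": "PostConfirmation_ConfirmSignUp",
    "userPoolId": "us-east-1_NEWPOOL",            # placeholder
    "userName": "AzureAD_jdoe@example.com",       # provider-prefixed, as the question describes
    "request": {"userAttributes": {
        "email": "jdoe@example.com",
        "identities": json.dumps([{"userId": "jdoe@example.com", "providerName": "AzureAD",
                                   "providerType": "SAML", "primary": True, "dateCreated": 0}]),
    }},
    "response": {},
}


def run_sample():
    """Run the handler against the constructed event and return the recorded updates."""
    legacy = FakeCognitoClient({(LEGACY_POOL_ID, "jdoe@example.com"): {
        "email": "jdoe@example.com", "custom:department": "finance",
        "phone_number": "+15555550100", "sub": "legacy-sub"}})
    target = FakeCognitoClient({})
    handler(dict(SAMPLE_EVENT), None, legacy_client=legacy, target_client=target)
    return target.updates


if __name__ == "__main__":
    print(run_sample())
```

The allow-list in `ATTRIBUTES_TO_COPY` is deliberate: the legacy `sub` and any attribute the IdP already asserts should not be overwritten from the old pool, and a PostConfirmation function that raises will fail the user's sign-in, so the lookup miss is handled rather than propagated.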
