Account Linking Dilemma


Hi there,

I want my users to be able to link IDP (identity provider) accounts to their local Cognito account, be able to sign up with IDP accounts, and so on.

My dilemma is that an account that gets created MUST be linked to an existing account, because it must have two custom attributes to work properly.

custom:organizationId
custom:permissionLevel

Here is why this is challenging, and all my attempts have failed.

We cannot pass any parameters into the pre-sign-up Lambda trigger. If I could, I would pass the local account's email and get its user sub, along with organizationId and permissionLevel, so I can MOST IMPORTANTLY LINK the account to the local account, THEN update its custom attributes organizationId and permissionLevel.

The issue arises when the user uses a different email than the local account to log in or register with.

I'll give an example: the user's local email address is haibert@inva.dev. When the user wants to, let's say, connect their Google account, and chooses a different email, let's say haibertdev@gmail.com, I cannot match this email to an existing user to make sure I join it to the correct organization and link it to the local account.

Once the user is created and authenticated, I cannot even link the accounts.

After countless workaround attempts, my final and closest one was this.

During sign-up, check if the email exists in the DB. If it doesn't, create the account, but do an if check in the pre-token-generation trigger to make sure the user has an organizationId and accessLevel. If they don't, send an email with a link and a token to that email that they can click on to enter an EXISTING user's email address. We send a code to the existing email address, and if they return that code back to us successfully, we link the accounts.

This is so complicated and cumbersome, but it's the only solution I came up with, and I haven't even tested it yet.

Is there a better way to get this accomplished? I'm always in a catch-22 situation because of not being able to pass any custom parameters to the Lambda triggers, and not being able to link accounts once they've signed in.

Haibert
asked 5 months ago, 63 views
No Answers
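The flow the question is circling around is a pre-sign-up trigger that fires for an external-provider sign-in, looks up the local user by the email the IdP reports, and links the two with AdminLinkProviderForUser before a second, attribute-less account exists. The block below is an added example written for this page; it is not the poster's code and not an AWS sample. It assumes the trigger is deployed as the pool's pre sign-up Lambda with a role allowed to call cognito-idp:ListUsers and cognito-idp:AdminLinkProviderForUser, that local users carry the same email the IdP reports, and that the federated username has Cognito's "ProviderName_subject" shape. The `FakeCognito` client, the sample pool contents and `make_event` are constructed stand-ins so the logic runs offline; the real Lambda wires in `boto3.client("cognito-idp")`. Two points a practitioner would want from it: linking is refused unless the IdP marks the email as verified (linking on an unverified address would let anyone claim a local account by registering its email at the IdP), and the poster's different-email case is refused rather than auto-created, so no account without organizationId/permissionLevel is ever minted. Because the identity is linked to the existing local user, that user's custom attributes are the ones that apply after the link; nothing has to be copied. How the client should handle the first sign-in attempt after an in-trigger link is outside what this block shows.

```python
"""Pre sign-up trigger that links an external-IdP sign-in to the matching
local Cognito user. Added example for this page, not the poster's code.
Assumes: deployed as the pool's pre sign-up Lambda; role may call
ListUsers and AdminLinkProviderForUser; federated usernames look like
"<ProviderName>_<subject>" with no underscore in the provider name."""


class LinkDenied(Exception):
    """Raising from a pre sign-up trigger makes Cognito reject the sign-up."""


def parse_external_username(user_name):
    """Split Cognito's federated username into (provider, provider subject)."""
    provider, sep, subject = user_name.partition("_")
    if not sep or not provider or not subject:
        raise LinkDenied("unexpected federated username: %r" % user_name)
    return provider, subject


def find_local_user(cognito, user_pool_id, email):
    """Return the single native user with this email, or None if there is none."""
    resp = cognito.list_users(UserPoolId=user_pool_id, Filter='email = "%s"' % email)
    # Federated users carry UserStatus EXTERNAL_PROVIDER; only native users qualify.
    native = [u for u in resp.get("Users", []) if u.get("UserStatus") != "EXTERNAL_PROVIDER"]
    if len(native) > 1:
        raise LinkDenied("email %s matches more than one local account" % email)
    return native[0] if native else None


def link_external_identity(event, cognito):
    """Handle one pre sign-up event; returns the event unchanged when linking succeeded."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event  # native sign-ups are not this function's concern
    attrs = event["request"]["userAttributes"]
    email = (attrs.get("email") or "").strip()
    # Trust only an address the IdP itself has verified; an unverified one
    # would let an attacker claim a local account by registering its email.
    if not email or str(attrs.get("email_verified", "")).lower() != "true":
        raise LinkDenied("IdP did not report a verified email")
    if any(c in email for c in '"\\'):
        raise LinkDenied("email cannot be placed safely in a ListUsers filter")
    local = find_local_user(cognito, event["userPoolId"], email)
    if local is None:
        # The different-email case from the question: nothing to link to, so
        # refuse rather than create a user lacking organizationId/permissionLevel.
        raise LinkDenied("no local account uses %s; link from the existing account first" % email)
    provider, subject = parse_external_username(event["userName"])
    cognito.admin_link_provider_for_user(
        UserPoolId=event["userPoolId"],
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": local["Username"]},
        SourceUser={"ProviderName": provider, "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject},
    )
    return event


def lambda_handler(event, context):
    """Real entry point; the SDK import is deferred so the module loads without boto3."""
    import boto3
    return link_external_identity(event, boto3.client("cognito-idp"))


# --- constructed stand-ins so the logic can be exercised offline -------------

class FakeCognito:
    """Minimal stand-in for the cognito-idp client: ListUsers by email, record links."""

    def __init__(self, users):
        self.users = users
        self.links = []

    def list_users(self, UserPoolId, Filter):
        wanted = Filter.split('"')[1]
        hits = [u for u in self.users
                if any(a["Name"] == "email" and a["Value"] == wanted for a in u["Attributes"])]
        return {"Users": hits}

    def admin_link_provider_for_user(self, **kwargs):
        self.links.append(kwargs)
        return {}


SAMPLE_USERS = [  # constructed pool contents: one local user with both custom attributes
    {"Username": "b6e1d6c2-local-user", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": "email", "Value": "haibert@inva.dev"},
                    {"Name": "custom:organizationId", "Value": "org-123"},
                    {"Name": "custom:permissionLevel", "Value": "admin"}]},
]


def make_event(user_name, email, email_verified="true"):
    """Constructed pre sign-up event in the shape Cognito sends for an external IdP."""
    return {"triggerSource": "PreSignUp_ExternalProvider", "userPoolId": "us-east-1_EXAMPLE",
            "userName": user_name,
            "request": {"userAttributes": {"email": email, "email_verified": email_verified}},
            "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False}}


if __name__ == "__main__":
    fake = FakeCognito(SAMPLE_USERS)
    link_external_identity(make_event("Google_123456789", "haibert@inva.dev"), fake)
    print("linked:", fake.links[-1]["SourceUser"], "->", fake.links[-1]["DestinationUser"])
    for ev in (make_event("Google_987654321", "haibertdev@gmail.com"),
               make_event("Google_123456789", "haibert@inva.dev", email_verified="false")):
        try:
            link_external_identity(ev, fake)
        except LinkDenied as exc:
            print("denied:", exc)
```

The denial path is where the poster's email-challenge flow would start: the user is told to sign in with the existing local account and add the provider from there, instead of the pool ever holding an orphaned federated user.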
