Mass Import of Users to Cognito User Pool

0

A customer is planning to migrate their existing 5.4 million user base to Cognito (using doorkeeper gem for authentication currently) and would like their current users to be able to retain their existing passwords.

  1. Is there a way to do a batch user import and retain all existing passwords? - I found the following blog post on this, would they need to follow the one-at-a-time user migration process or is there a better way? (https://aws.amazon.com/blogs/mobile/migrating-users-to-amazon-cognito-user-pools/)

  2. How long would a migration like this take (reasonable timeline?)/ how long would it require both authentication systems to be up and running?

  3. What happens to any duplicate user info during the migration over to Cognito?

  4. The customer was also curious if at any point they needed to move their user pool out, is there a process to export their user pool?

Thank you so much!

AWS
Asked 4 years ago · 2329 views
1 Answer
0
Accepted Answer
  1. In addition to what is described in the blog, Cognito added support for a Migration Lambda trigger that allows an easier setup for a one-by-one migration, basically replacing the "migration microservice" described in the blog. This is the only way to retain passwords transparently for the user, as the user will not know the backing IdP has changed. This process will take some time to execute as it requires that each user logs in at least once, and it is important that the implementation follows the advice given in our documentation in regard to which auth flow to use.

  2. This is up to the customer to decide, and depends on when the users log in the first time. The customer can decide on a given threshold (e.g. 70% of users migrated) before shutting down his existing auth. This would mean that the remaining users will have to use the forgotten password flow to set the password in the new system (explained in the doc above).

  3. If the user already exists in Cognito, the migration lambda is not called and the user logs in directly into Cognito.

  4. The customer can export the content of the pool using the ListUser API. Cognito does not store the user passwords in a recoverable format, hence they cannot be exported. A process similar to the one used to migrate into Cognito can also be used to migrate users out of Cognito.

AWS
Expert
answered 4 years ago
Expert
reviewed 10 months ago
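
The Migration Lambda trigger described in the accepted answer, sketched as an added example (not code from the answer or from AWS); the in-memory `LEGACY_USERS` store and its PBKDF2 check are constructed stand-ins for the existing authentication system. Cognito can only hand the trigger a cleartext password when the app client signs in with `USER_PASSWORD_AUTH` or `ADMIN_USER_PASSWORD_AUTH`.

```python
import hashlib
import hmac


def legacy_hash(password, salt):
    # Assumption: stand-in for whatever hash the legacy system really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data; a real trigger would call the legacy auth service.
LEGACY_USERS = {
    "alice@example.com": {
        "salt": b"constructed-salt",
        "hash": legacy_hash("correct horse", b"constructed-salt"),
        "email_verified": True,
    },
}


def legacy_password_ok(user, password):
    if user is None:
        return False
    return hmac.compare_digest(legacy_hash(password, user["salt"]), user["hash"])


def lambda_handler(event, context):
    user = LEGACY_USERS.get(event["userName"])
    source = event["triggerSource"]

    if source == "UserMigration_Authentication":
        # Same error for unknown user and wrong password: no account oracle.
        if not legacy_password_ok(user, event["request"]["password"]):
            raise Exception("Bad credentials")
        # CONFIRMED keeps the password the user just typed as the Cognito one.
        event["response"]["finalUserStatus"] = "CONFIRMED"
    elif source == "UserMigration_ForgotPassword":
        # No password is available here; import the profile only and let
        # Cognito's reset flow set a new password.
        if user is None:
            raise Exception("Bad credentials")
    else:
        raise Exception("Unexpected trigger source")

    event["response"]["userAttributes"] = {
        "email": event["userName"],
        # Carry over verification only if the legacy system established it.
        "email_verified": "true" if user["email_verified"] else "false",
    }
    event["response"]["messageAction"] = "SUPPRESS"  # no welcome message
    return event
```

Users who already exist in the pool never reach this handler, so it runs at most once per account.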
