Knowledge Base Home

Configuring an External Identity Provider & Logging into your Enterprise Org

A quick walkthrough configuring Google as the externally federated identity provider in an AWS Cognito User Pool. Note that Google Sign-In is simply used as an example. Alternative options such as Facebook, OpenID, SAML, etc… are available as well. The identity provider sign-in must simply resolve to a registered email within the Kaleido Enterprise Org. You can mirror this approach for different identity providers.


  1. Visit the Integrating Google Sign-In developer site.
  2. Click the CONFIGURE A PROJECT button and supply a name for your project. Click Next
  3. Configure your OAuth Client by providing a product name to be shown on the user consent screen. Click Next
  4. Select Web browser as the scope for the OAuth Client and enter your Amazon Cognito domain as the “Authorized Javascript Origin”. Click Create to provision the client configuration. Leave the window with the credentials open. You will need to configure a redirect URL in a later step.
  5. Within your Cognito User Pool, click the Identity providers tab in the lefthand navigation panel and select Google.
  6. Input the Client ID and secret from the previous step into the appropriate fields. For the “Authorize scope” field, enumerate profile email openid and click the Enable Google button to finish.
  7. Click the Attribute mapping tab at the bottom of the lefthand navigation panel and select Google as the external identity provider to map attributes from.
  8. Capture email as the Google attribute
  9. Expand the User pool attribute dropdown and select Email. Click the Save changes button at the bottom of the screen
  10. Next, click the App client settings and select Google as your Enabled Identity Provider.
  11. Add the callback URL from the Enterprise Org creation into the Callback URL(s) field
  12. In the Allowed OAuth Flows section enable the following: Authorization code grantemail and openid. Click the Save changes button at the bottom of the screen to configure the client.
  13. Now you’re ready to login. Follow the login URL for your new Enterprise Org. This will redirect you to Google Sign-In or whichever implementation you have selected.
  14. IMPORTANT: If using Google Sign-In, your first attempt will fail with the following error – Error: redirect_uri_mismatch. Copy the supplied redirect URL in the body of the error message and access the configuration for the OAuth client. With Google Sign-In this can be done by accessing the developers API console. The pop-up window exposing your OAuth client ID/secret also contains a hyperlink to the console. Click the Credentials tab in the lefthand navigation and select the OAuth client ID that has been configured in Cognito. Paste the redirect URL in the Authorized redirect URLs field and click Save.
  15. Now refresh your enterprise login window. Supply the email/password combination (alternatively supply a username/password combination that resolves to a registered email on the Kaleido Enterprise Org) and proceed to log into the new org. Note that the user with the first successful login will become the owner of the org.

Prev Generating an Enterprise Organization in the Kaleido Console