Follow these steps to add AWS Cognito as the OIDC SSO provider for your workspace:

  1. Open Buddy SSO settings in one browser tab and switch to Open ID connect.
  2. In another tab, sign in to Amazon Cognito
  3. Click Create user pool, select the provider type, and define your sign-in options.
Make sure to check email as the sign-in option as email address is the ID of the user in Buddy.

  1. Click Next and configure password policy, MFA, and account recovery method according to the requirements of your company.

  1. Proceed to the next step to configure the sign-up details. Here you define how users register in Cognito.
Make sure to select email as the required attribute.

  1. Proceed to the next step and configure Cognito's message delivery settings.

  1. Click Next to proceed to integration configuration details:

    • Enter the user pool name
    • Check Use the Cognito Hosted UI and enter the prefix for the sign-in domain
    • Set the app type to Confidential client and enter its name
    • Check Generate a client secret
    • Paste the callback URL from Buddy's SSO settings in the Allowed callback URL
    • In the advanced settings, set the following:
      • Identity provider → Cognito user pool
      • OAuth 2.0 grant type → Authorization code grant
      • OpenID connect scopes → OpenID, Email
    • In the Attribute read and write permissions ensure that email is set to 'Read' Hosted authentication pages

  1. Proceed to the next page and review the settings. If everything's okay, click Create new pool.
  2. Click the created pool to add the users.
  3. When done, click the created integration in the user pool and do the following:

    a. Copy Client ID and Client secret. You will need them in the next step. b. Ensure the allowed callback URL is the same as the callback URL in Buddy.

  1. Switch back to Buddy and fill the inputs with data from the top section:
  • Client ID → the client ID of the created app
  • Client secret → the client secret of the created app
  • Issuer URL → the base URL of the AWS OIDC server (see below how to obtain it)

  1. Click Test the configuration and enable the SSO on success.
  2. Sign in to your AWS account to save the SSO configuration.

Creating Issuer URL

The issuer URL is not provided by AWS and needs to be created according to this rule:



  • $ZONE – the availability zone in which the user pool was added. Example: eu-north-1
  • $POOLID – the User pool ID displayed on the pool's main page in AWS. Example: eu-north-1_WsvGfh1a9

Example issuer URL:

Last modified on May 29, 2023

Get Started

Sign up for free and deploy your project in less than 10 minutes.