AWS Security Blog
How Does HAQM Cognito Relate to Existing Web Identity Federation?
As you might have seen, AWS recently released HAQM Cognito, a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. If you develop mobile apps that call AWS services, you definitely want to check out HAQM Cognito.
What is HAQM Cognito?
HAQM Cognito simplifies the task of authorizing your users to access resources in your AWS account without the need to embed long-term AWS credentials in your app. It works with the AWS Security Token Service to uniquely identify a user and to give the user a consistent identity throughout the lifetime of an app. In addition, HAQM Cognito offers a synchronization service that enables you to save app data locally on users’ devices. This allows your app to work even when the device is offline or when the same user accesses the app on a different device.
How does HAQM Cognito relate to web identity federation?
Web identity federation was released in May of 2013. You can use web identity federation in your mobile apps to enable users to sign in using supported identity providers (Login with HAQM, Facebook, or Google), and to trade an authentication token from these providers for temporary AWS security credentials. The advantage is that you can build mobile apps without writing any backend code to integrate with these identity providers. Moreover, as with HAQM Cognito, you don’t have to embed long-term AWS credentials in your app.
So how does the new HAQM Cognito service relate to web identity federation? The short answer is that HAQM Cognito is a superset of the functionality provided by web identity federation. It supports the same providers, and you configure your app and authenticate with those providers in the same way. But HAQM Cognito includes a variety of additional features. For example, it enables your users to start using the app as a guest user and later sign in using one of the supported identity providers. User data that’s saved when the user is running unauthenticated is preserved when the user signs in, allowing you to offer a seamless personalization experience. As noted, HAQM Cognito also enables you to synchronize app data for your users across their mobile devices.
Should I use HAQM Cognito or web identity federation?
We recommend using HAQM Cognito for all mobile apps that call AWS services. If you have an existing app that uses web identity federation, it will continue to work, but you might want to consider modifying it to use HAQM Cognito to take advantage of the additional benefits.
For more information, check out the AWS SDK for Android Developer Guide or the AWS SDK for iOS Developer Guide.
If you have questions, comments, or suggestions you can start a thread in the HAQM Cognito forum or the IAM forum.
– Shon