How does AWS Cognito work?

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.

Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

So how does it actually work? The diagram below provides a basic illustration for our understanding.

Step 1: The user logs in with their own credentials (from an identity provider such as Apple, Facebook, Google, or Amazon, or an enterprise identity provider via SAML 2.0 or OpenID Connect).

Step 2: AWS Cognito authenticates with the respective identity provider and, if the credentials are valid, returns AWS credentials tied to the relevant IAM role.

Step 3: With these AWS credentials and the IAM role, the user can access the relevant resources.
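What ties the credentials in Step 2 to "the relevant IAM role" is the role's trust policy: Cognito identity pools call `sts:AssumeRoleWithWebIdentity` on the user's behalf, and the role's `Condition` block decides whether that is allowed for this identity pool (`cognito-identity.amazonaws.com:aud`) and for this kind of login (`cognito-identity.amazonaws.com:amr`). The block below is an added example, not code from the original post or from AWS: the trust policy is a constructed sample with a placeholder identity pool ID, and `can_assume` is a deliberately simplified model of the IAM condition check (only `StringEquals`, `StringLike` and their `ForAnyValue:`/`ForAllValues:` forms), not the IAM policy engine itself.

```python
"""Model of how an IAM role trust policy scopes Cognito-issued credentials.

Added example (not from the original post). TRUST_POLICY is a constructed
sample and IDENTITY_POOL_ID is a placeholder; can_assume() is a simplified
model of IAM's condition evaluation, not the real policy engine.
"""
import fnmatch

# Placeholder pool id (constructed, not a real identity pool).
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Constructed sample: trust policy for the "authenticated" role of the pool.
# It allows the Cognito identity service to assume the role only for logins
# that came through THIS pool and that actually authenticated with an IdP.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated",
            },
        },
    }],
}

# Constructed request contexts, i.e. the condition keys STS would see.
# A Google-federated user of this pool: amr carries the IdP plus "authenticated".
AUTHENTICATED_REQUEST = {
    "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
    "cognito-identity.amazonaws.com:amr": ["authenticated", "accounts.google.com"],
}
# Same kind of user, but a token minted for a different (constructed) pool.
WRONG_POOL_REQUEST = {
    "cognito-identity.amazonaws.com:aud": "us-east-1:11111111-1111-1111-1111-111111111111",
    "cognito-identity.amazonaws.com:amr": ["authenticated", "accounts.google.com"],
}
# A guest identity from the right pool that never signed in with an IdP.
GUEST_REQUEST = {
    "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
    "cognito-identity.amazonaws.com:amr": ["unauthenticated"],
}


def _single(op, expected, actual):
    """Evaluate one base operator against one expected and one actual value."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":  # IAM wildcards * and ? map onto fnmatch
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator in this model: {op}")


def _condition_holds(op, key, expected, request):
    """Evaluate one (operator, key) pair of a Condition block against request."""
    actual = request.get(key)
    if actual is None:
        return False  # a missing key never satisfies a positive condition
    expected_vals = expected if isinstance(expected, list) else [expected]
    if op.startswith(("ForAnyValue:", "ForAllValues:")):
        quantifier, base = op.split(":", 1)
        actual_vals = actual if isinstance(actual, list) else [actual]
        hits = [any(_single(base, e, a) for e in expected_vals) for a in actual_vals]
        return any(hits) if quantifier == "ForAnyValue" else all(hits)
    if isinstance(actual, list):
        return False  # single-valued operator cannot match a multi-valued key
    return any(_single(op, e, actual) for e in expected_vals)


def can_assume(policy, request):
    """True if some Allow statement lets Cognito assume the role for request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, exp, request)
               for op, pairs in conditions.items()
               for key, exp in pairs.items()):
            return True
    return False


if __name__ == "__main__":
    for name, req in [("authenticated user", AUTHENTICATED_REQUEST),
                      ("token from another pool", WRONG_POOL_REQUEST),
                      ("unauthenticated guest", GUEST_REQUEST)]:
        print(f"{name:26s} -> role assumable: {can_assume(TRUST_POLICY, req)}")
```

The three constructed requests show the two things a defender wants pinned down in Step 2: the `aud` condition stops a token issued through some other identity pool from reaching this role, and the `amr` condition keeps guest (unauthenticated) identities out of the role meant for signed-in users. If either condition is missing from a real trust policy, the role is reachable by a wider set of identities than the diagram suggests.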

Voila!