by drfritznunkie 2027 days ago
Cognito is one of the most frustrating AWS services I have to work with; it is almost, but not quite, entirely unlike an SP.

We're using it to federate customer IDPs through user pools, but this ends up with customer configs being region specific.

Has anyone figured out how to set up Cognito in multiple regions without the hijinks of having the customer set up trusts for each region? Not to mention, while multiple trusts are I think possible with ADFS (not that I've tested it), I'm pretty sure that Okta doesn't support multiple trusts, so regardless of how many regions, we'd still be SOL there...


Eh? Brokering amongst multiple trusts (and managing protocol transition) is almost the raison d'etre for lifting token issuance out of your app and into ADFS, Okta, Auth0, etc.

Of course you'll have to deal with home realm discovery; you really need to go in with open eyes on that one.

Yes, but Cognito endpoints and pool IDs are regional and globally unique, and there is no way that I know of to set up duplicate user pools in multiple regions and have requests served by either region. That means the customer IDP side would need to have two different SAML apps configured, one for each region...

That design raises the question as to what happens to passwords. Do they get replicated in the global table in plaintext? Or are you still forced to do a global user password reset if you want to fail over to another user pool?

Quite superficial, don't you think?

Ah, I see what you mean. It does seem like you'd want a more complex arrangement of trusts to keep things simple on the leaves; or else avoid using a product that requires generating a hundred scattered security authorities.