13 changes: 13 additions & 0 deletions packages/aws-cdk-lib/aws-cognito/README.md
Expand Up @@ -623,6 +623,19 @@ declare const preTokenGenerationFn: lambda.Function;
userpool.addTrigger(cognito.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGenerationFn, cognito.LambdaVersion.V2_0);
```

The inbound federation Lambda trigger allows you to transform and customize federated user attributes during authentication.
This is useful for modifying large group attributes from external SAML or OIDC providers that exceed Cognito's 2,048 character limit.
For details, see [Inbound Federation Lambda Trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-inbound-federation.html).

```ts
declare const userpool: cognito.UserPool;
declare const inboundFederationFn: lambda.Function;

userpool.addTrigger(cognito.UserPoolOperation.INBOUND_FEDERATION, inboundFederationFn);
```

Note: The inbound federation trigger only supports V1_0 lambda version.

The following table lists the set of triggers available, and their corresponding method to add it to the user pool.
For more information on the function of these triggers and how to configure them, read [User Pool Workflows with
Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
32 changes: 30 additions & 2 deletions packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts
Expand Up @@ -184,6 +184,13 @@ export interface UserPoolTriggers {
*/
readonly customSmsSender?: lambda.IFunction;

/**
* Amazon Cognito invokes this trigger to transform federated user attributes during authentication.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-inbound-federation.html
* @default - no trigger configured
*/
readonly inboundFederation?: lambda.IFunction;

/**
* Index signature.
*
Expand Down Expand Up @@ -280,6 +287,12 @@ export class UserPoolOperation {
*/
public static readonly CUSTOM_SMS_SENDER = new UserPoolOperation('customSmsSender');

/**
* Amazon Cognito invokes this trigger to transform federated user attributes during authentication.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-inbound-federation.html
*/
public static readonly INBOUND_FEDERATION = new UserPoolOperation('inboundFederation');

/** A custom user pool operation */
public static of(name: string): UserPoolOperation {
const lowerCamelCase = name.charAt(0).toLowerCase() + name.slice(1);
Expand Down Expand Up @@ -1173,12 +1186,21 @@ export class UserPool extends UserPoolBase {
throw new ValidationError('you must specify a KMS key if you are using customSmsSender or customEmailSender.', this);
}
trigger = props.lambdaTriggers[t];
const version = 'V1_0';
if (trigger !== undefined) {
this.addLambdaPermission(trigger as lambda.IFunction, t);
(this.triggers as any)[t] = {
lambdaArn: trigger.functionArn,
lambdaVersion: version,
lambdaVersion: LambdaVersion.V1_0,
};
}
break;
case 'inboundFederation':
trigger = props.lambdaTriggers[t];
if (trigger !== undefined) {
this.addLambdaPermission(trigger as lambda.IFunction, t);
(this.triggers as any)[t] = {
lambdaArn: trigger.functionArn,
lambdaVersion: LambdaVersion.V1_0,
};
}
break;
Expand Down Expand Up @@ -1327,6 +1349,12 @@ export class UserPool extends UserPoolBase {
lambdaVersion: lambdaVersion ?? LambdaVersion.V1_0,
};
break;
case 'inboundFederation':
(this.triggers as any)[operation.operationName] = {
lambdaArn: fn.functionArn,
lambdaVersion: LambdaVersion.V1_0,
};
break;
default:
(this.triggers as any)[operation.operationName] = fn.functionArn;
}
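Review bot: The TSDoc added for `INBOUND_FEDERATION` and for the `inboundFederation` prop in `UserPoolTriggers` omits the version constraint that the README in this PR states (`Note: The inbound federation trigger only supports V1_0 lambda version.`), even though both new switch cases hard-code `LambdaVersion.V1_0` and the `lambdaVersion` argument of `addTrigger` is silently discarded for this operation. A line such as `* Only LambdaVersion.V1_0 is supported for this trigger; the lambdaVersion argument of addTrigger is ignored for it.` on both doc blocks would keep the API self-describing; the test in this PR expects V2_0 to be rejected, but that guard is not visible in these hunks, so I have not asserted where it lives. Separately, the body of the new `case 'inboundFederation'` in the constructor repeats the wiring of the `customSmsSender`/`customEmailSender` case directly above it minus the KMS-key guard, and the `addTrigger` case repeats the `PRE_TOKEN_GENERATION_CONFIG` branch with a fixed version; a small private helper taking the trigger name, function and version would keep the `(this.triggers as any)[...]` write in one place. The enclosing switch statements in both the constructor and `addTrigger` begin and end outside these hunks.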
65 changes: 65 additions & 0 deletions packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts
Expand Up @@ -660,6 +660,71 @@ describe('User Pool', () => {
}).toThrow(/Only the `PRE_TOKEN_GENERATION_CONFIG` operation supports V2_0 and V3_0 lambda version./);
});

test('add inboundFederation trigger via addTrigger', () => {
// GIVEN
const stack = new Stack();
const inboundFederationFn = fooFunction(stack, 'InboundFederation');

// WHEN
const pool = new UserPool(stack, 'Pool');
pool.addTrigger(UserPoolOperation.INBOUND_FEDERATION, inboundFederationFn);

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
LambdaConfig: {
InboundFederation: {
LambdaArn: stack.resolve(inboundFederationFn.functionArn),
LambdaVersion: 'V1_0',
},
},
});

Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
Action: 'lambda:InvokeFunction',
FunctionName: stack.resolve(inboundFederationFn.functionArn),
Principal: 'cognito-idp.amazonaws.com',
});
});

test('add inboundFederation trigger via lambdaTriggers prop', () => {
// GIVEN
const stack = new Stack();
const inboundFederationFn = fooFunction(stack, 'InboundFederation');

// WHEN
new UserPool(stack, 'Pool', {
lambdaTriggers: {
inboundFederation: inboundFederationFn,
},
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
LambdaConfig: {
InboundFederation: {
LambdaArn: stack.resolve(inboundFederationFn.functionArn),
LambdaVersion: 'V1_0',
},
},
});
});

test('inboundFederation trigger does not support V2_0 or V3_0', () => {
// GIVEN
const stack = new Stack();
const inboundFederationFn = fooFunction(stack, 'InboundFederation');

// WHEN
const pool = new UserPool(stack, 'Pool');
expect(() => {
pool.addTrigger(
UserPoolOperation.INBOUND_FEDERATION,
inboundFederationFn,
LambdaVersion.V2_0,
);
}).toThrow('Only the `PRE_TOKEN_GENERATION_CONFIG` operation supports V2_0 and V3_0 lambda version.');
});

test('can use same lambda as trigger for multiple user pools', () => {
// GIVEN
const stack = new Stack();
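Review bot: The `AWS::Lambda::Permission` assertion in 'add inboundFederation trigger via addTrigger' pins only `Action`, `FunctionName` and `Principal`, so it would still pass if the grant to `cognito-idp.amazonaws.com` were not restricted to this user pool. If `addLambdaPermission` scopes the resource policy with a `SourceArn` (it is not visible in this PR), the test should pin that too, e.g. `SourceArn: stack.resolve(pool.userPoolArn),`, so a later change cannot widen the invoke permission to any Cognito pool unnoticed. The 'lambdaTriggers prop' variant has no permission assertion at all and could reuse the same block. Minor style point: the V2_0 rejection test matches the error message with a plain string while the neighbouring test above uses a regex; picking one form for both keeps the file consistent.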