Amazon Cognito

The Cognito connector integrates the Maverics Orchestrator with Amazon Cognito — enabling OIDC-based single sign-on for applications that authenticate against Cognito user pools.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Cognito connector uses OpenID Connect to federate authentication with Amazon Cognito. It uses type: cognito in the connector configuration (OIDC-based internally) and supports standard OIDC flows — allowing you to bridge Cognito user pools with applications that don’t natively support modern identity protocols.

Use Cases

SSO with Cognito user pools — Extend Cognito authentication to legacy applications that don’t support OIDC natively
Migration from Cognito — Gradually migrate users from Cognito to another identity provider without downtime
Hybrid AWS/other cloud identity — Orchestrate authentication across Cognito and enterprise identity providers like Azure AD or Okta

Configuration

Console UI
Configuration

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Cognito configuration screen in Maverics Console

connectors:
  - name: cognito
    type: cognito
    oidcWellKnownURL: "https://cognito-idp.{{ env.AWS_REGION }}.amazonaws.com/{{ env.COGNITO_USER_POOL_ID }}/.well-known/openid-configuration"
    oauthClientID: "{{ env.COGNITO_CLIENT_ID }}"
    oauthClientSecret: <vault.cognito_client_secret>
    oauthRedirectURL: "https://app.example.com/oidc/callback"
    scopes: "openid profile email"

The Cognito well-known URL follows the pattern: cognito-idp.{region}.amazonaws.com/{user-pool-id}/. Replace the region and user pool ID with your Cognito configuration values from the AWS Console.

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced in app policies
`type`	string	Yes	Must be `cognito`
`oidcWellKnownURL`	string	Yes	OIDC discovery endpoint URL (Cognito user pool-specific)
`oauthClientID`	string	Yes	OAuth 2.0 app client ID from the Cognito user pool
`oauthClientSecret`	string	Yes	OAuth 2.0 app client secret (use secret reference syntax)
`oauthRedirectURL`	string	Yes	Callback URL registered with the Cognito app client
`scopes`	string	No	Space-separated OAuth scopes (default: `openid profile email`)
`oauthExtraParams`	map	No	Additional query parameters for the authorization request
`tls`	string	No	Named TLS profile for provider communication

For the complete field reference including health checks, offline access, and PKCE settings, see Identity Fabric.

Troubleshooting

Verify the oidcWellKnownURL is accessible from the Orchestrator host — ensure the AWS region and user pool ID are correct
Ensure the oauthRedirectURL matches exactly what is registered in the Cognito app client under Allowed callback URLs
Check that the client secret reference resolves correctly via your secret provider — ensure the Cognito app client is configured to generate a client secret

Identity Fabric

Overview of all identity providers

Custom OIDC

Generic OpenID Connect connector

Identity Fabric

Full field-level reference for all connector types

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Identity Fabric

Custom OIDC

Identity Fabric

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Identity Fabric

Custom OIDC

Identity Fabric

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages