Amazon Cognito · Schema
AdminLinkProviderForUserRequest
AdminLinkProviderForUserRequest schema from Amazon Cognito
Authentication, Authorization, Identity, Identity Provider, OAuth2, OIDC
Properties
| Name | Type | Description |
|---|---|---|
| UserPoolId | object | |
| DestinationUser | object | |
| SourceUser | object | |
JSON Schema
{
  "type": "object",
  "properties": {
    "UserPoolId": {
      "allOf": [
        {
          "$ref": "#/components/schemas/StringType"
        },
        {
          "description": "The user pool ID for the user pool."
        }
      ]
    },
    "DestinationUser": {
      "allOf": [
        {
          "$ref": "#/components/schemas/ProviderUserIdentifierType"
        },
        {
          "description": "<p>The existing user in the user pool that you want to assign to the external IdP user account. This user can be a native (Username + Password) Amazon Cognito user pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP attribute) signs in.</p> <p>For a native username + password user, the <code>ProviderAttributeValue</code> for the <code>DestinationUser</code> should be the username in the user pool. For a federated user, it should be the provider-specific <code>user_id</code>.</p> <p>The <code>ProviderAttributeName</code> of the <code>DestinationUser</code> is ignored.</p> <p>The <code>ProviderName</code> should be set to <code>Cognito</code> for users in Cognito user pools.</p> <important> <p>All attributes in the DestinationUser profile must be mutable. If you have assigned the user any immutable custom attributes, the operation won't succeed.</p> </important>"
        }
      ]
    },
    "SourceUser": {
      "allOf": [
        {
          "$ref": "#/components/schemas/ProviderUserIdentifierType"
        },
        {
          "description": "<p>An external IdP account for a user who doesn't exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.</p> <p>If the <code>SourceUser</code> is using a federated social IdP, such as Facebook, Google, or Login with Amazon, you must set the <code>ProviderAttributeName</code> to <code>Cognito_Subject</code>. For social IdPs, the <code>ProviderName</code> will be <code>Facebook</code>, <code>Google</code>, or <code>LoginWithAmazon</code>, and Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for <code>id</code>, <code>sub</code>, and <code>user_id</code>, respectively. The <code>ProviderAttributeValue</code> for the user must be the same value as the <code>id</code>, <code>sub</code>, or <code>user_id</code> value found in the social IdP token.</p> <p/> <p>For SAML, the <code>ProviderAttributeName</code> can be any value that matches a claim in the SAML assertion. If you want to link SAML users based on the subject of the SAML assertion, you should map the subject to a claim through the SAML IdP and submit that claim name as the <code>ProviderAttributeName</code>. If you set <code>ProviderAttributeName</code> to <code>Cognito_Subject</code>, Amazon Cognito will automatically parse the default unique identifier found in the subject from the SAML token.</p>"
        }
      ]
    }
  },
  "required": [
    "UserPoolId",
    "DestinationUser",
    "SourceUser"
  ],
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/aws-cognito/refs/heads/main/json-schema/cognito-idp-admin-link-provider-for-user-request-schema.json",
  "title": "AdminLinkProviderForUserRequest",
  "description": "AdminLinkProviderForUserRequest schema from Amazon Cognito"
}