bcgov / ocp-sso

BCGov Single Sign-On KeyCloak
http://oidc.gov.bc.ca/
Apache License 2.0

SPIKE: Investigate ways to provide a group-management feature in Cognito #385

Closed ConradBoydElliottGustafson closed 3 years ago

ConradBoydElliottGustafson commented 3 years ago

As a customer, I want authorization capabilities so that I can manage user group membership and trigger business logic based on "roles" for my client.

AC: PARENT-CHILD FOR IdP REUSE

  1. Find out what's possible in Cognito and what the limitations are.
  2. A solution should not require us to set up the IdPs over and over again (unless we can re-use the same SAML connection).
  3. There is isolation between app clients so they can't read group membership information belonging to another app client.
  4. Cost? If a user logs into a "child" user pool through a "parent" user pool, do we get charged twice? Or is it one MAU (monthly active user)?

ACCESS MANAGEMENT

  5. How could we allow app client administrators to assign users to groups? Maybe giving them access directly to Cognito is not secure?

Ideas: Can we chain user pools like we do on KeyCloak in order to re-use IdPs in multiple contexts? What about multiple user pools: one per app? One per Ministry or sector? Are multi-tenancy features something we can leverage?
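
The per-app-client isolation asked for in AC item 3 can be approximated inside a single Cognito user pool with a Pre Token Generation Lambda trigger that only emits the groups belonging to the calling app client. The following is an added example, not code from the bcgov/ocp-sso project, and it assumes a hypothetical naming convention in which every group is prefixed with the app client ID it belongs to (for example `app-a-client:admin`). The event shape follows the Cognito Pre Token Generation trigger; the sample event is constructed for the example.

```python
"""Pre Token Generation trigger that scopes group claims to the calling app client.

Added example (not project code). Assumption: Cognito groups are named
"<appClientId>:<role>", so a group belongs to exactly one app client.
"""
import copy


def scoped_groups(client_id, all_groups):
    """Return the bare role names of the groups that belong to `client_id`.

    Groups carrying another app client's prefix are dropped, so they never
    reach the token issued to this client.
    """
    prefix = f"{client_id}:"
    return sorted(g[len(prefix):] for g in all_groups if g.startswith(prefix))


def lambda_handler(event, context=None):
    """Cognito Pre Token Generation handler.

    Reads the app client from callerContext, filters the user's group list,
    and overrides the cognito:groups claim (plus a flat "roles" claim) so the
    ID token only reveals membership relevant to the requesting client.
    Returns a new event object rather than mutating the input.
    """
    result = copy.deepcopy(event)
    client_id = result["callerContext"]["clientId"]
    group_cfg = result["request"].get("groupConfiguration", {})
    roles = scoped_groups(client_id, group_cfg.get("groupsToOverride", []))

    result["response"] = {
        "claimsOverrideDetails": {
            # Custom claim values must be strings.
            "claimsToAddOrOverride": {"roles": ",".join(roles)},
            "groupOverrideDetails": {
                # Replaces the cognito:groups claim with this client's groups only.
                "groupsToOverride": [f"{client_id}:{r}" for r in roles],
                "iamRolesToOverride": [],
                "preferredRole": None,
            },
        }
    }
    return result


# Constructed sample event: a user who is a member of groups belonging to two
# different (hypothetical) app clients, authenticating through "app-a-client".
SAMPLE_EVENT = {
    "triggerSource": "TokenGeneration_Authentication",
    "callerContext": {"awsSdkVersion": "aws-sdk-js-2.6.4", "clientId": "app-a-client"},
    "userName": "jane.doe",
    "request": {
        "userAttributes": {"email": "jane.doe@example.com"},
        "groupConfiguration": {
            "groupsToOverride": [
                "app-a-client:admin",
                "app-b-client:admin",
                "app-a-client:reader",
            ],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}


if __name__ == "__main__":
    out = lambda_handler(SAMPLE_EVENT)
    print(out["response"]["claimsOverrideDetails"])
```

Two caveats a practitioner would weigh against this approach: it is application-layer filtering of what appears in the token, not an IAM boundary, so anyone holding `cognito-idp` permissions on the pool (the "app client administrators" of AC item 5) can still list every group and every member; and the basic Pre Token Generation trigger customizes the ID token, so access-token claims need the newer V2 trigger variant if clients authorize on the access token.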

junminahn commented 3 years ago