# AWS Cognito Integration

Connect AWS Cognito as an identity provider to allow users to sign in to AccessIQ with their Cognito user pool credentials.

## Prerequisites

* An AWS account with permission to manage Cognito
* AccessIQ tenant with admin access

## Step 1: Create or Select a User Pool

1. Sign in to the [AWS Console](https://console.aws.amazon.com) and go to **Amazon Cognito**.
2. Create a new user pool or select an existing one.
3. Note the **User Pool ID** and **Region** (e.g., `us-east-1`).

## Step 2: Create an App Client

1. In your user pool, go to **App integration > App clients**.
2. Click **Create app client**.
3. Configure the following:

| Field                  | Value                                                          |
| ---------------------- | -------------------------------------------------------------- |
| App client name        | `AccessIQ`                                                     |
| Client type            | Confidential client                                            |
| Generate client secret | Yes                                                            |
| Allowed callback URLs  | `https://<your-tenant>.accessiq.app/api/auth/callback/cognito` |
| Allowed sign-out URLs  | `https://<your-tenant>.accessiq.app`                           |
| OAuth 2.0 grant types  | Authorization code grant                                       |
| OpenID Connect scopes  | `openid`, `email`, `profile`                                   |

4. Click **Create**.

## Step 3: Set Up a Domain

If you have not already, configure a Cognito domain:

1. Go to **App integration > Domain name**.
2. Choose a Cognito domain prefix (e.g., `yourcompany`) or add a custom domain. This domain serves the hosted sign-in page and the OAuth 2.0 endpoints (for a prefix domain: `https://yourcompany.auth.<region>.amazoncognito.com`).
3. The domain is not the Issuer URL. The Issuer URL is derived from the user pool itself, not from the domain: `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>`. Its OIDC discovery document is served at `<issuer-url>/.well-known/openid-configuration` and lists the token endpoint and the JWKS used to verify Cognito-issued tokens.

## Step 4: Collect Your Credentials

| Credential        | Where to find it                                            |
| ----------------- | ----------------------------------------------------------- |
| **Client ID**     | App clients > App client ID                                 |
| **Client Secret** | App clients > App client secret (click Show)                |
| **Issuer URL**    | `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>` |

## Step 5: Add Cognito as a Provider in AccessIQ

1. In AccessIQ, go to **Identity > Providers**.
2. Click **Add Provider** and select **AWS Cognito**.
3. Enter the **Client ID**, **Client Secret**, and **Issuer URL**.
4. Click **Save**.

## Step 6: Test the Connection

1. Open your AccessIQ login page in a private browser window.
2. Click **Sign in with AWS Cognito**.
3. Authenticate and confirm you reach the AccessIQ dashboard.
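Before clicking through the login, it is worth checking the app client from Step 2 programmatically, because the most common failures (redirect mismatch, missing scopes, wrong grant type) are all visible in the output of `aws cognito-idp describe-user-pool-client --user-pool-id <pool> --client-id <id>`. The following Python is an added example, not AccessIQ or AWS code: the JSON field names (`ClientSecret`, `AllowedOAuthFlows`, `AllowedOAuthScopes`, `CallbackURLs`, `LogoutURLs`, `AllowedOAuthFlowsUserPoolClient`) are the ones that API returns, but the tenant name, pool ID, client ID and the embedded sample output are constructed placeholders, and the function names are this example's own. It also goes one step beyond the table by flagging the implicit grant, which a confidential client should never have enabled.

```python
"""Preflight check of a Cognito app client against the Step 2 table.

Added example; not AccessIQ's or AWS's code. Feed it the parsed JSON from
`aws cognito-idp describe-user-pool-client`. All identifiers below are
placeholders.
"""
import json

REGION = "us-east-1"                 # assumption: your pool's region
USER_POOL_ID = "us-east-1_EXAMPLE1"  # placeholder, not a real pool ID
TENANT = "acme"                      # placeholder AccessIQ tenant name
EXPECTED_CALLBACK = f"https://{TENANT}.accessiq.app/api/auth/callback/cognito"
EXPECTED_SIGNOUT = f"https://{TENANT}.accessiq.app"
REQUIRED_SCOPES = {"openid", "email", "profile"}


def issuer_url(region, user_pool_id):
    """Issuer URL AccessIQ asks for in Step 4; derived from the pool, not the domain."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def discovery_url(region, user_pool_id):
    """OIDC discovery document for the pool (token endpoint, jwks_uri, ...)."""
    return issuer_url(region, user_pool_id) + "/.well-known/openid-configuration"


def _near_miss(expected, registered):
    """Registered URLs a human reads as 'the same' but Cognito rejects (slash, case)."""
    norm = lambda u: u.rstrip("/").lower()
    return [u for u in registered if u != expected and norm(u) == norm(expected)]


def check_app_client(describe_output):
    """Return a list of problems; an empty list means the client matches Step 2."""
    client = describe_output["UserPoolClient"]
    problems = []
    if not client.get("ClientSecret"):
        problems.append("no client secret: AccessIQ needs a confidential client")
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        problems.append("OAuth 2.0 flows are not enabled on this app client")
    flows = set(client.get("AllowedOAuthFlows", []))
    if "code" not in flows:
        problems.append("authorization code grant is not enabled")
    if "implicit" in flows:
        problems.append("implicit grant is enabled; disable it (tokens would ride in the URL fragment)")
    missing = REQUIRED_SCOPES - set(client.get("AllowedOAuthScopes", []))
    if missing:
        problems.append("missing OIDC scopes: " + ", ".join(sorted(missing)))
    # Cognito compares redirect URIs byte for byte; report exact and near-miss failures.
    for label, expected, key in (("callback", EXPECTED_CALLBACK, "CallbackURLs"),
                                 ("sign-out", EXPECTED_SIGNOUT, "LogoutURLs")):
        registered = client.get(key, [])
        if expected not in registered:
            msg = f"{label} URL {expected} is not registered"
            near = _near_miss(expected, registered)
            if near:
                msg += f" (near miss, check trailing slash or case: {near[0]})"
            problems.append(msg)
    return problems


# Constructed sample in the shape of `describe-user-pool-client` output, with three
# deliberate mistakes: implicit grant on, `profile` scope missing, trailing slash on the callback.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "UserPoolClient": {
    "UserPoolId": "us-east-1_EXAMPLE1",
    "ClientName": "AccessIQ",
    "ClientId": "1example23456789abcdef",
    "ClientSecret": "redacted-placeholder",
    "AllowedOAuthFlowsUserPoolClient": true,
    "AllowedOAuthFlows": ["code", "implicit"],
    "AllowedOAuthScopes": ["openid", "email"],
    "CallbackURLs": ["https://acme.accessiq.app/api/auth/callback/cognito/"],
    "LogoutURLs": ["https://acme.accessiq.app"]
  }
}
""")

# The same client after the three fixes; the check should return no problems.
SAMPLE_FIXED = json.loads(json.dumps(SAMPLE_DESCRIBE_OUTPUT))
SAMPLE_FIXED["UserPoolClient"].update({
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email", "profile"],
    "CallbackURLs": ["https://acme.accessiq.app/api/auth/callback/cognito"],
})

if __name__ == "__main__":
    print("issuer:   ", issuer_url(REGION, USER_POOL_ID))
    print("discovery:", discovery_url(REGION, USER_POOL_ID))
    for p in check_app_client(SAMPLE_DESCRIBE_OUTPUT) or ["no problems found"]:
        print("-", p)
```

To run it against a real pool, replace the placeholders and pass `json.load(open("client.json"))` from `aws cognito-idp describe-user-pool-client ... > client.json` to `check_app_client`. The near-miss hint matters because Cognito performs an exact string comparison on redirect URIs: `.../cognito/` and `.../cognito` are different registrations.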

## Troubleshooting

| Issue                   | Solution                                                        |
| ----------------------- | --------------------------------------------------------------- |
| Redirect mismatch error | Cognito compares redirect URIs exactly; check scheme, host, path and trailing slash against `https://<your-tenant>.accessiq.app/api/auth/callback/cognito` |
| Invalid client error    | Verify the Client ID and Secret are from the correct app client |
| No hosted UI            | Make sure you have configured a Cognito domain in Step 3        |
