User Pools

What Are User Pools?

User pools were designed to manage user access and permissions with the granularity required for complex operational and security needs. The addition of User Pools to Frontegg's CIAM capabilities gives you unparalleled control over user management, security, and access control. User Pools allow you to streamline your operation and customize your user's identity strategy to fit your unique organizational structure, especially when you need to sync and aggregate users from multiple sources and facilitate easy user migration, where needed. This topic will walk you through the configuration process of user pools from external sources or from an IdP (Identity Provider) of your choice.

๐Ÿ“˜

CSV migration

When creating a new user pool, you have three options: you can either create your user pool via an IdP (Identity Provider), via an External source, or by way of CSV migration. This topic will focus on the first two options.

Why Create User Pools?

User pools give you the flexibility to control your users' journey in multiple aspects:

  • Seamless Integration with Existing Identities: Creating user pools allows you to use all of Frontegg's features like Entitlements and Security Rules without needing to migrate your external user bases to Frontegg.
  • Segmentation and granular management With user pools, you can better manage your users' lifecycle, permissions, and accessibility.
  • Minimal disruption to users: User pools allow you to enhance your offering and application capabilities with minimal disruption to your users' experience. Your users continue interacting with their existing authentication systems while the migration occurs behind the scenes without disrupting their ongoing operation.

Creating and Configuring User Pools

User pool configuration is comprised of the following steps:

  1. Create a new user pool: The administrator accesses the User Pools section within the Frontegg portal and selects "Create User Pool."
  2. Configure User Pool Type: Choose the user pool source type (either IdP Federation or external).
  3. Configure Settings: Choose the desired behavior for your user poolโ€” options included are Sync User Attributes and Just in Time Migration (note that the latter is applicable only for external user pools).

Step 1: Create a new user pool

To create a new pool, go to your User Pools dashboard via the Portal > [Environment] > User Pools and press the Create button.

User Pools' Dashboard

User Pools' Dashboard


Step 2: Choose User Pool Type

Select the user pool type you wish to create.

External sources refer to user pools originating in external resources or databases, which can either be imported and become Frontegg users or maintain authentication via the external resource while syncing with Frontegg upon each login.

In the case of IdP federation user pools, users are always authenticated via their IdP's identification page and thus cannot become Frontegg users (Just in Time migration is not applicable for this user pool).

๐Ÿšง

Note about TenantId in IdP user pools

Federation expects to see a tenantId field with the same name of the tenantIdFieldName you set in your user pool settings in Frontegg. This topic covers Auth0's use case. For other IdPs, please contact [email protected].


Selecting a User Pool Type

Selecting a User Pool Type


๐Ÿšง

User pool sync

If the user pool sync is turned on, the user details and metadata in the user pool isnโ€™t editable. In case the user poolโ€™s sync is turned off - the user data can be edited.

Step 3: Configure Settings

Next, you will need to configure your user pool settings. Settings differ slightly between the External/IdP pools, as shown below.

External User Pools

User pool settings are customized via the User pool settings tab. For External user pools, you can choose from one of the common sources (see screenshot below) or write your own custom code to create user pools from additional external sources. Note that for Auth0 and Cognito pools, you will need to implement several actions in your account on their end to ensure the user pool creation on Frontegg's side is done properly. You can choose the Sync user attributes option, meaning that user attributes will be synced upon every time a user performs login โ€” Or alternatively opt for Just in time migration option, upon which users are migrated to Frontegg ad-hoc, and thus become permanent Frontegg users. Note that the latter option is irreversible (i.e., migrated users will be authenticated from the Frontegg user pool from that point onwards).

External User Pool Settings

External User Pool Settings

IdP Federation Pool

๐Ÿ“˜

IdP Federation Setting Specifics

When creating user pools from an IdP Federation source, make sure you include the following settings:

  • The URL of your federation source must be specified.
  • Enter your Pool settings, such as ClientID and Secretโ€” that are associated with the customerโ€™s IdP account.
  • Important : Just in Time migration is not possible for IdP user pools.
IdP Federation Setting

IdP Federation Setting

๐Ÿšง

User Pool Limitations

When users are stored externally - but are included in a user pool - the following authentication features will not be available for them:

  • One Time Code (OTC)
  • Single sign in (SSO)
  • Social Login authentication
  • Login with SMS

We advise to keep these limitations in mind when enabling users these options in your admin portal.


Specific Use Cases

External User Pool (Auth0)

When creating an OAuth user pool, you must perform several actions on your OAuth account to ensure proper configuration and sync of this pool with Frontegg:

  1. Go to your OAuth account and to your Applications view.

  1. Go to your app โ†’ Credentials tab โ†’ and choose the Client Secret (Post) Method.
  1. Go to your Advanced Settings โ†’ Grant Types tab, and check the box next to the Password option.
  • Go to Applications โ†’ APIs โ†’ Auth0 Management API โ†’ Machine to Machine Applications tab:

    1. Authorize your app via the toggle.
    • Open the dropdown menu and select the permissions you want to give the app. Check the read:users and read:roles permissions' boxes. Click the Update button to finalize the configuration.

  • Users Page โ†’ [USER] โ†’ app_metadata โ†’ <tenant_id_field_name>: <frontegg_tenant_id>

  • To map user roles, add the role on Auth0 - set the name of the role as the same keyof the corresponding Frontegg role.


External User Pool (Custom Code)

You can choose to fetch user pools from external resources via custom code, which is available under the Other Source option.



External User Pool (Cognito)


You can create user pools originating in your Amazon Cognito account. To allow proper synching of your Cognito users into Frontegg's user pool, you will need to adhere to the following guidelines:

  • Each user on Amazon Cognito's side should have a custom attribute where the Name of the attribute should be identical to the value of the custom:<tenantIdFieldName> that was used in the poolโ€™s configuration.



  • Next, in the Edit User section (Amazon Cognito > User Pools) , under the Optional attributes section, then enter the ID of the relevant Frontegg tenant as the Value of the custom:tenantId :


  • Go to the Edit app client information to enable the ALLOW_USER_PASSWORD_AUTH authentication flow, like so:

  • If your Cognito app is using a client secret, you should include it when configuring the pool (the Frontegg clientSecret field).
{
  "region": "<AWS_REGION>",
  "clientId": "...", // the client id of the cognito application
  "userPoolId": "...", // the id of the cognito pool
  "clientSecret": "...", //optional
  "tenantIdFieldName": "...",
  "accessKeyId": "...",
  "secretAccessKey": "..."
 }
  • Each user should have a custom attribute as such:

๐Ÿ“˜

Cognito IAM user

We recommend creating an IAM user with read only permission in Cognito. Subsequently, you should create an access key for this account and provide it when configuring the use pool on Frontegg (i.e., include the accessKeyId, secretAccessKey attributes).

IdP User Pool (Auth0)

To create an IdP user pool with Auth0, please complete the following steps:

  1. To properly create a user pool from Auth0, we expect the tenantId to be part of the idToken. To do that, you will need to innclude your tenantId from the user's Metadata within your app's app_metadata, like so:
  1. Next, go to your Auth0 account, Go to the Actions->Flows tab, and choose the Login option.

Once the required configuration on Auth0 is completed, proceed to create a new user pool in Frontegg by following the requirements listed in the External User Pools section.