4 mins read

Set Up Identity Pool for Authentication

The Identity Pool Identity Provider is a link between the Identity Pool and a specific workspace, allowing the users from a particular pool to log in to applications in the workspace where the IDP is registered.

Identity Pool IDP in a Nutshell

The Identity Pool authentication & identity provider is a Cloudentity-native IDP, allowing the Cloudentity Identity Pool users within a Cloudentity tenant to authenticate and confirm their identity. Identity Pool IDPs are always a unique representation of exactly one Identity Pool in the workspace - you cannot connect multiple IDPs to the same Identity Pool.

Identity Pool APIs are used in Cloudentity in the following way:

  • Self-registration by the user

    sequenceDiagram autonumber participant userInactive as Inactive User participant Cloudentity participant userActive as Active User userInactive-->>Cloudentity: /createUser status: new userInactive-->>Cloudentity: /sendActivationMessage Cloudentity-->>userInactive: Activation message with OTP userInactive-->>Cloudentity: /activateSelfRegisteredUser with OTP Cloudentity-->>userInactive: Activate (set status: active) userInactive-->>userActive: Change status
  • Registration of user by administrator as performed by Cloudentity. Administrators can either register an inactive user who then must activate their account with an OTP, or set the password for the user directly.

    sequenceDiagram participant userInactive as Inactive User participant userActive as Active User participant admin as Administrator participant Cloudentity alt Registration of inactive user admin-->>Cloudentity: /createUser status: new admin-->>Cloudentity: /sendActivationMessage Cloudentity-->>userInactive: Activation message with OTP userInactive-->>Cloudentity: /activateSelfRegisteredUser Cloudentity-->>userInactive: Activate (status: active) userInactive-->>userActive: Change status else Registration of active user with password admin-->>Cloudentity: /createUser status: active Cloudentity-->>userActive: Active user with password set end

Users registered in Identity Pools have the possibility to change their password from the client application. If they do, the following flow is triggered:

sequenceDiagram autonumber User-->>Cloudentity: /changePassword Cloudentity-->>User: Request old and new password User-->>Cloudentity: Provide old and new password Cloudentity-->>User: Password changed, log out

The Identity API, however, can be used differently if necessary. For more details, please check Identity Administration API reference.


At least one Identity Pool must be created in your tenant.

Connect Identity Pool IDP

Basic Configuration

  1. In your workspace, go to Identity Providers > Create Connection.

  2. Under Cloudentity Providers, select Identity Pool > Next.

  3. From Available pools, select a user pool to be associated with this Identity Provider. Enter the Identity Provider Name to show the users who try to log in with this IDP and select Create.


    Your new IDP connection is created and the configuration page opens for advanced configuration. Users can now authenticate with this Identity Pool Provider.

  4. You can now configure the advanced settings for this IDP.

Configure Advanced Settings

Advanced settings contain optional features which may be necessary to use in specific cases.

  1. Go to Identity Providers > YOUR_IDP > Configuration page

  2. Optionally, enable Authentication context caching.


    You can enable the authentication context caching if you want Cloudentity to store the user’s authentication data. If you do, specify the cache Time To Live as well. Learn more by reading Stateful authorization with Cloudentity.

  3. Go to Advanced settings

    Property Description
    Authentication Method Reference Authentication method to be written into the amr object returned by the IDP. The amr object is created if it doesn’t exist. If it exists, its values are replaced with the items selected in this field.Hidden
    Reload Claims at Refresh Token Refresh access token claims when issuing access token based on a refresh token.
  4. Select Save.

Configure Attributes and Mapping

In case of the Identity Pool IDP, please stick to the predefined configuration for attributes and mapping in case you have used the pre-defined schema for a given pool. If you have applied a custom schema for a given identity pool, then make sure the new schema attributes are mapped correctly, to ensure the attributes are made available to the Cloudentity authentication context on successful authentication.

Connect Extensions to your IDP

  1. Go to Identity Providers > YOUR_IDP > Extensions.

  2. Assign a Post Authentication script to the IDP. This script will be executed upon user authentication via this IDP.

  3. Connect your application to the IDP in the Post Authentication application field. Users will be redirected to this application upon authentication via this IDP.

    Feature flag

    Post Authentication applications must be explicitly enabled in your tenant using the custom_apps feature flag.

Test Identity Pool IDP

  1. Open the user portal (to get the URL, go to Applications > Clients > User portal and copy the Redirect URL).

  2. Select your configured IDP (if you only have one IDP configured, this IDP is used by default and selection is not necessary). You have the following features at your disposal:

    • If you already have an active account, you can authenticate with your credentials, OTP or Passkey (depending on which method is configured for the underlying Identity Pool).

    • You can register a new account if public registration is allowed by the underlying Identity Pool. You will be asked to provide data in accordance with the Payload Schema assigned to the Identity Pool.

    • You can send OTPs or reset your password

If you want to add users as an administrator, check the Configuring Identity Pools documentation, as this is done from the Identity Pool level.

Updated: Feb 14, 2023