When planning a new SaaS application on AWS, one of the first decisions is how to handle authentication — or more accurately, which service to leverage. While Auth0 and Okta seem to be leading the pack for third-party authentication, AWS offers two options: Cognito and SSO.

This Stack Overflow reply is the most succinct summary of AWS authentication I’ve found:

…Amazon Cognito is our identity management solution for customers/developers building B2C or B2B apps for their customers—so a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap.

This statement is nearly 2 years old at the time of writing, but as far as I know, authentication in general and Cognito specifically still seem somewhat neglected at AWS. There are signs of activity — AWS SSO itself, AWS Amplify, issue chatter — yet "lack of attention" is how Cognito is commonly described by those in and around AWS.

Given the central nature of identity and authentication — quite literally the keys to the kingdom 1 — it seems curious that this does not receive more attention.

While data receives much love (S3, Dynamo, RDS, ML) and also compute (Fargate, EKS, Lambda) with both areas evolving and adding features at a pace, Auth and Identity feel NFI.

Why is this?

  1. While multi-cloud and/or cloud portability receives much derision as a strategy, the stickiest component is likely an application's identity store. It seems like a moat that the cloud providers would invest in more heavily.