Integrating Amazon Cognito Authentication with SFTP Gateway v3.4.0

Integrating Amazon Cognito authentication with SFTP Gateway

With SFTP Gateway version 3.004.00, you can now integrate Amazon Cognito authentication with SFTP Gateway’s web admin portal. In other words, web admins can leverage their existing Amazon Cognito credentials instead of managing another account just for SFTP Gateway access.

What is Amazon Cognito?

Amazon Cognito is a managed service from Amazon Web Services (AWS) that provides user authentication, authorization, and user management capabilities for mobile and web applications. It allows developers to easily add user sign-up, sign-in, and access control to their applications without having to build and maintain their own authentication infrastructure. With Amazon Cognito, developers can quickly and securely authenticate users using popular identity providers, such as Facebook, Google, and Amazon, or their own user pools.

The process for integrating Amazon Cognito authentication with SFTP Gateway

Configuring Amazon Cognito authentication is a process. At a high level, you will be performing three steps:
  • Create and configure a User Pool in Cognito
  • Create users in Amazon Cognito
  • Point SFTP Gateway to the User Pool
Note: Amazon Cognito cannot be used for SFTP authentication.


Create a User Pool in Cognito

Open the AWS Management Console and search for Cognito.



Note: If you already have a User pool configured with users, you can skip to the Get the User Pool IDs section.


In Cognito, click Create user pool. You will see the following screen:



Configure the User Pool Steps 1 – 4 as needed for your environment requirements and preferences.

Step 5, Integrate your app, is where you will make the majority of the important configurations.

Configure a name for your user pool and under the Hosted authentication pages section, check the box for Use the Cognito Hosted UI. Configure the domain to your liking, I will be using



Under the Initial app client section, configure a name for your app client and choose to Generate a client secret.



For the callback URL enter in this value:
https://<sftp-gateway-hostname>/backend/login/oauth2/code/<custom name>
The custom name can be any value you’d like, but make sure to remember it, as you’ll need it later on.


Next, you will need to configure the sign-out URL. Click the drop down for Advanced app client settings and navigate to the bottom where you will see the Allowed sign-out URLs section.



Set the sign-out URL to this value:
Once everything has been configured, click Next. Review your configurations and once you’re finished, click Create user pool at the bottom.


Add users in Cognito


Enter into your newly created Cognito user pool and under the Users tab, click Create user.
Configure a User name and password for your user.



Once your user has been created, you will now need to get the User pool IDs.

Get the User Pool IDs


In Cognito, go to the User pool overview, then copy and store the User pool ID.


Next, under the App integration tab for the user pool, scroll down until you see your App client.

Enter into your App client, then copy and store the Client ID and Client secret.

Also, if you scroll down you will see the Hosted UI section with the callback URL you configured earlier. Copy and store the custom name you used at the end of the URL.

Configure the Identity Provider on SFTP Gateway


In the SFTP Gateway web admin portal, go to Settings. Under Identity Providers, click Add new IdP.


For the new Identity Provider, fill in the following fields:
  • Identity Provider Display Name: This is the name for the Identity Provider that will be displayed at the login screen for Web Admin Users.
  • Issuer URI: Paste in this text, https://cognito-idp.{REGION}{USER_POOL_ID}. Replace the first placeholder value with your AWS region and the second placeholder value at the end with the User pool ID you copied earlier from the overview page of your user pool.
  • Client ID: Paste in the client ID you copied earlier from your app client page.
  • Client Secret: Paste in the client secret value you copied earlier from your app client page.
  • Name Attribute: Set this value to cognito:username, this will use the username of your Cognito users as the name for their respective Web Admin User.
  • Registration ID: Use the custom name you made for the callback URL when creating the App client.


Test the changes in the web browser


If you are logged into the web admin UI, click the logout button on the top right and then refresh the browser.


On the login page, you should see the following link toward the bottom with the Display name you configured.


You will then be redirected to your Cognito domain to enter your Cognito credentials.

Once logged in, you will be authenticated to the SFTP Gateway web admin portal. You’ve now completed the process for integrating Amazon Cognito authentication with SFTP Gateway’s web admin portal. 

For more help with Amazon Cognito and SFTP Gateway, check out the Knowledge Base or our YouTube channel and the video below.

Get insights on SFTP Gateway, cloud computing and more, in your inbox.

Get smarter about all things tech. Sign up now!

Scroll to Top