## Configure user pools with different providers

Creating user pools in Frontegg—either from external sources or via Identity Providers (IdPs)—provides flexibility and control over user management. External pools integrate user data from external databases or custom code, ensuring smooth migration. IdP pools leverage existing credentials for authentication through trusted providers, enhancing security without requiring user migration.

This topic outlines use cases for setting up user pools via external sources or IdPs like Auth0, Amazon Cognito, and Google Firebase.

### External user pools

#### Auth0

When creating an Auth0 user pool, you must perform several actions on your Auth0 account to ensure proper configuration and sync of this pool with Frontegg:

1. Go to your Auth0 account and open the **Applications** view.

   ![providers-1](/assets/providers-1.3863047d6bd63015edd433c258a12f85f38afd26f98d4ef23c1c16a4ff2df733.0b588a8d.png)

1. Go to your app → **Credentials** tab and choose the **Client Secret (Post)** method.

   ![providers-2](/assets/providers-2.bd9276d167bb6695de7fc02a68f14c6deaf2f13015081ae06529aa049919fc14.0b588a8d.png)

1. Go to your **Advanced Settings** → **Grant Types** tab, and check the box next to the **Password** option.

   ![providers-3](/assets/providers-3.33de6bae4d8f3b9805aeffa4f9e481c9e7d8ab2b512c3ad68f78661a42dd5128.0b588a8d.png)

1. Go to Applications → APIs → Auth0 Management API → Machine to Machine Applications tab and authorize your app via the toggle.

   ![providers-4](/assets/providers-4.4fcac817f5789aef23373ef52d0c6a48fcdbfc7c80671b2cf707ad289bc67c19.0b588a8d.png)

1. Open the dropdown menu and select the permissions you want to give the app. Check the boxes for the `read:users` and `read:roles` permissions. Click the **Update** button to finalize the configuration.

   ![providers-5](/assets/providers-5.cdc4a1dcf20aaae84731d8f48ab9f61458a4eeb6ae38cd699fc16051e0361791.0b588a8d.png)

1. Go to the Users page → [USER] → app_metadata and set `tenantId`: `frontegg_tenant_id`.

   ![providers-6](/assets/providers-6.9ad6fe76bf465c81941ffac7e4ab7eeaebb0e6689d27fd8542d87b08362f058f.0b588a8d.png)

1. To map user roles, add the role on Auth0 and set the name of the role to the same `key` as the corresponding Frontegg role.

   ![providers-7](/assets/providers-7.fa306028742570266a6b1fbcf183e27db7155b23c69f67e2baaab4de68687e3f.0b588a8d.png)

#### Custom code

You can choose to fetch user pools from external resources via custom code, which is available under the *Other* Source option.

![providers-8](/assets/providers-8.2db11929a589c4273066d74d07f978f4aaab2b0bcb72414349a5681054ed262b.0b588a8d.png)

#### Amazon Cognito

You can create user pools originating in your Amazon Cognito account. To allow proper syncing of your Cognito users into Frontegg's user pool, you will need to adhere to the following guidelines:

1. Each user on Amazon Cognito's side should have a custom attribute where the *Name* of the attribute should be identical to the value of the `custom:` that was used in the pool’s configuration.

   ![providers-9](/assets/providers-9.d2940a0184edab8a7383cc06a7dea6b7a6afd417b94253f667e0e135e5f973d2.0b588a8d.png)

1. Next, in the **Edit User** section (Amazon Cognito > User Pools), under the *Optional attributes* section, enter the ID of the relevant Frontegg tenant as the value of `custom:tenantId`:

   ![providers-10](/assets/providers-10.f93cafc7dae8f259244858237c0acc77995ea955ff8322ac9eb91fe6d679a7ae.0b588a8d.png)

1. Go to **Edit app client information** to enable the `ALLOW_USER_PASSWORD_AUTH` authentication flow, like so:

   ![providers-11](/assets/providers-11.7f614535fac1029bb2c275901a1b874b5e923734210295da88c527b958964ac3.0b588a8d.png)

1. If your Cognito app is using a `client secret`, you should include it when configuring the pool (the Frontegg `clientSecret` field).

   ```json
   {
     "region": "",
     "clientId": "...", // the client id of the cognito application
     "userPoolId": "...", // the id of the cognito pool
     "clientSecret": "...", // optional
     "tenantIdFieldName": "...",
     "accessKeyId": "...",
     "secretAccessKey": "..."
   }
   ```

1. Each user should have a custom attribute as such:

**Cognito IAM user**

We recommend creating an IAM user with read-only permission in Cognito. Subsequently, you should create an access key for this account and provide it when configuring the user pool on Frontegg (i.e., include the `accessKeyId` and `secretAccessKey` attributes).

#### Google Firebase

1. To create a user pool from your Google Firebase account, you will need to get a **Web API Key** and a **Private key** from your Firebase project. Go to your Firebase project and copy your **Web API Key** from the *General* tab:

   ![providers-12](/assets/providers-12.8fa61a3d693f2c5d5d023b5cbb6ee27dd3e4f57b5fd126e4614a87a635dda069.0b588a8d.png)

1. Then, go to the *service account* tab and press the *Generate new private key* button. Open the downloaded file with your text editor and copy the key.

   ![providers-13](/assets/providers-13.faf6b0adf6c6b174f4a9cc2e5b1f2f05c20191bb39819defcda34c5ce9e32e55.0b588a8d.png)

1. Then, head over to the **Frontegg portal** → [ENVIRONMENT] → Management → User pools. Click on **Create user pool**. Select the **External** User pool type.

   ![providers-14](/assets/providers-14.913770be13320035a3ec6ce4a23de72a5da6b094ab1266fd079fa0918a5538bc.0b588a8d.png)

1. Select the *Firebase* option and paste the **API key** and **Private key** from your Firebase account into the *API Key* and *Firebase service account* fields, respectively.

   ![providers-15](/assets/providers-15.caad81abc1ca820f32ae77f08cfd8783e06236063e7e9123a6933df73e1148da.0b588a8d.png)

### IdP user pools

#### Auth0

To create an IdP user pool with **Auth0**, please complete the following steps:

1. **To properly create a user pool from Auth0, we expect the `tenantId` to be part of the `idToken`**. To do that, you will need to include your `tenantId` from the user's Metadata within your app's `app_metadata`, like so:

   ![providers-16](/assets/providers-16.137526aa1195a9c682d4807af09b07e92b3c5491ab07c9affbcd52a3e8e987fe.0b588a8d.png)

1. Next, go to your Auth0 account, open the Actions → Flows tab, and choose the *Login* option.

   ![providers-17](/assets/providers-17.b8315e62a7900b32d32dbc45b4d2e89221ad0590ad15c0aa2fffaefd79e2664f.0b588a8d.png)

Once the required configuration on Auth0 is completed, proceed to create a new user pool in Frontegg by following the requirements listed in the [External User Pools](#external-user-pools) section.
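
The Auth0 IdP steps above end at opening the *Login* flow; one way to get `tenantId` from `app_metadata` into the ID token there is a post-login Action. This is an added example, not Frontegg's or Auth0's own code: the claim name `tenantId` is an assumption taken from the page's wording, and `addTenantClaim` and `makeFakeApi` are hypothetical helpers so the logic can be run outside Auth0.

```javascript
// Added example: Auth0 post-login Action for Actions → Flows → Login.
// Assumption: Frontegg reads the claim under the name "tenantId".
const TENANT_CLAIM = "tenantId";

// Synchronous core, kept separate so it can be exercised without the Auth0 runtime.
function addTenantClaim(event, api) {
  // Read only app_metadata: it is written by administrators or the Management API.
  // user_metadata is meant for user-editable data and must never decide tenancy.
  const meta = (event.user && event.user.app_metadata) || {};
  const tenantId = meta.tenantId;

  // Fail closed: a login without a tenant assignment gets no token at all,
  // instead of an ID token that lacks the claim.
  if (typeof tenantId !== "string" || tenantId.trim() === "") {
    api.access.deny("No tenant is assigned to this account.");
    return false;
  }

  api.idToken.setCustomClaim(TENANT_CLAIM, tenantId.trim());
  return true;
}

// Entry point that Auth0 invokes after a successful login.
const onExecutePostLogin = async (event, api) => {
  addTenantClaim(event, api);
};
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for Auth0's `api` object, for local runs only.
function makeFakeApi() {
  const state = { claims: {}, denied: null };
  return {
    state,
    idToken: { setCustomClaim: (name, value) => { state.claims[name] = value; } },
    access: { deny: (reason) => { state.denied = reason; } },
  };
}
```

Denying the login when `app_metadata.tenantId` is missing keeps unassigned accounts from receiving a token whose tenant has to be guessed downstream.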