Getting started with user pools
Frontegg's User Pools offer a high level of control and flexibility, enabling seamless integration with existing apps and IdPs without the need for extensive migrations. This feature allows organizations to manage user permissions and access more granularly, enhancing security and compliance with regulatory requirements. This topic will outline the need for user pools and the differences between pools created via external resources and those created with IdPs.
Why use user pools
User pools give you the flexibility to control your users' journey in multiple aspects:
- Seamless integration with existing identities: Creating user pools allows you to use all of Frontegg's features like Entitlements and Security Rules without needing to migrate your external user bases to Frontegg.
- Segmentation and granular management: With user pools, you can better manage your users' lifecycle, permissions, and accessibility.
- Minimal disruption to users: User pools allow you to enhance your offering and application capabilities with minimal disruption to your users' experience. Your users continue interacting with their existing authentication systems while the migration occurs behind the scenes without disrupting their ongoing operation.
Difference between external and IdP user pools
Before creating and configuring your first user pool, here's an overview of the key differences and use cases:
External user pools:
External user pools are designed to manage users who are authenticated through external sources or databases. When configuring an external user pool, you have the option to either sync user attributes upon each login or perform a Just in Time (JIT) migration. The sync option ensures that user details are updated every time they log in, which is crucial for maintaining up-to-date user information from the external source. Additionally, external user pools support various authentication methods, including social logins, enterprise SSO, and passwordless options, provided these are configured in the original user pool source.
IdP user pools:
IdP (Identity Provider) user pools, on the other hand, are configured to authenticate users through their IdP's identification page. This means that users are always authenticated via their IdP, and JIT migration is not applicable for these pools. When setting up an IdP user pool, you need to specify the federation source URL and include settings such as the ClientID and Secret associated with the customer's IdP account. It's important to note that certain authentication features, such as One Time Code (OTC), Single Sign-On (SSO), and login with SMS, are not available for users who are stored externally but included in a user pool.
Parameter | External user pool | IdP user pool |
---|---|---|
Authentication Method | Users can authenticate via various methods, including social logins, enterprise SSO, and passwordless options. | Users are authenticated exclusively through their IdP's identification page. |
User Data Sync | User attributes can be synced upon each login or migrated JIT. | JIT migration is not possible; user data is managed by the IdP. |
Feature Availability | Supports a broader range of authentication features. | Limited in terms of certain authentication features like OTC and SSO. |
Creating and configuring user pools
User pool configuration is comprised of the following steps:
- Create a new user pool
- Choose user pool type -
External sources refer to user pools originating in external resources or databases, which can either be imported and become Frontegg users or maintain authentication via the external resource while syncing with Frontegg upon each login.
In the case of IdP federation user pools, users are always authenticated via their IdP's identification page and thus cannot become Frontegg users (Just in Time migration is not applicable for this user pool).
Note about tenant ID in IdP user pools
Federation expects to see a tenantId field with the same name as the tenantIdFieldName you set in your user pool settings in Frontegg. This topic covers Auth0's use case. For other IdPs, please contact [support@frontegg.com].
User pool sync
If user pool sync is turned on, the user details and metadata in the user pool are not editable. If the user pool's sync is turned off, the user data can be edited.
- Configure settings
Next, you will need to configure your user pool settings. The settings differ slightly between the External and IdP pools, as shown below.
External user pools
User pool settings are customized via the User pool settings tab. For External user pools, you can choose one of the common sources (see screenshot below) or write your own custom code to create user pools from additional external sources. Note that for Auth0 and Cognito pools, you will need to implement several actions in your account on their side to ensure the user pool creation on Frontegg's side is done properly. You can choose the Sync user attributes option, meaning that user attributes are synced every time a user logs in, or alternatively opt for the Just in time migration option, upon which users are migrated to Frontegg ad hoc and thus become permanent Frontegg users. Note that the latter option is irreversible (i.e., migrated users will be authenticated from the Frontegg user pool from that point onwards).
Tenant ID source
- For each user pool, you can decide whether to derive the tenant ID from the user's properties, use a predefined value, or automatically create a new tenant ID for each new user.
- Note that this applies to new users only and will not apply to users retroactively.
- Tenant ID resolving options vary between user pool sources.
IdP federation pools
When creating user pools from an IdP Federation source, make sure you include the following settings:
- The URL of your federation source must be specified.
- Enter your Pool settings, such as the ClientID and Secret, that are associated with the customer's IdP account.
- Important: Just in Time migration is not possible for IdP user pools.
- You can decide how to implement the tenant ID for your user pool. You can either derive it from the user properties, use a predefined value, or automatically create a new tenant for new users.
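The three tenant ID resolution modes listed above (and in the Tenant ID source section), together with the tenantIdFieldName expectation from the IdP note, as a small Python model. This is an added illustration, not Frontegg's code or API: the mode labels, the settings field names, and the sample IdP payload are assumptions constructed for it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import uuid


@dataclass
class PoolSettings:
    """Assumed shape of the tenant ID part of a user pool's settings."""
    mode: str  # "from_user_property" | "predefined" | "new_tenant" (assumed labels)
    tenant_id_field_name: str = "tenantId"  # mirrors the tenantIdFieldName setting
    predefined_tenant_id: Optional[str] = None


class TenantResolutionError(ValueError):
    """Raised when the configured mode cannot produce a tenant ID."""


def resolve_tenant_id(
    settings: PoolSettings,
    user_payload: Dict[str, str],
    existing_tenant_id: Optional[str] = None,
    new_tenant_factory: Optional[Callable[[], str]] = None,
) -> str:
    """Return the tenant ID for a user logging in through the pool."""
    # The page states the tenant ID source applies to new users only, so a
    # user who already has a tenant keeps it regardless of the current mode.
    if existing_tenant_id is not None:
        return existing_tenant_id
    if settings.mode == "from_user_property":
        # Federation expects the payload to carry a field named exactly as
        # tenantIdFieldName; a missing or empty value fails closed instead of
        # silently placing the user in an empty or shared tenant.
        value = user_payload.get(settings.tenant_id_field_name)
        if not value:
            raise TenantResolutionError(
                f"IdP payload has no '{settings.tenant_id_field_name}' field")
        return str(value)
    if settings.mode == "predefined":
        if not settings.predefined_tenant_id:
            raise TenantResolutionError("predefined mode needs a tenant ID")
        return settings.predefined_tenant_id
    if settings.mode == "new_tenant":
        factory = new_tenant_factory or (lambda: f"tenant-{uuid.uuid4()}")
        return factory()
    raise TenantResolutionError(f"unknown tenant ID mode {settings.mode!r}")


# Constructed sample IdP payload for the example (not real data).
SAMPLE_PAYLOAD = {"email": "jane@example.com", "org_id": "acme"}
```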
User pool limitations
When users are stored externally - but are included in a user pool - the following authentication features will not be available for them:
- One Time Code (OTC)
- Single Sign-On (SSO)
- Login with SMS
We advise keeping these limitations in mind when enabling these options for users in your self-service portal.
User pool authentication via social login
You can allow users added to Frontegg from external user pools to authenticate with their social, enterprise SSO, or passwordless login credentials. To enable this option, user pools must be configured, and the social, SSO, and passwordless options (whichever you're using) must be enabled in the builder.
Updating user metadata with custom data
When creating users from external resources, you may wish to customize the information within your user’s Metadata on Frontegg’s side with custom data. You can do so in multiple ways:
Frontegg Dashboard: