Getting started with user pools

Frontegg's User Pools offer a high level of control and flexibility, enabling seamless integration with existing apps and IdPs without the need for extensive migrations. This feature allows organizations to manage user permissions and access more granularly, enhancing security and compliance with regulatory requirements. This topic will outline the need for user pools and the differences between pools created via external resources and those created with IdPs.


Why use user pools

User pools give you the flexibility to control your users' journey in multiple aspects:

  • Seamless integration with existing identities: Creating user pools allows you to use all of Frontegg's features like Entitlements and Security Rules without needing to migrate your external user bases to Frontegg.
  • Segmentation and granular management: With user pools, you can better manage your users' lifecycle, permissions, and accessibility.
  • Minimal disruption to users: User pools allow you to enhance your offering and application capabilities with minimal disruption to your users' experience. Your users continue interacting with their existing authentication systems while the migration occurs behind the scenes without disrupting their ongoing operation.

Difference between external and IdP user pools

Before creating and configuring your first user pool, here's an overview of the key differences and use cases:

  • External user pools:
    External user pools are designed to manage users who are authenticated through external sources or databases. When configuring an external user pool, you have the option to either sync user attributes upon each login or perform a Just in Time (JIT) migration. The sync option ensures that user details are updated every time they log in, which is crucial for maintaining up-to-date user information from the external source. Additionally, external user pools support various authentication methods, including social logins, enterprise SSO, and passwordless options, provided these are configured in the original user pool source.

  • IdP user pools:
    IdP (Identity Provider) user pools, on the other hand, are configured to authenticate users through their IdP's identification page. This means that users are always authenticated via their IdP, and JIT migration is not applicable for these pools. When setting up an IdP user pool, you need to specify the federation source URL and include settings such as the ClientID and Secret associated with the customer's IdP account. It's important to note that certain authentication features, such as One Time Code (OTC), Single Sign-On (SSO), and login with SMS, are not available for users who are stored externally but included in a user pool.


Parameter             | External user pool                                                                                         | IdP user pool
----------------------|------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------
Authentication method | Users can authenticate via various methods, including social logins, enterprise SSO, and passwordless options. | Users are authenticated exclusively through their IdP's identification page.
User data sync        | User attributes can be synced upon each login or migrated JIT.                                             | JIT migration is not possible; user data is managed by the IdP.
Feature availability  | Supports a broader range of authentication features.                                                       | Limited in terms of certain authentication features like OTC and SSO.

Creating and configuring user pools

User pool configuration is comprised of the following steps:

  1. Create a new user pool

  2. Choose user pool type

External sources refer to user pools originating in external resources or databases. Their users can either be imported and become Frontegg users, or keep authenticating via the external resource while being synced with Frontegg upon each login.

In the case of IdP federation user pools, users are always authenticated via their IdP's identification page and thus cannot become Frontegg users (Just in Time migration is not applicable for this user pool).


Note about tenant ID in IdP user pools

Federation expects the user data it receives to contain a tenant ID field whose name matches the tenantIdFieldName you set in your user pool settings in Frontegg. This topic covers Auth0's use case. For other IdPs, please contact [support@frontegg.com].

User pool sync

If user pool sync is turned on, the user details and metadata in the user pool aren't editable. If the user pool's sync is turned off, the user data can be edited.


  3. Configure settings

Next, you will need to configure your user pool settings. The settings differ slightly between the External and IdP pools, as shown below.

External user pools

User pool settings are customized via the User pool settings tab. For External user pools, you can choose one of the common sources (see screenshot below) or write your own custom code to create user pools from additional external sources. Note that for Auth0 and Cognito pools, you will need to implement several actions in your account on their end to ensure that the user pool creation on Frontegg's side is done properly. You can choose the Sync user attributes option, meaning that user attributes are synced every time a user logs in, or alternatively opt for the Just in time migration option, upon which users are migrated to Frontegg ad hoc and thus become permanent Frontegg users. Note that the latter option is irreversible (i.e., migrated users will be authenticated from the Frontegg user pool from that point onwards).

Tenant ID source

  • For each user pool, you can decide whether to derive the tenant ID from the user's properties, use a predefined value, or automatically create a new tenant ID for each new user.
  • Note that this applies to new users only and will not apply to existing users retroactively.
  • Tenant ID resolving options vary between user pool sources.

IdP federation pools

When creating user pools from an IdP Federation source, make sure you include the following settings:

  • The URL of your federation source must be specified.
  • Enter your pool settings, such as the ClientID and Secret, that are associated with the customer's IdP account.
  • Important: Just in Time migration is not possible for IdP user pools.
  • You can decide how to implement the tenant ID for your user pool. You can either derive it from the user properties, use a predefined value, or automatically create a new tenant for new users.
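
The three tenant ID resolution options above (for external pools under "Tenant ID source" as well as for IdP federation pools), together with the tenantIdFieldName note, can be modelled as a small resolver. This is an added illustration, not Frontegg's code; the mode names, the `Directory` stand-in and the constructed tenant ID format are assumptions.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Added model of the tenant ID resolution options described above; this is
# not Frontegg code, and the mode and field names are assumptions.

@dataclass
class UserPoolSettings:
    # "from_user_properties", "predefined" or "create_new" (assumed names)
    mode: str
    # Name of the field the federation source must send (tenantIdFieldName)
    tenant_id_field_name: str = "tenantId"
    predefined_tenant_id: Optional[str] = None


@dataclass
class Directory:
    """Constructed stand-in for the Frontegg side: user id -> tenant id."""
    users: dict = field(default_factory=dict)
    tenants: set = field(default_factory=set)


def resolve_tenant_id(settings: UserPoolSettings, user_id: str,
                      user_properties: dict, directory: Directory) -> str:
    """Return the tenant a user belongs to, assigning one only for new users."""
    # Tenant ID resolution applies to new users only: an existing user is
    # never moved, whatever the pool's current setting.
    if user_id in directory.users:
        return directory.users[user_id]
    if settings.mode == "from_user_properties":
        tenant = user_properties.get(settings.tenant_id_field_name)
        if not tenant:
            # Fail closed: a missing or misnamed tenant field must not fall
            # back to some default tenant, or the user lands in the wrong one.
            raise ValueError(
                f"user {user_id!r} has no {settings.tenant_id_field_name!r} property")
    elif settings.mode == "predefined":
        if not settings.predefined_tenant_id:
            raise ValueError("predefined mode requires predefined_tenant_id")
        tenant = settings.predefined_tenant_id
    elif settings.mode == "create_new":
        tenant = f"tenant-{uuid.uuid4().hex[:12]}"  # constructed id format
    else:
        raise ValueError(f"unknown tenant ID mode {settings.mode!r}")
    directory.tenants.add(tenant)
    directory.users[user_id] = tenant
    return tenant
```

A field sent under a different name than tenantIdFieldName is rejected rather than silently mapped, which is the failure mode the note above warns about.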

User pool limitations

When users are stored externally - but are included in a user pool - the following authentication features will not be available for them:

  • One Time Code (OTC)
  • Single Sign-On (SSO)
  • Login with SMS

We advise keeping these limitations in mind when enabling these options for users in your self-service portal.

User pool authentication via social login

You can allow users added to Frontegg from external user pools to authenticate with their social, enterprise SSO, or passwordless login credentials. To enable this option, user pools must be configured, and the social, SSO, and passwordless options (whichever you're using) must be enabled in the builder.

Updating user metadata with custom data

When creating users from external resources, you may wish to customize the information within your user’s Metadata on Frontegg’s side with custom data. You can do so in multiple ways:

  • Via the [ENVIRONMENT] → Management → Users tab.
  • Via the API.
  • Via Prehooks ([ENVIRONMENT] → Prehooks).

Frontegg Dashboard:

[Screenshot: Frontegg Dashboard]