I am working on configuring a multi-tenant web application. Each tenant will have their own User Pool in AWS Cognito, along with their own IdP configurations. In some cases we'll use the Cognito User Pool as the primary IdP, and in other cases we'll use a federated IdP, likely using SAML.
My question is: are there any concerns with directly integrating a third-party tenant's designated User Pool with an IdP that they own and manage? Or is it preferable for us to manage an IdP on their behalf, but for which we provide a UI to add users and adjust permissions?
Regardless of who owns the IdP, we will integrate the User Pool with AWS Verified Permissions on our end to handle authorization.