If you’re already using AWS, chances are you’re using Cognito for authentication. It fits well with the rest of your stack, supports the basics out of the box, and keeps everything inside your AWS boundary.
When your first enterprise customer asks for SSO, be it with Okta, Entra ID, or Google Workspace, you can technically support it with Cognito. But doing that means wiring up each connection yourself, managing metadata, and becoming the go-to support person for every enterprise IT team you sell to.
That’s exactly where Scalekit comes in and helps you add SSO to your Cognito setup.
It connects to your customer’s identity provider, handles the login flow (SAML or OIDC), and returns control to Cognito, so your sessions, tokens, and users stay exactly where they are.
In this guide, you’ll integrate Scalekit with AWS Cognito and go live with your first SSO connection, without rebuilding your login flow or wiring up federation from scratch.
Scalekit integrates with AWS Cognito just for enterprise SSO.
You still use Cognito to manage sessions, tokens, and users—just like before. But instead of configuring a new SAML or OIDC provider for every customer inside Cognito, you point them all to Scalekit.
Here’s what Scalekit adds:
Here’s how you’ll connect Scalekit to Cognito and go live with your first SSO login—without federation scripts or rewriting your auth flow.
In your Cognito User Pool, add a new OIDC provider using the credentials from your Scalekit dashboard.
This one provider handles every customer while Scalekit takes care of routing based on the login hint.
Map standard OIDC claims like sub, email, and name to your Cognito user pool fields.
This ensures Cognito knows how to create or link users once Scalekit completes the login.
Copy Cognito’s callback URL and add it to your Scalekit Redirect URIs. This lets Scalekit return the user to Cognito after successful SSO.
Set up a new org for your customer.
Share the hosted portal link so their IT team can configure their IdP (SAML or OIDC) themselves—no need to exchange metadata manually.
When a user clicks “Sign in with SSO” on your app’s login screen, you redirect them to Cognito’s /authorize endpoint. Scalekit then uses the login hint from that request to find the right connection and start the SSO handshake.
After login, Scalekit redirects back to Cognito.
Cognito handles the token exchange, applies the attribute mapping, and starts the session like it always does.
That’s it. You’ve added SSO to your Cognito setup, without federation logic, Lambda triggers, or a new IdP per customer.
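The redirect and return legs of the flow above, as an added example (not code from Scalekit or AWS): it builds the Cognito authorize request with the login hint, a CSRF `state` value and a PKCE challenge, then checks the callback your app receives from Cognito before accepting the authorization code. The domain, client ID, redirect URI, provider name and scopes are placeholder assumptions; the parameter names are those of Cognito's OAuth 2.0 `/oauth2/authorize` endpoint.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions): use your own user pool domain, app client and IdP name.
COGNITO_DOMAIN = "https://auth.example.com"
CLIENT_ID = "example-app-client-id"
REDIRECT_URI = "https://app.example.com/callback"
IDP_NAME = "Scalekit"  # name given to the single OIDC provider in the user pool
EMAIL_RE = re.compile(r"[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_sso_redirect(email):
    """Return (authorize_url, session) for a 'Sign in with SSO' click."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("login hint must be an email address")
    state = secrets.token_urlsafe(32)     # CSRF token, stored in the user's session
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (86 characters)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "identity_provider": IDP_NAME,  # go straight to the OIDC provider
        "login_hint": email,            # value the SSO routing keys on
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"
    return url, {"state": state, "code_verifier": verifier}


def check_callback(callback_url, session):
    """Return the authorization code only if the state matches this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    returned = query.get("state", [""])[0].encode()
    if not hmac.compare_digest(returned, session["state"].encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code
```

Keep the returned `session` dict server-side, and send `code_verifier` with the token request when your app exchanges the code at Cognito's token endpoint.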
Adding Scalekit doesn’t change how you use AWS Cognito.
Cognito still manages your sessions, tokens, user pools, and everything tied into your AWS stack. Scalekit steps in only to handle the SSO handshake—so you don’t have to build and maintain that part yourself.
Here’s how it breaks down:
Enterprise SSO always sounds simple until you try to build it yourself.
Cognito gives you a solid foundation for authentication, including enterprise SSO. But without a way for customers to self-serve, you’re still the one setting up every IdP, managing configs, and unblocking IT teams on their timeline.
Scalekit takes that work off your plate. You support SSO at scale without rewriting anything and without losing control. You just hand off the part you don’t want to manage.
That’s enough to close your next enterprise deal, without breaking your flow or piling more work on your team.