:doc:`CognitoIdentityProvider <../../cognito-idp>` / Client / update_identity_provider

************************
update_identity_provider
************************



.. py:method:: CognitoIdentityProvider.Client.update_identity_provider(**kwargs)

  

  Modifies the configuration and trust relationship between a third-party identity provider (IdP) and a user pool. Amazon Cognito accepts sign-in with third-party identity providers through managed login and OIDC relying-party libraries. For more information, see `Third-party IdP sign-in <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html>`__.

   

  .. note::

    

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

     

    **Learn more**

     

    
    * `Signing Amazon Web Services API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`__
     
    * `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`__
    

    

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProvider>`_  


  **Request Syntax**
  ::

    response = client.update_identity_provider(
        UserPoolId='string',
        ProviderName='string',
        ProviderDetails={
            'string': 'string'
        },
        AttributeMapping={
            'string': 'string'
        },
        IdpIdentifiers=[
            'string',
        ]
    )
    
  :type UserPoolId: string
  :param UserPoolId: **[REQUIRED]** 

    The Id of the user pool where you want to update your IdP.

    

  
  :type ProviderName: string
  :param ProviderName: **[REQUIRED]** 

    The name of the IdP that you want to update. You can pass the identity provider name in the ``identity_provider`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`__ to silently redirect to sign-in with the associated IdP.

    

  
  :type ProviderDetails: dict
  :param ProviderDetails: 

    The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here.

      OpenID Connect (OIDC)  

    Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer``: ``attributes_url``, ``authorize_url``, ``jwks_uri``, ``token_url``.

     

    Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``

     

    Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``

      SAML  

    Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``

     

    Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``

     

    The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.

     

    Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``

      LoginWithAmazon  

    Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``

     

    Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``

      Google  

    Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``

     

    Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``

      SignInWithApple  

    Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``

     

    Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``

      Facebook  

    Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``

     

    Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``

    

  
    - *(string) --* 

    
      - *(string) --* 

      


  :type AttributeMapping: dict
  :param AttributeMapping: 

    A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.

    

  
    - *(string) --* 

    
      - *(string) --* 

      


  :type IdpIdentifiers: list
  :param IdpIdentifiers: 

    An array of IdP identifiers, for example ``"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]``. Identifiers are friendly names that you can pass in the ``idp_identifier`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`__ to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of `email-address matching with SAML providers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html>`__.

    

  
    - *(string) --* 

    

  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'IdentityProvider': {
              'UserPoolId': 'string',
              'ProviderName': 'string',
              'ProviderType': 'SAML'|'Facebook'|'Google'|'LoginWithAmazon'|'SignInWithApple'|'OIDC',
              'ProviderDetails': {
                  'string': 'string'
              },
              'AttributeMapping': {
                  'string': 'string'
              },
              'IdpIdentifiers': [
                  'string',
              ],
              'LastModifiedDate': datetime(2015, 1, 1),
              'CreationDate': datetime(2015, 1, 1)
          }
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **IdentityProvider** *(dict) --* 

        The identity provider details.

        
        

        - **UserPoolId** *(string) --* 

          The ID of the user pool associated with the IdP.

          
        

        - **ProviderName** *(string) --* 

          A friendly name for the IdP.

          
        

        - **ProviderType** *(string) --* 

          The type of IdP. Either SAML, OIDC, or a named social identity provider.

          
        

        - **ProviderDetails** *(dict) --* 

          The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here.

            OpenID Connect (OIDC)  

          Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer``: ``attributes_url``, ``authorize_url``, ``jwks_uri``, ``token_url``.

           

          Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``

           

          Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``

            SAML  

          Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``

           

          Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``

           

          The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.

           

          Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``

            LoginWithAmazon  

          Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``

           

          Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``

            Google  

          Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``

           

          Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``

            SignInWithApple  

          Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``

           

          Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``

            Facebook  

          Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``

           

          Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``

          
          

          - *(string) --* 
            

            - *(string) --* 
      
    
        

        - **AttributeMapping** *(dict) --* 

          A mapping of IdP attributes to standard and custom user pool attributes.

          
          

          - *(string) --* 
            

            - *(string) --* 
      
    
        

        - **IdpIdentifiers** *(list) --* 

          A list of IdP identifiers. IdP identifiers are strings that represent friendly names or domain names of IdPs, for example ``MyIdP`` or ``auth.example.com``. You can choose to route user authorization requests to the right IdP with either IdP identifiers or IdP names. For more information, see ``identity_provider`` and ``idp_identifier`` at `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html#get-authorize-request-parameters>`__.

          
          

          - *(string) --* 
      
        

        - **LastModifiedDate** *(datetime) --* 

          The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java ``Date`` object.

          
        

        - **CreationDate** *(datetime) --* 

          The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java ``Date`` object.

          
    
  
  **Exceptions**
  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.InvalidParameterException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.UnsupportedIdentityProviderException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.ConcurrentModificationException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.NotAuthorizedException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`CognitoIdentityProvider.Client.exceptions.InternalErrorException`

  