
AWS Cognito with external IDP (SAML) for Post-Signup/Signin Actions


I also need to add the created/updated user into a users-table of an RDS-database, and the described workflow does not describe such a scenario at all.

  • Is it possible to react to the create/update of a cognito user within this SAML-workflow, by also updating an applications database-table with the new data?

--

In the docs of AWS Cognito, in the chapter "SAML user pool IdP authentication flow", the following part is written:

6. After verifying the SAML assertion and collecting the user attributes (claims) from the assertion, 
Amazon Cognito internally creates or updates the user's profile in the user pool. 
Amazon Cognito returns OIDC tokens to the app for the now signed-in user.

see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html

This part does not seem to recognize the scenario I described in my question, and there is no link/hint to such a solution given.


Solution

  • In order to perform additional actions to customize the Cognito user pool workflow, you can use Lambda triggers.

    In your particular situation, there are triggers and triggerSource values you should look for regarding Sign Up and Sign In for federated users, as per documentation, namely:

    • For SignUp:

      • PreSignUp_ExternalProvider: this is called before the user is created in Cognito, allowing you to perform some additional actions, normally validations.
      • PostConfirmation_ConfirmSignUp: this is invoked after the user has been created and confirmed in Cognito. This would be where you'd create it in the RDS database.
    • For SignIn:

      • PreAuthentication_Authentication: similar to PreSignUp, useful for additional validations, but for Sign In.
      • PostAuthentication_Authentication: called after a successful authentication. This is where you would update the user in your database.

    Also keep in mind that the Updated date of the user will change at each new sign-in due to this (source):

    Amazon Cognito must be able to update your mapped user pool attributes when users sign in to your application. When a user signs in through an IdP, Amazon Cognito updates the mapped attributes with the latest information from the IdP. Amazon Cognito updates each mapped attribute, even if its current value already matches the latest information.
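As an added example (not from the answer, the question, or AWS), one Lambda handler that dispatches on the triggerSource values listed above and mirrors the federated user into a users table. The in-memory SQLite table, the user pool id and the event payload are constructed stand-ins for the RDS table and a real Cognito invocation; the event shape follows the documented Cognito trigger structure.

```python
import sqlite3

# Stand-in for the RDS users table (assumption: in-memory SQLite so the example runs
# offline; in Lambda you would open a connection to RDS here instead).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (sub TEXT PRIMARY KEY, email TEXT, provider TEXT, logins INTEGER)")

REQUIRED_CLAIMS = ("email",)


def missing_claims(attrs):
    """Claims the SAML assertion must carry before Cognito is allowed to create the user."""
    return [c for c in REQUIRED_CLAIMS if not attrs.get(c)]


def handler(event, context=None):
    """Cognito Lambda trigger entry point: one function wired to several triggers."""
    source = event["triggerSource"]
    attrs = event["request"]["userAttributes"]
    # Key rows on the immutable 'sub', never on a mutable IdP-controlled claim like email.
    sub = attrs.get("sub")
    # Federated user names have the form "<ProviderName>_<providerUserId>".
    provider = event["userName"].split("_", 1)[0]
    if source == "PreSignUp_ExternalProvider":
        # Runs before the user exists in Cognito; raising makes Cognito reject the sign-up.
        missing = missing_claims(attrs)
        if missing:
            raise ValueError(f"SAML assertion lacks required claims: {missing}")
    elif source == "PostConfirmation_ConfirmSignUp":
        # Parameterised SQL: claim values come from the IdP and are untrusted input.
        db.execute("INSERT OR IGNORE INTO users VALUES (?, ?, ?, 0)", (sub, attrs.get("email"), provider))
    elif source == "PostAuthentication_Authentication":
        # Upsert, so users created before this trigger was attached still get a row.
        db.execute("INSERT OR IGNORE INTO users VALUES (?, ?, ?, 0)", (sub, attrs.get("email"), provider))
        db.execute("UPDATE users SET email = ?, logins = logins + 1 WHERE sub = ?", (attrs.get("email"), sub))
    # Cognito requires the (possibly modified) event to be returned.
    return event


def get_user(sub):
    row = db.execute("SELECT email, provider, logins FROM users WHERE sub = ?", (sub,)).fetchone()
    return None if row is None else {"email": row[0], "provider": row[1], "logins": row[2]}


def make_event(trigger_source, attrs):
    """Constructed Cognito trigger event; pool id and user name are placeholders."""
    return {"version": "1", "triggerSource": trigger_source, "region": "eu-west-1",
            "userPoolId": "eu-west-1_EXAMPLE", "userName": "SAMLExample_user@example.com",
            "callerContext": {}, "request": {"userAttributes": attrs}, "response": {}}
```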