
# Amazon Cognito

You can set up Single Sign-on (SSO) with Amazon Cognito for your team.

This section helps you create an OIDC application with Amazon Cognito. The *Client ID*, *Client Secret*, and *Issuer URL* of this OIDC application are required to set up SSO in Ona. See the [step-by-step guide](/ona/sso/overview#setting-up-single-sign-on) for the general instructions.

## Prerequisites

As prerequisites you will need the following:

* Access to set up a new [Amazon Cognito application](https://console.aws.amazon.com/cognito/home) in your AWS account.

## Create an OIDC application

1. Navigate to the [Amazon Cognito](https://console.aws.amazon.com/cognito/home) service page, then select `Set up your application`.

2. Configure the application by filling out the form:

   * **Application type**: `Traditional web application`
   * **Name**: `Ona`
   * **Options for sign-in identifiers**:
     * `Email`
   * **Required attributes for sign-up**:
     * `email`
     * `name`
   * **Return URL**: `https://app.gitpod.io/auth/oidc/callback`

   Click the *Create* button.

3. Obtain the *Client ID* and *Client Secret* from the Overview page

   Once the application is created, you will be redirected to the newly created user pool. Learn more about [Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html?icmpid=docs_cognito_console_help_panel).

   * Feel free to rename the user pool before proceeding!
   * Obtain **Issuer URL**
     * You'll find the **User pool ID** here
     * The pattern for the *Issuer URL* is:
       `https://cognito-idp.<awsregion>.amazonaws.com/<user-pool-id>`
     * Verify that you have the correct URL by opening the OIDC discovery document at `<Issuer URL>/.well-known/openid-configuration` in your browser, i.e. open `https://cognito-idp.<awsregion>.amazonaws.com/<user-pool-id>/.well-known/openid-configuration`.
   * Then navigate to *Applications > App clients > Ona* to find the details of the newly created application, and copy the information you'll need in Ona:
     * **Client ID**
     * **Client secret**

4. Configure OIDC Scopes

   The default selection of OIDC scopes in Amazon Cognito doesn't meet the requirements for Ona. Navigate to *App client > Login pages > Edit* and ensure the `Profile` scope is selected.
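   The Issuer URL pattern and discovery check from step 3, together with the scope requirement from step 4, can be scripted. The following is an added example, not code from Ona's documentation or from Amazon; the pool ID `eu-central-1_EXAMPLE01` and the sample discovery document are constructed, and the scope set it requires (`openid`, `email`, `profile`) is an assumption drawn from step 4.

```python
"""Sanity-check a Cognito Issuer URL before pasting it into Ona (added example)."""
import json
import re
from urllib.request import urlopen

# Issuer pattern from this guide; Cognito user pool IDs carry their region as a prefix.
ISSUER_RE = re.compile(
    r"^https://cognito-idp\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/"
    r"(?P=region)_[A-Za-z0-9]+$"
)

# Constructed sample of what <Issuer URL>/.well-known/openid-configuration returns.
SAMPLE_ISSUER = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE01"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://example.auth.eu-central-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example.auth.eu-central-1.amazoncognito.com/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "response_types_supported": ["code", "token"],
}

def check_discovery(issuer: str, doc: dict) -> list:
    """Return the problems found; an empty list means the issuer is usable for Ona."""
    problems = []
    if not ISSUER_RE.match(issuer):
        problems.append("issuer does not follow the Cognito pattern: " + issuer)
    # OIDC requires the document's 'issuer' to equal the URL it was fetched from; a mismatch
    # usually means a wrong region or pool ID and would make ID token validation fail.
    if doc.get("issuer") != issuer:
        problems.append(f"discovery issuer is {doc.get('issuer')!r}, expected {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(key + " is missing or not served over https")
    # Pool-level advertisement only: the app client's scope selection (step 4) is not visible here.
    missing = {"openid", "email", "profile"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

def fetch_discovery(issuer: str) -> dict:
    """Download the live discovery document (needs network access)."""
    with urlopen(issuer + "/.well-known/openid-configuration", timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or "ok")
```

   Run it against a real pool with `check_discovery(issuer, fetch_discovery(issuer))`; an empty result confirms the Issuer URL, but the `Profile` scope still has to be enabled on the app client itself as described in step 4.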

5. Adjust **Sign-up** settings to your needs

   * Disable **Self-registration** if you want to limit access to your application.
   * With Sign-up disabled, you may need to manage users under *User management* manually.

6. Continue with the SSO configuration in Ona by [clicking *Save & Test*](/ona/sso/overview#setting-up-single-sign-on).
