There is a user pool, a local user in it, and a federated identity provider (in my case it's SAML for Azure). There is also a Lambda function set on the Pre sign-up trigger which links the new federated user to the existing local one using admin_link_provider_for_user (with the related permission provided). When the user is assigned, regardless of the local user's email_verified status, it turns out to be False. Is there a way to make it True automatically?
I've tried to set it with:
event['response']['autoVerifyEmail'] = True
and
event['request']['userAttributes']['email_verified'] = True
in the Lambda function, and also used admin_update_user_attributes from the same Lambda on email_verified, but it didn't work in any of these ways.
Any ideas how to make it work?
It is because, for a Federated User, the values come from attribute mapping.
When you link a Federated Identity to a Native Cognito User, attributes are merged and:
As a Federated User has no mapping to email_verified, the value from the merge is coming from the Native Cognito User.
As for merging you used AdminLinkProviderForUser call, do right after an AdminUpdateUserAttributes call on the Native Cognito User bound to the federated identity to update the email_verified attribute to true.
As a justification, event['response']['autoVerifyEmail'] = True is meant for Native Cognito User sign-up control, not federated.