IAM Identity Center vs Cognito: Workforce SSO vs Customer Auth on AWS

<div class="quick-answer">

**Quick Answer:** IAM Identity Center is for your workforce — staff, admins, support engineers — federating to AWS accounts, Q Business, Redshift, QuickSight. Cognito is for your customers — end users of your SaaS, sign-up and sign-in, JWT issuance. They are not interchangeable; most platforms run both.

</div>

The single most common identity question on AWS is "do we use Identity Center or Cognito?" — and the answer is usually "both, for different audiences." Confusing them leads to one of two wrong calls: trying to put customer end users in Identity Center (it does not scale that way), or trying to use Cognito for AWS console access (it does not federate IAM that way).

This comparison is written for SaaS architects designing identity for multi-tenant platforms.

## The Core Distinction: Audience

**IAM Identity Center** (formerly AWS Single Sign-On) is the AWS-native workforce identity service. Audience: your employees, contractors, support engineers, and admins who need access to AWS accounts and identity-aware AWS services. It federates from your corporate IdP (Okta, Microsoft Entra ID, Google Workspace, Ping, JumpCloud) via SAML 2.0 + SCIM, and propagates the human identity into Q Business, Q Developer, Redshift, QuickSight, S3 Access Grants, and Athena.

**Amazon Cognito** is a customer-facing user directory. Audience: the end users of your SaaS — your tenants, your application's signups, the people who pay for your product. Cognito provides hosted sign-up and sign-in flows, MFA, social and SAML federation (so your enterprise customers can SSO into your product), JWT issuance for API authentication, and customizable Lambda triggers for auth event logic.

The right way to think about it: **Identity Center is for the people who work on your product; Cognito is for the people who use your product.**

## What Each Service Does

**IAM Identity Center:**

- Federates from your IdP (SAML 2.0 + SCIM provisioning)
- Issues short-lived AWS credentials via permission sets (up to 12-hour session)
- AWS access portal (one URL for staff to access every AWS account they have rights to)
- AWS CLI v2 integration (`aws configure sso`)
- Identity propagation into Q Business, Redshift, QuickSight, S3 Access Grants, Athena
- Multi-account ABAC via SCIM attribute mapping → permission set session tags
- CloudTrail logs the human identity, not just the role ARN

**Amazon Cognito:**

- Hosted UI for sign-up, sign-in, MFA, password reset
- User pool with custom attributes, password policy, MFA enforcement
- SAML 2.0 and OIDC federation (your enterprise customers SSO with their IdP)
- Social federation (Google, Apple, Facebook, Amazon)
- JWT (access token + ID token + refresh token) for API authentication
- Lambda triggers for custom auth challenges, sign-up validation, post-confirmation actions
- Adaptive auth and compromised credentials check (Essentials and Plus tiers)
- Identity Pools (separate but related): exchange tokens for AWS IAM credentials

## Cost Comparison (2026)

**IAM Identity Center** is **free**. AWS does not charge for Identity Center itself; you pay only for the AWS services your workforce uses (the credentials Identity Center issues are normal IAM credentials with normal CloudTrail billing). The cost is on the IdP side (Okta, Entra ID seat licenses) and the engineering time to wire SCIM and permission sets correctly.

**Cognito** (2024 reprice):

- **Lite:** $0.005 per MAU — basic user pool, no advanced features
- **Essentials:** $0.015 per MAU — includes adaptive auth, compromised credentials, MFA
- **Plus:** $0.020 per MAU — includes feature-rich token customization, advanced security

50K MAU on Essentials: ~$750/month. 500K MAU on Essentials: ~$7,500/month. Federation (SAML, OIDC, social) is included; SMS MFA bills separately at SNS rates (typically $0.01–$0.10 per SMS depending on region).

**Combined typical SaaS spend:** Identity Center is free for your 50–500 staff; Cognito scales with your customer count. A 100K-MAU SaaS on Essentials sits at ~$1,500/month for customer auth.

## Decision Framework

Use **IAM Identity Center** when:

- Audience is your workforce (employees, contractors, internal support)
- Use case is AWS console access, AWS CLI access, or identity-aware AWS service access (Q Business, Redshift, QuickSight)
- You have a corporate IdP (Okta, Entra ID, Google Workspace) and want to federate it
- You need identity propagation for compliance audit logs (CloudTrail by human, not by role)

Use **Cognito** when:

- Audience is your customers (SaaS end users, tenants, app users)
- Use case is application authentication, JWT issuance, sign-up flows
- You need social or SAML federation for tenant SSO
- You need MFA for customer accounts

Use **both** when (the common case for B2B SaaS):

- Identity Center for your engineering, support, and admin teams to access AWS
- Cognito for your tenant end users to authenticate into your product
- Verified Permissions on top of Cognito for tenant authorization (row-level security, RBAC, delegation)

## Multi-Tenant SaaS Architecture We Use

For typical B2B SaaS with hundreds of tenants:

1. **One Cognito user pool**, with `tenant_id` as a custom attribute on every user
2. **Per-tenant SAML federation** via Cognito identity providers — your enterprise tenants bring their Okta / Entra and SSO into your product without touching their users
3. **JWT claims include `tenant_id`** — your application enforces tenant scoping on every API call
4. **Verified Permissions for authorization** — Cedar policies define role-based and ABAC access; AppSync `BatchIsAuthorized` for graph queries
5. **API Gateway / AppSync authorizer** integrates Cognito for authentication + Verified Permissions for authorization
6. **CloudWatch and Cognito user-event logs** feed Security Hub for audit evidence

For workforce access into AWS (operating the SaaS):

1. **IAM Identity Center connected to Okta / Entra** via SAML + SCIM
2. **Permission sets per role** (Engineer, SRE, Support, Read-Only-Auditor) assigned via groups
3. **Identity-aware Q Business workspace** for internal data Q&A — propagates the human identity into the LLM context
4. **CloudTrail logs the human** — auditors see "user@yourcompany.com performed s3:GetObject" instead of an anonymous role ARN

## When You Outgrow Native AWS Identity

For Identity Center: most workforces stay on it indefinitely — it integrates well with major IdPs and AWS-side services. You leave only if your IdP demands a feature Identity Center cannot mediate (rare).

For Cognito: you outgrow it when:

- You need very custom JavaScript-heavy sign-up flows (Auth0 / Stytch / WorkOS / Clerk)
- You need passwordless / magic-link / passkey-first auth at scale (Stytch, Clerk, AWS support exists but is more DIY)
- You need a customer-facing identity admin product (B2B platforms often pick WorkOS for this)
- You operate at very large MAU counts (>5M) where Cognito pricing becomes meaningful and the alternative platforms compete

For most regulated SaaS, healthtech, and fintech building on AWS, the Identity Center + Cognito + Verified Permissions trio is the right call.

## Related Reading

- [Choosing an AWS identity service](https://docs.aws.amazon.com/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.html) — official AWS decision guide (workforce vs customer vs workload identity)
- [AWS Cloud Security service](/services/aws-cloud-security/) — IAM hardening included
- [IAM & Access Control subtopic hub](/security-compliance/iam-access-control/)
- [IAM Identity Center workforce SSO guide](/blog/aws-iam-identity-center-workforce-sso-identity-propagation/)
- [Cognito for SaaS guide](/blog/aws-cognito-authentication-for-saas-applications/)
- [Verified Permissions / Cedar guide](/blog/amazon-verified-permissions-cedar/)
- [Security & Compliance hub](/security-compliance/)