I've been digging into setting up custom auth for AWS SFTP and it's one hell of a black hole. There are lots of references to being able to use a custom IdP, but no concrete examples.
We're using Active Directory and currently have AWS SSO set up, so federating with SAML seems possible, in theory. For my test instance, I have a Microsoft AD set up in Directory Services with SSO enabled.
Amazon's example provides a CloudFormation template that is largely based on a Lambda function. The Lambda function is very simple and validates a password hardcoded into the Lambda against Amazon Secrets. Obviously, that isn't practical.
Has anyone done this? How were you able to get it working?
I guess an alternate question would be: has anyone used a Lambda to authenticate against AD?
Here are some resources I've looked at. Only the one on Cognito User Pools provides a detailed walkthrough of any sort of alternate setup. We may be able to use Cognito Identity Pools, but User Pools are not something that will work in our use case.
AWS Docs on Custom Auth for SFTP
Integrate SFTP with Cognito User Pools
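For anyone landing here with the same question, the following is an added example (not code from the post above and not AWS's sample template) of what the custom identity provider Lambda actually has to return. It assumes the Lambda-backed AWS Transfer contract: the event carries `username`, `password` (absent for key-based logins), `serverId`, `protocol` and `sourceIp`, and the function answers with `Role`, `HomeDirectory`, `Policy` and optionally `PublicKeys`, or an empty dict to reject the login. The user table, server ID, role ARN, bucket name and SSH key string are constructed placeholders; in a real deployment the lookup would be a Secrets Manager read or an LDAP bind against AD, which is the part the question is about and which this block deliberately keeps pluggable behind `verify_password`.

```python
"""Lambda handler for an AWS Transfer custom identity provider (added example).

Assumed contract (Lambda-backed custom IdP):
  event    : {"username", "password", "serverId", "protocol", "sourceIp"}
             "password" is absent or empty for key-based logins
  response : {"Role", "HomeDirectory", "Policy", "PublicKeys"}
             an empty dict tells Transfer to deny the login
"""
import hashlib
import hmac
import json
import re

# Assumed identifiers (placeholders); replace with your own.
EXPECTED_SERVER_ID = "s-0123456789abcdef0"
USER_ROLE_ARN = "arn:aws:iam::123456789012:role/sftp-user-role"
HOME_BUCKET = "example-sftp-bucket"

# Transfer's username rule: 3-100 chars from a restricted set; also keeps
# path characters out of the HomeDirectory we build from it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_@.-]{2,99}$")


def hash_password(password: str, salt: str) -> str:
    """PBKDF2-SHA256 so no cleartext password is stored in the function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed sample directory: alice uses a password, bob a key only.
# The key string is a placeholder, not real key material.
USERS = {
    "alice": {"salt": "n3v3r-reuse", "pw_hash": hash_password("correct horse", "n3v3r-reuse"),
              "public_keys": []},
    "bob": {"salt": None, "pw_hash": None,
            "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForBob bob@example"]},
}
# Used for unknown users so a miss costs the same time as a wrong password.
DUMMY_RECORD = {"salt": "dummy", "pw_hash": hash_password("dummy", "dummy"), "public_keys": []}


def session_policy() -> str:
    """Scope-down policy confining the session to its own home prefix.
    ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory}
    are Transfer policy variables resolved from the returned HomeDirectory."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListHome", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
             "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                        "${transfer:HomeFolder}"]}}},
            {"Sid": "HomeObjects", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
             "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"},
        ],
    }
    return json.dumps(policy)


def verify_password(record: dict, password: str) -> bool:
    """Constant-time comparison of the PBKDF2 hash; key-only accounts never pass."""
    if record["pw_hash"] is None:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["pw_hash"])


def build_response(username: str, record: dict, include_keys: bool) -> dict:
    resp = {
        "Role": USER_ROLE_ARN,
        "HomeDirectory": f"/{HOME_BUCKET}/{username}",
        "Policy": session_policy(),
    }
    if include_keys:
        resp["PublicKeys"] = record["public_keys"]
    return resp


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. Every failure path returns {} (deny)."""
    if event.get("serverId") != EXPECTED_SERVER_ID:
        return {}  # refuse to act as the IdP for any other Transfer server
    username = event.get("username", "")
    if not USERNAME_RE.match(username):
        return {}
    record = USERS.get(username)
    password = event.get("password") or None  # "" counts as no password
    if password is None:
        # Key-based login: return the keys, Transfer checks the signature itself.
        if record is None or not record["public_keys"]:
            return {}
        return build_response(username, record, include_keys=True)
    ok = verify_password(record or DUMMY_RECORD, password) and record is not None
    if not ok:
        return {}
    return build_response(username, record, include_keys=False)
```

Two details matter beyond the happy path: the `serverId` check stops the function from being wired up as the IdP for a server it was not written for, and the `Policy` is what keeps each session inside its own prefix even though every user assumes the same role.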