We are finalising our (University of Auckland) pipeline for sharing survey data as our in-kind contribution, and we would like to confirm that our authentication configuration is compatible.

Broadly, our workflow is:

1. User initiates login via AWS Cognito hosted UI.
2. Cognito federates authentication to the external IdP (Rubin / Gafaelfawr).
3. Rubin IdP will further delegate to CILogon to authenticate the user against their institutional credentials.
4. After successful authentication, Cognito issues JWTs to the user.

We would appreciate feedback about this. Thank you.