How can you add a second IdP without losing roles logic?

[chrispaynter]

I'm checking out this reference app in order to start figuring out how to piece together my own application. It's a great start.

If you wanted to allow sign in with Facebook as well, how are you supposed to be able to associate that login with the groups that are being used for role logic in the application?

Am I right to say that this would require rearchitecting so that the groups are stored on the Identity in the Identity Pool?

Otherwise, how does having the ability to federate identities help here if such pertinent logic to the security of the application is strongly tied to a single IdP (i.e. the Cognito User Pool)?

Thanks!