We've used both dm.zope.saml2 and authticket for SSO between two Plones. authticket is built into Plone and is the cheat's way out. It requires both Plones to run on the same domain. SAML2 involves a few more redirects during login but otherwise works pretty seamlessly.
dm.zope.saml2 works by installing some Zope objects in the ZMI and configuring them differently on the identity provider (where the password is kept) vs. the service provider (the one you never log into).
I documented all this in https://github.com/collective/collective.saml2 (which adds a few things to make installation easier also).
As far as I know, Dieter's package is the only one that has both sides of the SSO to allow Plone-to-Plone SSO, at least with SAML2 (an SSO standard that Active Directory Federated Services and Office365 used, for example). There are other Plone SP/client implementations, but not the IdP part, I believe.
The other thing about SAML2 is that, in addition to allowing your users to not have to log in again, it does this without having to set up any VPN or direct connection between the two Plone sites. It's all done in the browser via redirects. This is unlike integrating LDAP with Plone.
But none of this answers the original question. Cognito isn't SAML2, but it seems like you can hook it up to one, so you could have: app -> Cognito -> Plone (SAML2 IdP), but I don't think that's what you are after. You seem to want Plone -> Cognito -> ... whatever: FB, SAML2, etc. Or it seems like Cognito can just store users and passwords itself.
Like others have said, writing a PASPlugin is not hard and there are plenty of examples out there to copy. Where it has to interact with the user in the browser could be tricky if you are using Volto. dm.zope.saml2, for example, would not work with Volto. I don't know how they intend to deal with these cases.
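
Added example, not part of the post above and not code from dm.zope.saml2 or collective.saml2: a sketch of the "all done in the browser via redirects" point, showing how an SP packs a SAML2 AuthnRequest into a redirect URL and how the IdP unpacks it without any direct SP-to-IdP connection. It assumes the standard SAML2 HTTP-Redirect binding (the post does not say which binding is configured); the hostnames, IDs and function names are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder endpoints (assumptions, not from the post).
SP_ENTITY_ID = "https://sp.example.org/saml2"
SP_ACS_URL = "https://sp.example.org/saml2/acs"
IDP_SSO_URL = "https://idp.example.org/saml2/sso"

def build_authn_request(request_id, issue_instant):
    """SP side: minimal unsigned AuthnRequest document."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
        f'xmlns:saml="{NS["saml"]}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )

def redirect_url(xml, relay_state):
    """SP side: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def idp_receive(url, registered_sps):
    """IdP side: decode what the browser delivered and check it against
    the SPs configured locally (entity ID -> ACS URL)."""
    qs = parse_qs(urlparse(url).query)
    raw = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    # Stdlib parser for brevity; use a hardened one (e.g. defusedxml)
    # for untrusted input in production.
    root = ET.fromstring(raw)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs = root.get("AssertionConsumerServiceURL")
    # The request arrived via the user's browser, so it is untrusted:
    # only respond to an ACS URL registered for that issuer.
    if registered_sps.get(issuer) != acs:
        raise ValueError("unregistered SP or ACS URL")
    return {"issuer": issuer, "acs": acs, "id": root.get("ID"),
            "relay_state": qs["RelayState"][0]}
```

The IdP's only knowledge of the SP is its locally registered metadata, which is why the ACS check matters: everything else in the request passed through the user's browser.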