Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

AWS Identity Centre with Azure AD -"Looks like this code isn't right"

0

I am trying to connects AWS Identity Centre for SSO with Azure AD.

I have configured as per the docs, and for authenticated Azure users I get re-directed to AWS but the error message I get is "Looks like this code isn't right. Please try again."

I have Automatic provisioning enable and working, so only valid users from AzureAD exist in AWS Identity Centre

Can anyone suggest where I can look next?

Themen
Sicherheit, Identität & Konformität
Tags
AWS Identity and Access Management
Sprache
English
Indy Bains
gefragt vor einem Jahr2074 Aufrufe
3 Antworten
0
Akzeptierte Antwort

this was resolved for me with the below resolution

If you have allowed Guest Users for your Azure AD and you would like to use those users to authenticate to AWS : This creates a mismatch between the username received in the SAML response from the AD and the actual username in AWS IAM Identity Center.

Resolution

To resolve this issue, may you kindly consider modifying the user claims sent with the SAML response to AWS SSO from Azure, so that, you can send the correct attribute for your guest AD users [1][2]. Please follow the following steps:

1. Login to your Azure portal and navigate to Azure AD Directory
2. Select Enterprise application from the left pane and select the required AWS application
3. Navigate to "Single Sign on" tab from the left pane
4. Click on Edit button next to "User Attributes & Claims"
5. Select the "Unique User Identifier (Name ID)" under Required Claims.
6. Now we would need to create two claim conditions (present at the bottom the screen), one for your AD users and other for your Guest users as follows.

	Members    		-   Attribute    -     user.userprincipalname
	Guests        	-   Attribute    -     user.mail

7. Save the edits and try the login process again and you should be able to log in. You might need to clear your browser cache completely.
Indy Bains
beantwortet vor einem Jahr
profile picture
EXPERTE
Sedat Salman
überprüft vor 4 Monaten
0

Hi,

Thank you for reaching out to us! This error might usually occur if there is a mis-match between the user information carried in the SAML request, and the information for the user in IAM Identity Center. Please refer to the following documentation for common reasons for this issue and expectations from Identity Center:

If you need assistance with troubleshooting this issue, I recommend opening a support case so we are able to look into your resource configurations and assist in detail. re:Post is a public platform, and therefore, for security and privacy reasons please refrain from sharing any resource configuration details over this platform.

AWS
SUPPORT-TECHNIKER
Sumukhi_P
beantwortet vor einem Jahr
0

Hello Team,

I've tried applying the claim configuration and yet it doesn't work.

Also, on the suggestion which stats "mis-match between the user information carried in the SAML request, and the information for the user in IAM Identity Center", I have set the Source Type as "External Identity Provider" in which I am not allowed to create the users. If that's the case, how do I resolve the issue?

Thanks!

Regards, Jay.

Mouyse
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt