Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

integrate AWS Cognito with Google Workspace using SAML integration

0

I have some applications served to my company users on EKS (i.e., Jenkins). In company we use Google Workspaces (GSuite) for email and stuff. So I want to allow users to login with Google creds to those applications I serve. I figured out I could use Cognito to achieve it but I cannot connect those and flow end with Google showing 403. Error: app_not_configured_for_user". In their documentation I can find:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

but how do I debug it? I do not see a logs from both AWS and Google sides :/

I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page but they do not provide exact scenario for AWS Cognito. Anyways all of those are very similar so I guess I shouldn't have problems, but I do have.

What I did:

  • In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
  • I downloaded metadata file
  • In AWS Cognito console I created User Pool
  • I created IdP provider and uploaded metadata file there
  • I created application client
  • Using those values I filled fields ACS URL and Entity ID in Google Admin using values:
    • ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
    • Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
  • I also selected Name ID format to be Persisted
  • In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  • In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.

And now when I click View Hosted UI in AWS console it will redirect me to Google authentication and after it directly to before mentioned 403 app_not_configured_for_user page.

I tied it 3 times with slightly different configurations of mapping, signed responses, etc. but nothing gets me past that error.

Anyone tried to integrate it?

Themen
Sicherheit, Identität & Konformität
Tags
Amazon Cognito
Sprache
English
AWS-User-2452855
gefragt vor 2 Jahren307 Aufrufe
1 Antwort
0

To debug this issue, I suggest generating a HAR file.[1] It will contain the SAML request and response to allow you to dive deeper into any potential configuration issues. For additional help, I suggest opening a ticket with AWS Support.

AWS
AWS-User-7083746
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt