1 Answer
I found the problem. After looking closely at the username (aka IdP sub) attribute, I noticed they were all lowercase letters. For some reason, Cognito is changing the sub sent by the IdP.
- The sub returned by Cognito mapped to username: microsoft_ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
- After cleaning up, I was setting my SourceUser.ProviderAttributeValue to: ggp_c-q7nrodmtft5r0gt79offfxwcjazbj37ncz0qa
- But the real 'sub' sent by the IdP is: GGp_c-Q7nrOdmtFt5R0gt79OfFfXWcjaZBj37NcZ0qA (notice the actual sub has uppercase and lowercase letters). This results in the error: Invalid ProviderName/Username
The fix is that you have to set your SourceUser.ProviderAttributeValue to the original IdP sub.
- Go to Sign-up Experience
- Create a new custom attribute: 'custom:sub'
- Go to Sign-In Experience and click on your IdP provider, in my case I named it "Microsoft"
- Scroll down to the mapping section, and map 'custom:sub' to OIDC attribute sub
- Go to App Integration and click on your client app
- Scroll to Attribute read and write permissions, and make sure 'custom:sub' has read/write permissions (otherwise Cognito won't return it)
Now update your AdminLinkProviderForUser function and set SourceUser.ProviderAttributeValue to event.request.userAttributes['custom:sub'].
I used an if statement because this is only needed for Azure AD OIDC; this code is not needed if you are using Azure SAML or other social providers.
```javascript
// event.userName for a federated user has the form "<provider>_<sub>"
let SourceProviderUsername = event.userName.substring(event.userName.indexOf('_') + 1);
const SourceProviderName = event.userName.substring(0, event.userName.indexOf('_'));
// if the IdP provider is "Microsoft", set SourceProviderUsername to the real sub
if (SourceProviderName === 'microsoft') {
  SourceProviderUsername = event.request.userAttributes['custom:sub'];
}
// set the rest of the fields required to call AdminLinkProviderForUser
```
That was 3 days of battling this issue, I hope I can save you some time.
answered 2 months ago
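The linking logic described in the answer above, written out as an added example (this is not the answerer's code). It builds the full AdminLinkProviderForUser request for a PreSignUp_ExternalProvider trigger event, takes the original-case sub from 'custom:sub' only for providers flagged as needing it, and fails loudly when the attribute is missing (the symptom of a wrong mapping or a missing read permission). The provider table, the sample event, the destination username and the SDK-client wiring are assumptions made for illustration.

```javascript
// Added example, not the answerer's code. Pure helpers that build the
// AdminLinkProviderForUser request for a Cognito PreSignUp_ExternalProvider
// event, applying the custom:sub override for the OIDC provider.

// Assumed provider table: key = lowercase prefix Cognito puts in event.userName,
// configuredName = the IdP name as created in the user pool,
// useCustomSub = provider needs the original-case sub from 'custom:sub'.
const PROVIDER_CONFIG = {
  microsoft: { configuredName: 'Microsoft', useCustomSub: true },
  google: { configuredName: 'Google', useCustomSub: false },
};

// Split "<provider>_<providerSub>", the form Cognito uses for federated usernames.
// Only the first '_' separates the parts; the sub itself may contain underscores.
function splitFederatedUsername(userName) {
  const sep = userName.indexOf('_');
  if (sep < 0) throw new Error(`not a federated username: ${userName}`);
  return {
    providerPrefix: userName.substring(0, sep).toLowerCase(),
    providerUsername: userName.substring(sep + 1),
  };
}

// Build the request for AdminLinkProviderForUser. destinationUsername is the
// existing native Cognito user that the federated identity should link to.
function buildLinkParams(event, destinationUsername, providerConfig = PROVIDER_CONFIG) {
  const { providerPrefix, providerUsername } = splitFederatedUsername(event.userName);
  const provider = providerConfig[providerPrefix];
  if (!provider) throw new Error(`unknown identity provider prefix: ${providerPrefix}`);

  const attrs = event.request.userAttributes || {};
  let sourceProviderUsername = providerUsername;
  if (provider.useCustomSub) {
    // Cognito lowercases the sub inside event.userName; the IdP's sub is
    // case-sensitive, so take the mapped custom:sub instead.
    const originalSub = attrs['custom:sub'];
    if (!originalSub) {
      throw new Error('custom:sub is missing: check the IdP attribute mapping ' +
        'and the app client read permission for custom:sub');
    }
    sourceProviderUsername = originalSub;
  }

  return {
    UserPoolId: event.userPoolId,
    DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: destinationUsername },
    SourceUser: {
      ProviderName: provider.configuredName,
      ProviderAttributeName: 'Cognito_Subject',
      ProviderAttributeValue: sourceProviderUsername,
    },
  };
}

// Trigger handler with the Cognito client injected so it can be exercised
// offline. With AWS SDK v2 the client would be
// new AWS.CognitoIdentityServiceProvider() (assumed wiring, not shown here).
async function preSignUpLink(event, cognito, destinationUsername) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return event;
  const params = buildLinkParams(event, destinationUsername);
  await cognito.adminLinkProviderForUser(params).promise();
  return event;
}

// Constructed sample event mimicking the shape described in the answer
// (placeholder pool id and sub values, not real ones).
function makeSampleEvent() {
  return {
    triggerSource: 'PreSignUp_ExternalProvider',
    userPoolId: 'us-east-1_EXAMPLE',
    userName: 'microsoft_ggp_q7nrmixedcasesub',
    request: {
      userAttributes: {
        email: 'user@example.com',
        'custom:sub': 'GGp_Q7nrMixedCaseSub', // original-case sub mapped from the IdP
      },
    },
  };
}
```

The provider name is looked up from a table rather than reused from event.userName because the prefix Cognito puts in the username is lowercased, while SourceUser.ProviderName has to match the name under which the provider was created in the user pool; keeping the two separate avoids the "Invalid ProviderName/Username" error from a second direction.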