
integrate AWS Cognito with Google Workspace using SAML integration

0

I have some applications served to my company users on EKS (e.g., Jenkins). In the company we use Google Workspace (GSuite) for email and so on. So I want to allow users to log in with their Google credentials to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect the two, and the flow ends with Google showing a 403. Error: "app_not_configured_for_user". In their documentation I can find:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

but how do I debug it? I do not see any logs from either the AWS or the Google side :/

I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do.

What I did:

  • In Google Admin (the one for Workspace) I created a "Web and mobile app" of SAML type
  • I downloaded the metadata file
  • In the AWS Cognito console I created a User Pool
  • I created an IdP provider and uploaded the metadata file there
  • I created an application client
  • Using those values I filled in the ACS URL and Entity ID fields in Google Admin with:
    • ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
    • Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
  • I also selected the Name ID format to be Persistent
  • In attribute mapping I mapped the email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  • In AWS Cognito I enabled the Hosted UI and also created a mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the email field.

And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and, after that, directly to the aforementioned 403 app_not_configured_for_user page.

I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error.

Anyone tried to integrate it?

asked 4 years ago, 513 views
2 Answers
0

To debug this issue, I suggest generating a HAR file.[1] It will contain the SAML request and response to allow you to dive deeper into any potential configuration issues. For additional help, I suggest opening a ticket with AWS Support.

AWS
answered 3 years ago
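The check that Google's documentation (quoted in the question) asks for, and that a HAR capture makes possible, can be scripted. The block below is an added example and is not part of the original question or of the AWS answer. It walks a HAR file, pulls out every SAMLRequest (sent by Cognito to Google on the query string, i.e. HTTP-Redirect binding: base64 of raw DEFLATE) and every SAMLResponse (posted by Google back to /saml2/idpresponse, i.e. HTTP-POST binding: plain base64), decodes them, and compares the saml:Issuer of the AuthnRequest character-for-character with the Entity ID you typed into Google Admin. The HAR content, the Google SSO URL with its idpid, the NameID value and the Entity ID as entered in Google Admin (deliberately lower-cased to show the case-sensitive failure) are all constructed for the example; the pool ID and ACS URL are the ones from the question.

```python
"""Added example: find and decode SAML messages in a HAR capture of a Cognito
Hosted UI login and check the AuthnRequest Issuer against the Entity ID
configured in Google Admin. Sample HAR below is constructed, not a real capture."""
import base64
import json
import sys
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_param(value, deflated):
    """HTTP-Redirect binding carries base64(deflate(xml)); HTTP-POST binding
    carries base64(xml). The caller decides from where the parameter was found."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # raw DEFLATE, no zlib header
    return raw.decode("utf-8")


def saml_params_from_har(har):
    """Return every SAMLRequest / SAMLResponse in the capture, decoded to XML."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = req["url"]
        sources = [(urllib.parse.urlparse(url).query, True)]  # query string: Redirect binding
        body = req.get("postData", {}).get("text", "")
        if body:
            sources.append((body, False))  # form body: POST binding
        for qs, deflated in sources:
            params = urllib.parse.parse_qs(qs)
            for name in ("SAMLRequest", "SAMLResponse"):
                if name in params:
                    found.append({"kind": name, "url": url,
                                  "xml": decode_saml_param(params[name][0], deflated)})
    return found


def request_issuer(xml):
    """saml:Issuer of an AuthnRequest: this is what Google compares to the Entity ID."""
    issuer = ET.fromstring(xml).find(f"{{{SAML}}}Issuer")
    return issuer.text.strip() if issuer is not None and issuer.text else ""


def response_summary(xml):
    """Status, NameID (value and format) and attribute names of an unencrypted Response."""
    root = ET.fromstring(xml)
    name_id = root.find(f".//{{{SAML}}}NameID")
    status = root.find(f".//{{{SAMLP}}}StatusCode")
    return {"status": status.get("Value") if status is not None else None,
            "name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "attributes": [a.get("Name") for a in root.iter(f"{{{SAML}}}Attribute")]}


def check_entity_id(issuer, configured):
    """Google's comparison is case-sensitive, so report a case-only difference explicitly."""
    if issuer == configured:
        return True, "Entity ID matches"
    if issuer.lower() == configured.lower():
        return False, f"case mismatch: request says {issuer!r}, Google Admin has {configured!r}"
    return False, f"mismatch: request says {issuer!r}, Google Admin has {configured!r}"


def run_check(har, configured):
    results = []
    for item in saml_params_from_har(har):
        if item["kind"] == "SAMLRequest":
            ok, why = check_entity_id(request_issuer(item["xml"]), configured)
            results.append((item["kind"], ok, why))
        else:
            results.append((item["kind"], None, response_summary(item["xml"])))
    return results


# ---- constructed sample capture (the idpid, IDs and NameID are made up) ----
def _redirect_encode(xml):
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()

AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" AssertionConsumerServiceURL='
    '"https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse">'
    '<saml:Issuer>urn:amazon:cognito:sp:us-east-1_myPoolId</saml:Issuer></samlp:AuthnRequest>')
SAML_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_res1" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:01Z"><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:01Z"><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>'
    '</saml:Subject><saml:AttributeStatement><saml:Attribute '
    'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
    '<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://accounts.google.com/o/saml2/idp?idpid=C0example"
                 "&SAMLRequest=" + urllib.parse.quote(_redirect_encode(AUTHN_REQUEST), safe="")}},
    {"request": {"method": "POST",
                 "url": "https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse",
                 "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "SAMLResponse="
                              + urllib.parse.quote(base64.b64encode(SAML_RESPONSE.encode()).decode(), safe="")
                              + "&RelayState=x"}}}]}}
GOOGLE_ADMIN_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_mypoolid"  # assumed typo: wrong case

if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for kind, ok, detail in run_check(har, GOOGLE_ADMIN_ENTITY_ID):
        print(kind, "OK" if ok else "CHECK", detail)
```

To use it on a real capture, export the HAR from the browser's network panel with "preserve log" on before clicking View Hosted UI, set GOOGLE_ADMIN_ENTITY_ID to exactly what Google Admin shows, and run the script with the HAR path as its argument. In the failing scenario from the question the capture will contain only the SAMLRequest, since Google rejects the request before ever posting a SAMLResponse to the ACS URL.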
0

Hi, I noticed that you're experiencing an issue with integrating Google Workspace with AWS Cognito, and I'm encountering the same problem. Have you by chance found a solution, or could you provide a guide on how you approached the configuration? Any information you could share would be greatly appreciated! Thank you!

answered a year ago
