Azure Guest accounts can't sign in using AWS SSO with Azure SAML

3

AWS SSO with Azure using SAML works only for users that were created in the Azure tenant as internal users. These users can sign in with SSO successfully.

However, whenever we invite an external user/guest to our Azure tenant, their UPN "username" gets a #EXT# prefix added. I believe this is causing issues for them to sign in using SSO in AWS. AWS SSO returns a "Looks like this code isn't right. Please try again" error.

Steps to reproduce

  1. Set up AWS SSO with Azure AD using SAML (including provisioning through SCIM)
  2. Create a new external user in Azure AD. Notice that their User Principal Name gets #EXT#
  3. Assign permissions to this Azure AD user so it is allowed to sign in to AWS
  4. Sign in with this user into AWS SSO through the SSO link mentioned in AWS dashboard
  5. Notice you get the "looks like this code isn't right. Please try again" error

Now do the same steps but create an internal user. You will notice this works.

azure guest account

Mike
posted a year ago, 2376 views
5 Answers
2

Since AZURE is a Microsoft product we just hacked it.. One of our 'Super Admins' on Azure updated the 'User Principal Name' and removed the #EXT# and then we forced a re-provision for those users from AZURE to AWS and the users can login now.

Sdunt
answered a year ago
  • It works by removing the #EXT# but it's not ideal. We need to remember ourselves whenever we invite an external user to our AWS account that we need to edit their User Principal Name. Ideally AWS SSO should handle the hashtag so it works out of the box... or Microsoft shouldn't use hashtags in their external users, but I don't think they will change this.

1

You can configure a transform in AzureAD to return the email address value instead of the UPN for any claims that contain #EXT#. Make sure 'Specify output if no match' is set to user.userprincipalname (or whatever you normally use) for regular azure members.

For a vanilla SAML configuration, that would be the following claims:

  • Unique User Identifier (nameidentifier)
  • name


answered a year ago
  • This is a great solution. Thanks for posting it.

    Note for others, I also had to make sure that all users had First and Last Names set in Azure AD

1

Make sure you have populated the first, last and display name of the user. It fixed this issue for us.


answered a year ago
0

Yep, I am getting the same error but with Google Workspace as a provider.

answered a year ago
0

These steps worked for me:

Steps from link above: Login to your Azure and navigate to Azure AD

In left menu, Click ‘Enterprise applications’

Choose your AWS SSO app

In left menu, click ‘Single Sign On’

Under ‘User attributes and claims’ — Click edit

Under Required claim, for the ‘Claim name’ = ‘Unique User Identifier (Name ID)’, click the value column

Click the ‘Source attribute’ dropdown and select ‘user.mail’ (take a screenshot of the current value in case you want to roll back)

Click ‘Save’. Now you can open a private browser window and give it a try with your own email id. It should work.

Then ask your Guest user to try via an incognito browser tab. It worked for my Guest user as well.

AB
answered 8 months ago
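The claim transform described in the answer above (emit user.mail for #EXT# guests, fall back to the UPN otherwise) and the "populate first, last and display name" prerequisite from the other answers can be checked offline before a guest is provisioned. The following is an added example, not code from the thread or from AWS or Microsoft; the record shape, the `email_from_guest_upn` fallback and the sample users are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class AadUser:
    """Minimal Azure AD user record (assumed shape, not a Graph object)."""
    user_principal_name: str
    mail: Optional[str]
    given_name: Optional[str]
    surname: Optional[str]
    display_name: Optional[str]

# Guest UPNs carry the literal marker before the tenant domain.
GUEST_MARKER = re.compile(r"#EXT#@")

def is_guest_upn(upn: str) -> bool:
    return GUEST_MARKER.search(upn) is not None

def email_from_guest_upn(upn: str) -> str:
    """Assumption: guest UPNs look like 'alice_example.com#EXT#@tenant', where the
    last '_' before #EXT# stood in for '@' of the invited address."""
    local = upn.split("#EXT#", 1)[0]
    head, sep, domain = local.rpartition("_")
    if not sep or not head or not domain:
        raise ValueError(f"cannot decode guest UPN {upn!r}")
    return f"{head}@{domain}"

def name_id_claim(user: AadUser) -> str:
    """Emulates the Azure AD claims transform from the answer: return user.mail
    when the UPN contains #EXT#, otherwise the UPN ('Specify output if no match')."""
    if not is_guest_upn(user.user_principal_name):
        return user.user_principal_name
    # Prefer the directory's mail attribute; decode the UPN only if it is empty.
    return user.mail or email_from_guest_upn(user.user_principal_name)

def provisioning_problems(user: AadUser) -> list:
    """Pre-flight checks from the other answers: SCIM provisioning to AWS SSO
    needs first, last and display name; a guest with no mail would otherwise
    be sent with the #EXT# UPN as NameID."""
    problems = []
    for label, value in (("givenName", user.given_name),
                         ("surname", user.surname),
                         ("displayName", user.display_name)):
        if not value:
            problems.append(f"missing {label}")
    if is_guest_upn(user.user_principal_name) and not user.mail:
        problems.append("guest has no mail attribute; NameID would fall back to UPN decoding")
    return problems
```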
