integrate AWS Cognito with Google Workspace using SAML integration

0

I have some applications served to my company users on EKS (i.e., Jenkins). In the company we use Google Workspace (GSuite) for email and so on. So I want to allow users to log in with Google credentials to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect those and the flow ends with Google showing a 403 "Error: app_not_configured_for_user". In their documentation I can find:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

but how do I debug it? I do not see any logs from either the AWS or the Google side :/

I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do.

What I did:

  • In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
  • I downloaded metadata file
  • In AWS Cognito console I created User Pool
  • I created IdP provider and uploaded metadata file there
  • I created application client
  • Using those values I filled in the ACS URL and Entity ID fields in Google Admin with:
    • ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
    • Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
  • I also selected the Name ID format to be Persisted
  • In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  • In AWS Cognito I enabled the Hosted UI and also created a mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the email field.

And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and, right after it, to the aforementioned 403 app_not_configured_for_user page.

I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error.

Anyone tried to integrate it?

Asked 2 years ago, 297 views
1 answer
0

To debug this issue, I suggest generating a HAR file.[1] It will contain the SAML request and response to allow you to dive deeper into any potential configuration issues. For additional help, I suggest opening a ticket with AWS Support.

AWS
Answered 2 years ago
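The answer above points at the HAR file; the Google error text quoted in the question says what to look for in it (saml:Issuer must equal the Entity ID, case-sensitively). The script below, an added example that is not part of the question or of AWS's answer, pulls every SAMLRequest out of a HAR capture, decodes it for both the HTTP-Redirect binding (raw DEFLATE + base64 in the query string) and the HTTP-POST binding (base64 in the form body), and compares the Issuer with the Entity ID the question configured. The HAR it runs on is constructed inline (the `idpid` value and the pool id are placeholders); run it against a real capture by passing the `.har` path as the first argument.

```python
"""Check saml:Issuer in the AuthnRequests found in a HAR capture against the
Entity ID configured in Google Admin. Added example, not the original post's
code; SAMPLE_HAR below is constructed, not a real capture."""
import base64
import json
import sys
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Entity ID exactly as the question entered it in Google Admin (placeholder pool id).
EXPECTED_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_myPoolId"


def decode_saml_request(value: str, deflated: bool) -> str:
    """Redirect binding: base64(raw DEFLATE(xml)); POST binding: base64(xml)."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
    return raw.decode()


def saml_requests_from_har(har: dict) -> list:
    """Return (url, AuthnRequest XML) for every HAR entry carrying a SAMLRequest,
    whether in the query string (Redirect binding) or the form body (POST binding)."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = req["url"]
        query = parse_qs(urlparse(url).query)
        if "SAMLRequest" in query:
            found.append((url, decode_saml_request(query["SAMLRequest"][0], deflated=True)))
            continue
        form = parse_qs(req.get("postData", {}).get("text", ""))
        if "SAMLRequest" in form:
            found.append((url, decode_saml_request(form["SAMLRequest"][0], deflated=False)))
    return found


def issuer_of(authn_request_xml: str) -> str:
    """saml:Issuer is a direct child of samlp:AuthnRequest."""
    node = ET.fromstring(authn_request_xml).find(f"{{{SAML}}}Issuer")
    return (node.text or "").strip() if node is not None else ""


def check_issuer(har: dict, expected: str) -> list:
    """One result per AuthnRequest; the comparison is case-sensitive, as Google's docs state."""
    results = []
    for url, xml_text in saml_requests_from_har(har):
        issuer = issuer_of(xml_text)
        results.append({"url": url, "issuer": issuer, "matches": issuer == expected})
    return results


# --- Constructed sample HAR (two AuthnRequests, one per binding) ---
def _authn_request(issuer: str) -> str:
    # Minimal AuthnRequest in the shape an SP sends; all values are constructed.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed" Version="2.0" IssueInstant="2022-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def _redirect_entry(issuer: str) -> dict:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(_authn_request(issuer).encode()) + comp.flush()
    param = quote(base64.b64encode(deflated).decode(), safe="")  # '+', '/', '=' percent-encoded
    return {"request": {"method": "GET",
                        "url": "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER&SAMLRequest=" + param}}


def _post_entry(issuer: str) -> dict:
    param = quote(base64.b64encode(_authn_request(issuer).encode()).decode(), safe="")
    return {"request": {"method": "POST", "url": "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER",
                        "postData": {"mimeType": "application/x-www-form-urlencoded",
                                     "text": "SAMLRequest=" + param + "&RelayState=constructed"}}}


# First entry's Issuer differs from the Entity ID only in case (a mismatch for Google);
# the second entry matches exactly.
SAMPLE_HAR = {"log": {"entries": [
    _redirect_entry("urn:amazon:cognito:sp:us-east-1_MYPOOLID"),
    _post_entry(EXPECTED_ENTITY_ID),
]}}

if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for r in check_issuer(har, EXPECTED_ENTITY_ID):
        print("OK      " if r["matches"] else "MISMATCH", r["issuer"], r["url"][:70])
```

If the script reports a mismatch, the Issuer it prints is the string to paste into the Entity ID field in Google Admin (or vice versa); if every Issuer matches, the Entity ID is not the problem and the SAMLResponse in the same capture is the next thing to read.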
