First check for spaces. It is pretty easy in the Azure AD console to add a space before the relay state (and other fields) and cause issues.
If you remove the relay state, does it federate as expected? This should land you right on the AWS management console. If this works, you know for sure it is the relay state.
Can you post a redacted version of your relay state? Don't include your account number - here is mine as an example for us-east-1.
https://appstream2.us-east-1.aws.amazon.com/saml?stack=Office-Stack&accountId=012345678910
Thanks for your answer. I'll check for spaces (good call) and test it without the Relay State entry. I can tell you that if I am logged in to the AWS console and then access the Azure App (non-incognito window) to redirect to AWS AppStream, the portal refreshes and I can see the role logged into the console. That tells me that we got through the SAML authentication and actually got logged in to AWS via the role. The redirect to AppStream seems to be the problem somehow. Here's my relay state URL:
https://appstream2.us-east-1.aws.amazon.com/saml?stack=POCAPStack&accountId=XXXXXXXXXXXX
It turns out that there was a syntax error in the Azure Relay State URL after all, even though I was sure they had fixed it (I had already found this issue). I noticed this when pasting the correct Relay State URL into the window with the 400 error and refreshing: then it would redirect to the AppStream service. The problem was a capital "D" in the accountId variable field (case-sensitive variable). So it was indeed a malformed Relay State URL.
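A small validator that catches the two mistakes discussed in this thread (stray whitespace pasted into the Azure AD field, and a query parameter name with the wrong case such as accountID instead of accountId) before the relay state goes into production. This is an added example, not code from AWS or from the original posters; it assumes the URL shape quoted above and that the account id is the 12-digit AWS account number.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Host of the AppStream 2.0 SAML endpoint, as in the relay states quoted above
# (region assumed to look like us-east-1 / ap-southeast-2 / us-gov-west-1).
HOST_RE = re.compile(r"^appstream2\.[a-z]{2}(-[a-z]+)+-\d\.aws\.amazon\.com$")
# Query parameter names are case-sensitive; "accountID" is not accepted where "accountId" is expected.
REQUIRED = ("stack", "accountId")


def check_relay_state(relay_state: str) -> list:
    """Return the problems found in an AppStream relay state URL; an empty list means it looks fine."""
    problems = []
    if relay_state != relay_state.strip():
        problems.append("leading/trailing whitespace (easy to introduce when pasting into the Azure AD field)")
    url = urlsplit(relay_state.strip())
    if url.scheme != "https":
        problems.append(f"scheme must be https, got {url.scheme!r}")
    if not HOST_RE.match(url.netloc):
        problems.append(f"unexpected host {url.netloc!r}")
    if url.path != "/saml":
        problems.append(f"path must be /saml, got {url.path!r}")
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    for name in REQUIRED:
        if name in params:
            continue
        # Report a near miss that differs only in case, the mistake described in the thread.
        near = [k for k in params if k.lower() == name.lower()]
        if near:
            problems.append(f"parameter {near[0]!r} has the wrong case; expected {name!r}")
        else:
            problems.append(f"missing parameter {name!r}")
    known = {n.lower() for n in REQUIRED}
    for k in params:
        if k.lower() not in known:
            problems.append(f"unexpected parameter {k!r}")
    account = params.get("accountId", "")
    if account and not re.fullmatch(r"\d{12}", account):
        problems.append("accountId must be the 12-digit AWS account number")
    if "stack" in params and not params["stack"]:
        problems.append("stack name is empty")
    return problems


if __name__ == "__main__":
    # Constructed samples: the working example from the answer and a broken variant like the follow-up.
    for rs in (
        "https://appstream2.us-east-1.aws.amazon.com/saml?stack=Office-Stack&accountId=012345678910",
        " https://appstream2.us-east-1.aws.amazon.com/saml?stack=POCAPStack&accountID=012345678910",
    ):
        print(repr(rs), "->", check_relay_state(rs) or "OK")
```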