AWS Identity Centre with Azure AD - "Looks like this code isn't right"

0

I am trying to connect AWS Identity Centre for SSO with Azure AD.

I have configured it as per the docs, and for authenticated Azure users I get redirected to AWS, but the error message I get is "Looks like this code isn't right. Please try again."

I have automatic provisioning enabled and working, so only valid users from Azure AD exist in AWS Identity Centre.

Can anyone suggest where I can look next?

Asked a year ago, 2,074 views
3 answers
0
Accepted answer

This was resolved for me with the resolution below.

If you have allowed Guest Users for your Azure AD and you would like to use those users to authenticate to AWS: this creates a mismatch between the username received in the SAML response from the AD and the actual username in AWS IAM Identity Center.

Resolution

To resolve this issue, may you kindly consider modifying the user claims sent with the SAML response to AWS SSO from Azure, so that you can send the correct attribute for your guest AD users [1][2]. Please follow the following steps:

1. Login to your Azure portal and navigate to Azure AD Directory
2. Select Enterprise application from the left pane and select the required AWS application
3. Navigate to "Single Sign on" tab from the left pane
4. Click on Edit button next to "User Attributes & Claims"
5. Select the "Unique User Identifier (Name ID)" under Required Claims.
6. Now we would need to create two claim conditions (present at the bottom of the screen), one for your AD users and the other for your Guest users, as follows.

    Members  -  Attribute  -  user.userprincipalname
    Guests   -  Attribute  -  user.mail

7. Save the edits and try the login process again and you should be able to log in. You might need to clear your browser cache completely.
Answered a year ago
Expert
Reviewed 4 months ago
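An added diagnostic for the mismatch the accepted answer describes (example code, not from this thread, AWS or Microsoft): it decodes a SAMLResponse captured from your own browser's login to the Identity Center ACS URL and compares the Subject NameID with the usernames that SCIM provisioning created in Identity Center. The SAML responses, the provisioned usernames and the guest UPN below are constructed sample data, and the exact-versus-case-only distinction is this example's own reporting, not a statement of how Identity Center matches.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response posted to the Identity Center ACS URL.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def extract_name_id(saml_response_b64):
    """Return the Subject NameID of a base64-encoded SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no Subject NameID")
    return node.text.strip()

def check_name_id(saml_response_b64, provisioned_usernames):
    """Compare the NameID with the usernames SCIM provisioned into Identity Center.
    Returns (status, name_id); status is 'match', 'case-only' or 'mismatch'."""
    name_id = extract_name_id(saml_response_b64)
    if name_id in provisioned_usernames:
        return "match", name_id
    if name_id.lower() in {u.lower() for u in provisioned_usernames}:
        return "case-only", name_id
    return "mismatch", name_id

def _constructed_response(name_id):
    """Build a minimal unsigned SAML Response for demonstration only (constructed, not captured)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

# Constructed sample: usernames that Azure AD SCIM provisioning created in Identity Center.
PROVISIONED = {"alice@contoso.com", "jay@example.com"}
# Guest user whose NameID is still the Azure AD guest UPN instead of user.mail.
GUEST_UPN_RESPONSE = _constructed_response("jay_example.com#EXT#@contoso.onmicrosoft.com")
# The same guest after the 'Guests -> user.mail' claim condition is in place.
GUEST_MAIL_RESPONSE = _constructed_response("jay@example.com")

if __name__ == "__main__":
    for resp in (GUEST_UPN_RESPONSE, GUEST_MAIL_RESPONSE):
        print(check_name_id(resp, PROVISIONED))
```

Run it against the SAMLResponse value from your own browser's POST to the ACS URL and the usernames listed in the Identity Center console; a 'mismatch' on a guest account is the symptom the claim conditions above fix.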
0

Hi,

Thank you for reaching out to us! This error might usually occur if there is a mismatch between the user information carried in the SAML request, and the information for the user in IAM Identity Center. Please refer to the following documentation for common reasons for this issue and expectations from Identity Center:

If you need assistance with troubleshooting this issue, I recommend opening a support case so we are able to look into your resource configurations and assist in detail. re:Post is a public platform, and therefore, for security and privacy reasons please refrain from sharing any resource configuration details over this platform.

AWS
Support Engineer
Answered a year ago
0

Hello Team,

I've tried applying the claim configuration and yet it doesn't work.

Also, on the suggestion which states "mismatch between the user information carried in the SAML request, and the information for the user in IAM Identity Center", I have set the Source Type as "External Identity Provider", in which I am not allowed to create the users. If that's the case, how do I resolve the issue?

Thanks!

Regards, Jay.

Mouyse
Answered a year ago
