Since Azure is a Microsoft product we just hacked it. One of our 'Super Admins' on Azure updated the 'User Principal Name' and removed the #EXT#, and then we forced a re-provision for those users from Azure to AWS, and the users can log in now.
You can configure a transform in Azure AD to return the email address value instead of the UPN for any claims that contain #EXT#. Make sure 'Specify output if no match' is set to user.userprincipalname (or whatever you normally use) for regular Azure members.
For a vanilla SAML configuration, that would be the following claims:
- Unique User Identifier (nameidentifier)
- name
This is a great solution. Thanks for posting it.
Note for others: I also had to make sure that all users had first and last names set in Azure AD.
Make sure you have populated the first, last and display name of the user. It fixed this issue for us.
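The claim logic described in the replies above (emit user.mail when the UPN carries #EXT#, fall back to user.userprincipalname otherwise, and refuse to issue an assertion when the name attributes are empty), as an added example that is not part of this thread and not Azure AD's own code. The user records, domains and attribute names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the UPN Azure AD gives a B2B guest: the invited address with '@'
# turned into '_', then '#EXT#', then the inviting tenant's domain.
EXT_UPN = re.compile(r"^(?P<local>.+)#EXT#@(?P<tenant>.+)$")


@dataclass
class DirectoryUser:
    """Constructed stand-in for the attributes the IdP reads per user."""
    userprincipalname: str
    mail: Optional[str]
    givenname: Optional[str] = None
    surname: Optional[str] = None
    displayname: Optional[str] = None


def name_id_for(user: DirectoryUser) -> str:
    """Value to issue as NameID / name: mail for guests, UPN for members."""
    if EXT_UPN.search(user.userprincipalname):
        if not user.mail:
            raise ValueError("guest has no mail attribute; cannot map NameID")
        return user.mail
    # 'Specify output if no match' branch: regular members keep their UPN.
    return user.userprincipalname


def missing_attributes(user: DirectoryUser) -> list:
    """Attributes AWS SSO provisioning needs that are empty on this user."""
    required = {"givenname": user.givenname, "surname": user.surname,
                "displayname": user.displayname}
    return [name for name, value in required.items() if not value]


def build_claims(user: DirectoryUser) -> dict:
    """Claims the SAML assertion would carry, or an error if incomplete."""
    missing = missing_attributes(user)
    if missing:
        raise ValueError(f"populate {', '.join(missing)} before assigning the app")
    subject = name_id_for(user)
    return {"nameidentifier": subject, "name": subject,
            "givenname": user.givenname, "surname": user.surname}


# Constructed sample directory: one member and one guest from another tenant.
MEMBER = DirectoryUser("alice@contoso.example", "alice@contoso.example",
                       "Alice", "Adams", "Alice Adams")
GUEST = DirectoryUser("bob_fabrikam.example#EXT#@contoso.onmicrosoft.example",
                      "bob@fabrikam.example", "Bob", "Brown", "Bob Brown")
```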
Yep, I am getting the same error but with Google Workspace as a provider.
These steps worked for me:
Steps from link above:
- Log in to your Azure and navigate to Azure AD.
- In the left menu, click 'Enterprise applications'.
- Choose your AWS SSO app.
- In the left menu, click 'Single Sign On'.
- Under 'User attributes and claims', click Edit.
- Under Required claim, for the 'Claim name' = 'Unique User Identifier (Name ID)', click the value column.
- Click the 'Source attribute' dropdown and select 'user.mail' (try to take a screenshot of the current value in case we want to roll back).
- Click 'Save'. Now you can open a private browser window and give it a try with your own email id. It should work.
Then ask your guest user to test via an incognito browser tab. It worked for my guest user as well.
It works by removing the #EXT#, but it's not ideal. We need to remember, whenever we invite an external user to our AWS account, to edit their User Principal Name. Ideally AWS SSO should handle the hashtag so it works out of the box... or Microsoft shouldn't use hashtags in their external users, but I don't think they will change this.