Issue with Enabling Identity Federation with AD FS 4.0 and Amazon AppStream 2.0

0

My customer have the issue with the SSO integration of AppStream2.0 with ADFS. We followed step by step the guide indicated at the following link : https://aws.amazon.com/it/blogs/compute/enabling-identity-federation-with-ad-fs-3-0-and-amazon-appstream-2-0/ with correct settings for ADFS 4.0. However after the user login to ADFS portal, it's always landed in AWS console, not the Appstream 2.0 stack apps catalog. When the user access RelayStateURL directly, it does go to AppStream 2.0 stack apps catalog. Did anyone encounter the similar issue. Any suggestion what's the cause and how to fix it? Thanks

asked a month ago56 views
2 Answers
0

It's seems like an issue with incorrect relay state URL.. Did you use the relay state generator to generate the user access URL? You can use this portal to generate the same or use this URL https://<adfs_server_fqdn>/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fsignin.aws.amazon.com%252Fsaml%26RelayState%3Dhttps%253A%252F%252Fappstream2.<Region>.aws.amazon.com%252Fsaml%253Fstack%253D<Stack_Name_Case_Sensitive>%2526accountId%253D<aws_accountid_without_hypen> and replace the values in placeholders. For further assistance please open a support case.

answered a month ago
  • I can generate relay state url and access is all right via the url. The problem is on the federation between ADFS and AppStream 2.0. It does not divert to the AppStream 2.0 stack resources. I tested using AppStream 2.0 client and it works as expected.

  • Please open a support case so that we can assist you further with this.

0

Hi, did tech support find a solution for you? We are currently experiencing the exact same problem at our site.

omasse
answered a month ago
  • You will need to use complete URL including relay state if you are using ADFS as you IDP as ADFS doesn't have the option to define relay state URL in the configuration itself. Here is an example URL: https://<adfs_server_fqdn>/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fsignin.aws.amazon.com%252Fsaml%26RelayState%3Dhttps%253A%252F%252Fappstream2.<Region>.aws.amazon.com%252Fsaml%253Fstack%253D<Stack_Name_Case_Sensitive>%2526accountId%253D<aws_accountid_without_hypen>

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions