Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
Issue with Enabling Identity Federation with AD FS 4.0 and Amazon AppStream 2.0
My customer have the issue with the SSO integration of AppStream2.0 with ADFS. We followed step by step the guide indicated at the following link : https://aws.amazon.com/it/blogs/compute/enabling-identity-federation-with-ad-fs-3-0-and-amazon-appstream-2-0/ with correct settings for ADFS 4.0. However after the user login to ADFS portal, it's always landed in AWS console, not the Appstream 2.0 stack apps catalog. When the user access RelayStateURL directly, it does go to AppStream 2.0 stack apps catalog. Did anyone encounter the similar issue. Any suggestion what's the cause and how to fix it? Thanks
- Topics
- End User Computing
- Language
- English
- Newest
- Most votes
- Most comments
It's seems like an issue with incorrect relay state URL.. Did you use the relay state generator to generate the user access URL? You can use this portal to generate the same or use this URL https://<adfs_server_fqdn>/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fsignin.aws.amazon.com%252Fsaml%26RelayState%3Dhttps%253A%252F%252Fappstream2.<Region>.aws.amazon.com%252Fsaml%253Fstack%253D<Stack_Name_Case_Sensitive>%2526accountId%253D<aws_accountid_without_hypen> and replace the values in placeholders. For further assistance please open a support case.
Hi, did tech support find a solution for you? We are currently experiencing the exact same problem at our site.
You will need to use complete URL including relay state if you are using ADFS as you IDP as ADFS doesn't have the option to define relay state URL in the configuration itself. Here is an example URL: https://<adfs_server_fqdn>/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fsignin.aws.amazon.com%252Fsaml%26RelayState%3Dhttps%253A%252F%252Fappstream2.<Region>.aws.amazon.com%252Fsaml%253Fstack%253D<Stack_Name_Case_Sensitive>%2526accountId%253D<aws_accountid_without_hypen>
Hi, I resolved this problem by configuring the relying party Trust in the endpoint tab "https://signin.aws.amazon.com/saml" as the default marking option "Set the trusted URL as default" at index 0 and Restart ADFS service "Restart-Service ADFSSRV".
Relevant content
- asked 3 years ago
I can generate relay state url and access is all right via the url. The problem is on the federation between ADFS and AppStream 2.0. It does not divert to the AppStream 2.0 stack resources. I tested using AppStream 2.0 client and it works as expected.
Please open a support case so that we can assist you further with this.