Mapping SAML2 (external idp) users to Identity Center users
I worked with my university's IT team to connect my AWS Identity Center to our Shibboleth. After a little bit of confusion about the right endpoint to use we got that working at least from the institute side.
I disabled SCIM as I want to manage users and groups directly in Identity Center. I think what this means is that when I want to give a user some access I manually go into Identity Center and create a user for them with the same username and email as what will come out of Shibboleth. I think, then, when someone signs in using SSO, Identity Center will match up the SAML2 response with the User I created, and then any groups etc. will follow. Is that right?
The login part seems to work - Amazon redirects me to our shibboleth login, which then redirects me back. But from there things go awry:
We couldn't complete your request right now. Please try again later.
To try to troubleshoot this I enabled CloudTrail and it's saying this:
"responseElements": {
"ExternalIdPDirectoryLogin": "Failure"
},
I'm not sure why this isn't working, but to begin, do I have this whole process understood correctly?
- Newest
- Most votes
- Most comments
Hello,
I hope you're doing well.
Thank you for reaching out to us with your concern.
I understand that you have few queries related to Mapping SAML2 (external idp) users to Identity Center users. I am answering the queries below:
Q : when someone signs in using SSO, Identity Center will match up the SAML2 response with the User I created, and then any groups etc. will follow. Is that right?
Yes it is correct, When you add users to IAM Identity Center, ensure that you set the user name to be identical to the user name that you have in your IdP. At a minimum, you must have a unique email address and user name. To know more about the Manual provision, please follow the AWS Documentation[1].
Error : ""ExternalIdPDirectoryLogin": "Failure""
From this error we can see that the ExternalIDPDirectoryLogin got failed. It can be of any reason like username mismatch or attribute mappings. But without SAML Assertion we can't able to comment on this. To troubleshoot further we require SAML assertion to dive deep into this issue.
Hence, I would request you raise a support case ticket, where we can go deep dive into the resources to find out the actual root cause.
Thank you! Have a wonderful day!
Reference:
[1] Manual Provisioning : https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-manually.htm [2] Users, groups, and provisioning: https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html#username-email-unique [3] SAML : https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html [4] Connect to an external identity provider : https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-manually.html [5] Support plans: https://aws.amazon.com/premiumsupport/plans/.
Relevant content
- asked a year ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a year ago
That makes a lot of sense. What I'm trying to do from the SAML2 side is have it send back e-mail address, then I did an attribute mapping: "Username" -> "${path:email}" is that acceptable? I'm doing this because in cognito the username IS an email address. In Cognito there is also an email address attribute, but I have them both set to the same thing. I want to map users by e-mail address.
If I don't use that mapping what will it use by default - whatever is in <NameID> ?
Thanks! So looking at the error page I was getting back, it was a NameId Format exception. The trouble is I don't exactly know what the NameID format is. So what I did was set up an SSO mapping between "Username" and "${path:email}" and I think that means matching to the user using email (twice). That seems to work, I THINK it's safe, and I'm not worried email address will change in the external idp. So hopefully that's ok.
It works, but it's a little intermittent and I'm not sure why. It seems like it should behave exactly the same every time.