
Issue Accessing SAML SSO URL on AWS Workspace

0

Hi AWS Community,

We are encountering an issue in our system and have been unable to understand the behavior.

A user is trying to access a URL from an AWS WorkSpace: https://intrafed.inside.nsn.com/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices

However, he's receiving: 'This site can't be reached'.

Interestingly, the same URL is accessible to another user of our org who is also using the same VPN and accessing the URL from another WorkSpace in the same region, managed by us with the same IP and configuration.

Could you please help us understand why this discrepancy is occurring?

Looking forward to your assistance!

Best regards, FerIT

asked a year ago, 195 views
1 Answer
0

The issue you're experiencing with one user being unable to access the SAML SSO URL on an AWS WorkSpace while another user can access it could be due to several factors related to SAML 2.0 federation and WorkSpaces configuration. Here are some potential reasons and troubleshooting steps to consider:

  1. WorkSpaces Directory Configuration: Ensure that the WorkSpaces Personal directories for both users are managed through AWS Directory Service (Simple AD, AD Connector, or AWS Managed Microsoft AD). SAML 2.0 integration is only available for WorkSpaces directories managed this way, not for directories managed directly by Amazon WorkSpaces.

  2. IAM Role and Permissions: Verify that the IAM role used for SAML 2.0 authentication has the correct permissions, including "sts:AssumeRoleWithSAML" and "sts:TagSession" actions in the trust relationship policy. Also, ensure the policy includes the "workspaces:Stream" action.

  3. SAML Response Attributes: Check the SAML response for the user experiencing issues. Key attributes to verify include:

    • The "NameID" element should have a "persistent" value and match the WorkSpaces username and Active Directory's "samaccountname".
    • The "Role" attribute should contain the correct IAM role ARN and IdP ARN.
    • The "RoleSessionName" value should be a valid email address or user principal name matching the user's Active Directory email.
    • The "PrincipalTag:Email" value should match the user's email address.
  4. Browser and Network Settings: Although you mentioned both users are using the same VPN, double-check browser settings, proxy configurations, and any local network settings that might be different between the two WorkSpaces.

  5. WorkSpaces Security Groups: Verify that the security group associated with the problematic WorkSpace allows outbound traffic to the SAML SSO URL.

  6. Service Control Policies: Confirm that no Service Control Policies (SCPs) are blocking the "workspaces:Stream" API for the affected user's account.

To troubleshoot further:

  • View the SAML response in the browser for the user experiencing issues.
  • Check WorkSpaces and AWS Directory Service logs for any error messages related to SAML authentication.
  • Verify that the SAML identity provider (IdP) configuration in IAM matches the settings in your organization's IdP.

If the issue persists after checking these points, you may need to engage AWS Support for more in-depth troubleshooting, as there could be subtle configuration differences or account-specific issues that are not immediately apparent.
Sources
Troubleshoot SAML 2.0 authentication issues in WorkSpaces | AWS re:Post
Integrate SAML 2.0 with WorkSpaces Personal - Amazon WorkSpaces
View a SAML response in your browser - AWS Identity and Access Management

answered a year ago
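The answer's third item and its first troubleshooting step amount to "capture the SAMLResponse in the browser and eyeball four attributes". The script below, added here as an example and not part of the original question or answer, automates that comparison: it decodes a base64 SAMLResponse, then checks the NameID format and value, the Role attribute's role/provider ARN pair, the RoleSessionName shape and the PrincipalTag:Email value against what the answer says WorkSpaces expects. The sample response, the account ID 123456789012, the role and provider names and the user jdoe are all constructed for the demonstration; the response is unsigned, so this only inspects attributes and does not validate a signature.

```python
"""Check the SAML attributes that WorkSpaces SAML 2.0 federation expects.

Added example: run it against the base64 SAMLResponse captured from the
browser's POST to the AWS SAML endpoint. Sample data below is constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
IDP_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w+=,.@/-]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_sample_response(name_id, name_format, role_value, session_name, email):
    """Constructed, unsigned SAML response for demonstration only (not a real IdP capture)."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{name_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ATTR}Role"><saml:AttributeValue>{role_value}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AWS_ATTR}RoleSessionName"><saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AWS_ATTR}PrincipalTag:Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def attribute_values(assertion, name):
    """All AttributeValue texts of the AWS attribute `name` (e.g. 'Role') in the assertion."""
    vals = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AWS_ATTR + name:
            vals.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return vals


def check_saml_response(b64_response, expected_sam_account_name, expected_email):
    """Return a list of findings; an empty list means every checked attribute looks right."""
    findings = []
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no plain saml:Assertion (encrypted assertion or error Status?)"]

    # NameID must be persistent and equal the AD sAMAccountName / WorkSpaces username.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("NameID missing")
    else:
        if name_id.get("Format") != PERSISTENT:
            findings.append(f"NameID Format is {name_id.get('Format')!r}, expected persistent")
        if (name_id.text or "").strip() != expected_sam_account_name:
            findings.append(f"NameID {name_id.text!r} != sAMAccountName {expected_sam_account_name!r}")

    # Role must be '<role ARN>,<saml-provider ARN>' (AWS accepts either order).
    roles = attribute_values(assertion, "Role")
    if not roles:
        findings.append("Role attribute missing")
    for role in roles:
        parts = [p.strip() for p in role.split(",")]
        ok = len(parts) == 2 and any(
            ROLE_ARN_RE.match(a) and IDP_ARN_RE.match(b) for a, b in (parts, parts[::-1]))
        if not ok:
            findings.append(f"Role value {role!r} is not '<role ARN>,<saml-provider ARN>'")

    # RoleSessionName must be a single email address / UPN.
    session = attribute_values(assertion, "RoleSessionName")
    if len(session) != 1 or not EMAIL_RE.match(session[0]):
        findings.append(f"RoleSessionName {session!r} is not a single email/UPN")

    # PrincipalTag:Email must match the user's email (compared case-insensitively).
    tag_email = attribute_values(assertion, "PrincipalTag:Email")
    if len(tag_email) != 1 or tag_email[0].lower() != expected_email.lower():
        findings.append(f"PrincipalTag:Email {tag_email!r} != {expected_email!r}")
    return findings


if __name__ == "__main__":
    good = build_sample_response(
        "jdoe", PERSISTENT,
        "arn:aws:iam::123456789012:role/WorkSpacesSAML,arn:aws:iam::123456789012:saml-provider/CorpIdP",
        "jdoe@example.com", "jdoe@example.com")
    print("good:", check_saml_response(good, "jdoe", "jdoe@example.com"))
    bad = build_sample_response(
        "jdoe", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "arn:aws:iam::123456789012:role/WorkSpacesSAML", "jdoe", "JDOE@example.com")
    for finding in check_saml_response(bad, "jdoe", "jdoe@example.com"):
        print("bad: -", finding)
```

To use it on a real capture, copy the SAMLResponse form value from the browser's network tab (URL-decode it first if it was taken from the raw POST body) and pass it to check_saml_response together with the user's sAMAccountName and AD email. Run it for both the working and the failing user: a difference in the findings lists points at the IdP-side attribute mapping rather than at the WorkSpace. Note that this does not explain a 'This site can't be reached' error, which occurs before any SAML response exists; that symptom is a name-resolution or connectivity problem on the affected WorkSpace (the answer's items 4 and 5).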
