Azure Guest accounts can't sign in using AWS SSO with Azure SAML

3

AWS SSO with Azure using SAML works only for users that were created in the Azure tenant as internal users. These users can sign in with SSO successfully.

However, whenever we invite an external user/guest to our Azure tenant, their UPN "username" gets a prefix added: #EXT#. I believe this is causing issues for them to sign in using SSO in AWS. AWS SSO returns a "Looks like this code isn't right. Please try again" error.

Steps to reproduce

  1. Set up AWS SSO with Azure AD using SAML (including provisioning through SCIM)
  2. Create a new external user in Azure AD. Notice that their User Principal Name gets #EXT#
  3. Assign permissions to this Azure AD user so it is allowed to sign in AWS
  4. Sign in with this user into AWS SSO through the SSO link mentioned in AWS dashboard
  5. Notice you get the "looks like this code isn't right. Please try again" error

Now do the same steps but create an internal user. You will notice this works.

azure guest account

Mike
asked a year ago, 2358 views
5 Answers
2

Since AZURE is a Microsoft product we just hacked it.. One of our 'Super Admins' on Azure updated the 'User Principal Name' and removed the #EXT# and then we forced a re-provision for those users from AZURE to AWS and the users can login now.

Sdunt
answered a year ago
  • It works by removing the #EXT# but it's not ideal. We need to remember ourselves whenever we invite an external user to our AWS account we need to edit their User principal name. Ideally AWS SSO should handle the hashtag so it works out of the box... or Microsoft shouldn't use hashtags in their external users but don't think they will change this

1

You can configure a transform in AzureAD to return the email address value instead of the UPN for any claims that contain #EXT#. Make sure 'Specify output if no match' is set to user.userprincipalname (or whatever you normally use) for regular azure members.

For a vanilla SAML configuration, that would be the following claims:

  • Unique User Identifier (nameidentifier)
  • name


answered a year ago
  • This is a great solution. Thanks for posting it.

    Note for others, I also had to make sure that all users had First and Last Names set in Azure AD

1

Make sure you have populated the first, last and display name of the user. It fixed this issue for us.


answered a year ago
0

Yep, I am getting the same error but with Google Workspaces as a provider

answered a year ago
0

These steps worked for me:

Steps from link above: Login to your Azure and navigate to Azure AD

In left menu, Click ‘Enterprise applications’

Choose your AWS SSO app

In left menu, click ‘Single Sign On’

Under ‘User attributes and claims’ — Click edit

Under Required claim, for the ‘Claim name’ = ‘Unique User Identifier (Name ID)’, click the value column

Click the ‘Source attribute’ dropdown and select ‘user.mail’ (take a screenshot of the current value in case you want to roll back).

Click ‘Save’. Now you can open a private browser window and give it a try with your own email id. It should work.

Then ask your Guest user to try via an incognito browser tab. It worked for my Guest user as well.

AB
answered 7 months ago
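The answers above describe three fixes that all come down to the same two conditions: the Name ID claim AWS SSO receives must not carry the #EXT# marker (either by transforming #EXT# UPNs to the mail attribute, or by sourcing Name ID from user.mail outright), and the user must have first, last and display names populated. The following is an added example, not code from any of the posters or from AWS or Microsoft: a small Python pre-flight check that models the conditional claim transform from the second answer and flags the name-attribute gap from the third, run over constructed sample directory records (the hypothetical tenant "contoso.onmicrosoft.com" and all user values are made up for illustration).

```python
import re
from typing import Dict, List, Optional

# Constructed sample directory records for illustration only (hypothetical tenant
# "contoso.onmicrosoft.com"). The guest UPNs follow the "#EXT#" shape the question
# describes, with the invitee's address rewritten around the marker.
SAMPLE_USERS: List[Dict[str, Optional[str]]] = [
    {   # internal member: UPN and mail are both clean
        "userPrincipalName": "alice@contoso.onmicrosoft.com",
        "mail": "alice@contoso.com",
        "givenName": "Alice", "surname": "Adams", "displayName": "Alice Adams",
    },
    {   # guest: UPN carries #EXT#, mail holds the real external address
        "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
        "mail": "bob@fabrikam.com",
        "givenName": "Bob", "surname": "Baker", "displayName": "Bob Baker",
    },
    {   # guest whose first/last names were never filled in
        "userPrincipalName": "carol_example.org#EXT#@contoso.onmicrosoft.com",
        "mail": "carol@example.org",
        "givenName": None, "surname": None, "displayName": "Carol",
    },
]

EXT_MARKER = re.compile(r"#EXT#")
REQUIRED_NAME_ATTRS = ("givenName", "surname", "displayName")


def raw_name_id(user: Dict[str, Optional[str]]) -> str:
    """Name ID value with no transform: the default user.userprincipalname source."""
    return user.get("userPrincipalName") or ""


def name_id_claim(user: Dict[str, Optional[str]]) -> Optional[str]:
    """Name ID after the conditional transform from the thread: a UPN containing
    #EXT# is replaced by user.mail; any other UPN falls through unchanged, which
    is the 'Specify output if no match' branch set to user.userprincipalname."""
    upn = raw_name_id(user)
    if EXT_MARKER.search(upn):
        return user.get("mail")
    return upn


def preflight(user: Dict[str, Optional[str]], transformed: bool = True) -> List[str]:
    """Problems that the thread says block AWS SSO sign-in for this user:
    a Name ID still carrying #EXT#, no usable Name ID at all, or missing names.
    transformed=False shows the state before the claim transform is applied."""
    problems: List[str] = []
    claim = name_id_claim(user) if transformed else raw_name_id(user)
    if not claim:
        problems.append("no usable Name ID (guest with #EXT# UPN and no mail attribute)")
    elif EXT_MARKER.search(claim):
        problems.append("Name ID still contains #EXT#")
    for attr in REQUIRED_NAME_ATTRS:
        if not user.get(attr):
            problems.append(f"missing {attr}")
    return problems


def audit(users: List[Dict[str, Optional[str]]], transformed: bool = True) -> Dict[str, List[str]]:
    """Map each UPN to its problem list; an empty list means the user is ready to assign."""
    return {u["userPrincipalName"]: preflight(u, transformed) for u in users}


if __name__ == "__main__":
    for label, state in (("before transform", False), ("after transform", True)):
        print(f"== {label} ==")
        for upn, problems in audit(SAMPLE_USERS, state).items():
            print(f"{upn} -> {'OK' if not problems else '; '.join(problems)}")
```

Running it with the constructed records shows the guest "bob" failing only before the transform, and "carol" still failing afterwards because of the missing givenName and surname, which is the second condition the thread identifies. In a real tenant the same two checks can be run over an export of the users assigned to the AWS SSO enterprise application before they are provisioned through SCIM.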
