AWS Identity Centre with Azure AD - "Looks like this code isn't right"


I am trying to connect AWS Identity Centre for SSO with Azure AD.

I have configured it as per the docs, and for authenticated Azure users I get redirected to AWS, but the error message I get is "Looks like this code isn't right. Please try again."

I have automatic provisioning enabled and working, so only valid users from Azure AD exist in AWS Identity Centre.

Can anyone suggest where I can look next?

asked a year ago, 1889 views
3 Answers
Accepted Answer

This was resolved for me with the resolution below.

If you have allowed guest users in your Azure AD and you would like to use those users to authenticate to AWS: this creates a mismatch between the username received in the SAML response from the AD and the actual username in AWS IAM Identity Center.

Resolution

To resolve this issue, consider modifying the user claims sent with the SAML response to AWS SSO from Azure so that you send the correct attribute for your guest AD users [1][2]. Follow these steps:

1. Log in to your Azure portal and navigate to Azure Active Directory.
2. Select "Enterprise applications" from the left pane and select the required AWS application.
3. Navigate to the "Single sign-on" tab from the left pane.
4. Click the Edit button next to "User Attributes & Claims".
5. Select the "Unique User Identifier (Name ID)" under Required Claims.
6. Now create two claim conditions (at the bottom of the screen), one for your AD users and the other for your guest users, as follows:

	Members  -  Attribute  -  user.userprincipalname
	Guests   -  Attribute  -  user.mail

7. Save the edits and try the login process again and you should be able to log in. You might need to clear your browser cache completely.
answered a year ago
reviewed 3 months ago
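To make the mismatch the accepted answer describes concrete, here is an added Python example (not code from AWS, Microsoft or the answerer) that simulates the NameID comparison on the service-provider side, before and after the conditional claim. It assumes a hypothetical tenant contoso.com with one member and one guest user, a constructed set of usernames as SCIM provisioned them into IAM Identity Center, a constructed minimal (unsigned) SAML response, and that Identity Center rejects a NameID that matches no provisioned username, which is what the answers above attribute the "Looks like this code isn't right" error to.

```python
"""Simulate the NameID check IAM Identity Center performs on an Azure AD SAML
response, before and after the conditional NameID claim from the answer above.
Added example; not code from AWS or Microsoft. All users, tenant names and the
SAML response are constructed for offline use."""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed Azure AD user objects (hypothetical tenant contoso.com). A guest's
# userPrincipalName takes the "#EXT#" form; only the mail attribute holds the
# address the guest was invited with.
USERS = [
    {"userType": "Member",
     "userPrincipalName": "alice@contoso.com",
     "mail": "alice@contoso.com"},
    {"userType": "Guest",
     "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "mail": "bob@fabrikam.com"},
]

# Constructed: usernames as they exist in IAM Identity Center after automatic
# (SCIM) provisioning. The guest is assumed to have been provisioned under the
# invited address rather than the #EXT# principal name.
PROVISIONED_USERNAMES = {"alice@contoso.com", "bob@fabrikam.com"}


def name_id_before_fix(user):
    """One NameID source for every user: user.userprincipalname."""
    return user["userPrincipalName"]


def name_id_after_fix(user):
    """The two claim conditions from the answer above:
    Members -> user.userprincipalname, Guests -> user.mail."""
    if user["userType"] == "Guest":
        return user["mail"]
    return user["userPrincipalName"]


def build_saml_response(name_id):
    """Minimal, unsigned SAML Response carrying only the Subject NameID, base64
    encoded like the SAMLResponse form field. Constructed for this test; a real
    Azure AD response is signed and carries conditions and attributes too."""
    xml = (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{n}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    ).format(p=NS["samlp"], a=NS["saml"], n=escape(name_id))
    return base64.b64encode(xml.encode()).decode()


def extract_name_id(saml_response_b64):
    """Pull the Subject NameID out of a base64 SAMLResponse; raise if absent."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response has no Subject NameID")
    return node.text.strip()


def check_login(saml_response_b64, provisioned=PROVISIONED_USERNAMES):
    """Return (accepted, name_id). A NameID matching no provisioned username is
    the mismatch the answers above associate with the login error."""
    name_id = extract_name_id(saml_response_b64)
    return (name_id in provisioned, name_id)


def simulate(name_id_fn):
    """Run every constructed user through the login check under one NameID policy,
    keyed by userPrincipalName."""
    return {u["userPrincipalName"]: check_login(build_saml_response(name_id_fn(u)))[0]
            for u in USERS}


if __name__ == "__main__":
    for label, fn in (("before fix", name_id_before_fix), ("after fix", name_id_after_fix)):
        print(label, simulate(fn))
```

Under the single-source policy the member logs in and the guest is rejected, because the NameID sent (the #EXT# principal name) is not the username that was provisioned; with the Members/Guests conditions both are accepted. When debugging a real tenant, decode the SAMLResponse from the browser's network trace the same way and compare the NameID against the username shown for that user in the Identity Center console.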

Hi,

Thank you for reaching out to us! This error usually occurs if there is a mismatch between the user information carried in the SAML request and the information for the user in IAM Identity Center. Please refer to the following documentation for common reasons for this issue and expectations from Identity Center:

If you need assistance with troubleshooting this issue, I recommend opening a support case so we are able to look into your resource configurations and assist in detail. re:Post is a public platform, and therefore, for security and privacy reasons please refrain from sharing any resource configuration details over this platform.

AWS
SUPPORT ENGINEER
answered a year ago

Hello Team,

I've tried applying the claim configuration and yet it doesn't work.

Also, on the suggestion which states "mismatch between the user information carried in the SAML request, and the information for the user in IAM Identity Center", I have set the Source Type as "External Identity Provider", in which I am not allowed to create the users. If that's the case, how do I resolve the issue?

Thanks!

Regards, Jay.

Mouyse
answered a year ago
