
AWS OIDC Integration with Azure AD – Multi-Tenant Support Limitation


Hi,

We are integrating Azure Active Directory (Azure AD) with AWS Cognito (SSO) using OIDC (OpenID Connect) to allow user authentication into AWS.

Currently, AWS requires a tenant-specific Azure AD OIDC endpoint such as: https://login.microsoftonline.com/<tenant-id>/v2.0

However, for our use case, we need to support users from multiple or different Azure AD tenants (external collaborators, partner organizations, etc.). Azure provides multi-tenant endpoints like:

These endpoints allow sign-in from users across multiple Azure AD tenants. Unfortunately, AWS does not currently support these multi-tenant OIDC endpoints, limiting our ability to support external users.

We would like to ask:

  1. Is there current or upcoming support in AWS IAM Identity Center for Azure AD multi-tenant OIDC?
  2. Are there any recommended workarounds or architectures to support external Azure AD users via OIDC?
  3. Is this a known product limitation? If so, is it on the AWS roadmap for enhancement?

We appreciate any official guidance or best practices you can provide to help us support this multi-tenant OIDC scenario.

Kind regards,
Rahul Siddu

asked 9 months ago · 351 views
1 Answer

You're correct about the limitation with AWS Cognito and multi-tenant Azure AD integration. This is indeed a known limitation in AWS Cognito's current implementation.

The core issue is that when using the multi-tenant endpoints like "https://login.microsoftonline.com/common/v2.0", Microsoft returns tokens with tenant-specific issuer URLs (in the format "https://login.microsoftonline.com/{tenant_id}/v2.0"). However, Cognito expects the issuer in the token to match exactly what was configured. This mismatch causes validation failures when users from different tenants attempt to authenticate.

AWS has acknowledged this limitation, and there is an internal feature request with the Cognito team to support multi-tenancy when integrating with Microsoft's common endpoint. Unfortunately, there's no published ETA for when this feature will become available, as AWS doesn't typically share details about their development roadmap publicly.

In the meantime, here are some potential workarounds:

  1. Create separate identity providers in Cognito for each tenant you need to support. This works but becomes unwieldy as you add more tenants.

  2. Develop a custom identity provider that acts as a proxy between your application and Azure AD, handling the dynamic issuer claims.

  3. Use AWS IAM federation with SAML 2.0 instead of OIDC if your requirements allow for it. This approach might provide more flexibility for multi-tenant scenarios.

  4. Consider using AWS IAM Identity Center with different configurations. While IAM Identity Center also has limitations with multiple IdPs, you could explore account-specific identity provider configurations.

For the most up-to-date information on this feature, I'd recommend keeping an eye on the AWS "What's New" page and the Official AWS Blog for announcements about new features and improvements to Cognito's identity provider capabilities.
Sources
Cognito Social Login - Allow Microsoft Personal Accounts and Multi-tenant Access | AWS re:Post
Infrastructure OU - Shared Services account - AWS Prescriptive Guidance

answered 9 months ago
EXPERT
reviewed 9 months ago
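The issuer mismatch the answer describes, and the allowlist check a proxy (workaround 2) could apply instead, as an added example that is not code from the question, the answer, or AWS. The tenant IDs, the unsigned token and the `placeholder-signature` are constructed for this example; real tokens are signed by Azure AD and must be verified against the issuing tenant's JWKS before any claim is trusted.

```python
import base64
import json
import re

# Azure AD v2.0 issuers are always tenant-specific, even for tokens obtained
# through the /common endpoint (the behaviour described in the answer above).
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"(?P<tenant>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/v2\.0$",
    re.IGNORECASE,
)

# Constructed sample tenant IDs for this example (not real tenants).
HOME_TENANT = "11111111-2222-3333-4444-555555555555"
PARTNER_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT for this example only.
    The placeholder signature is never trusted; it exists so decode_payload has input."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Decode the payload of a compact JWT so the iss/tid claims can be inspected.
    Signature verification against the tenant's JWKS is assumed to happen separately."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def exact_issuer_ok(claims: dict, configured_issuer: str) -> bool:
    """Single-tenant check: iss must equal the configured issuer exactly.
    This is the check that rejects users from any other tenant."""
    return claims.get("iss") == configured_issuer


def allowlisted_issuer_ok(claims: dict, allowed_tenants: set[str]) -> bool:
    """Multi-tenant check a proxy could apply: accept a tenant-specific issuer only
    if its tenant ID is on an explicit allowlist and agrees with the tid claim.
    Matching the issuer pattern alone is not enough, because anyone can create an
    Azure AD tenant; the allowlist is what restricts access to known partners."""
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        return False
    tenant = match.group("tenant").lower()
    return tenant in allowed_tenants and claims.get("tid", "").lower() == tenant
```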
