Enabling Identity Federation with AD FS 3.0 and Amazon AppStream 2.0

0

I’m troubleshooting problems with the SSO integration of AppStream 2.0 with AD FS. I followed step by step the guide at the following link: https://aws.amazon.com/it/blogs/compute/enabling-identity-federation-with-ad-fs-3-0-and-amazon-appstream-2-0/ but when I try to navigate via browser to the RelayState URL, the AD FS page returns an error. Do I need to enable some other AWS service, or is there a more detailed guide? As an image for AppStream 2.0 I used a standard image of the AppStream 2.0 service, while AD FS is resident on our Windows machine. AD FS is 3.0. Any suggestion? Thanks

3 Answers
1

At the bottom of the blog there are a few steps that are commonly missed for AD FS 3.0, under "Enable RelayState and forms authentication".

What is the exact error message you are getting?

You can use a browser extension, like SAML-tracer to capture the SAML message. Are you seeing the correct attributes and values? Can you paste a redacted copy of the SAML summary?

AWS
answered 2 years ago
  • Here is an error from the SAML-tracer:
    HTTP/1.1 302 Found
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Location: https://xxxxxxxxxxxxxxxxxxxxxxx:443/adfs/ls/idpinitiatedsignon?client-request-id=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    Server: Microsoft-HTTPAPI/2.0
    P3P: ADFS doesn't have P3P policy, please contact your site's admin for more details
    Set-Cookie: MSISSamlRequest=; expires=Sun, 27 Mar 2022 10:29:04 GMT; path=/adfs
    MSISAuthenticated=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==; path=/adfs; HttpOnly; Secure
    MSISLoopDetectionCookie=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==; path=/adfs; HttpOnly; Secure
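The two things the answer above asks to check are the RelayState URL and the attributes inside the SAMLResponse that SAML-tracer shows. The script below is an added example, not code from the blog post or from anyone in this thread: it builds the AD FS 3.0 IdP-initiated RelayState URL for an AppStream 2.0 stack (RPID and target relay state each URL-encoded, then the whole RelayState value encoded once more), decodes such a URL back to confirm it round-trips, and decodes a base64 SAMLResponse to check that the AWS Role and RoleSessionName attributes are present and well-formed. The AD FS host name, region, stack name, account ID and the sample assertion are constructed values; the sample assertion is unsigned and the check inspects content only (signature validation is done by AWS, not here).

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Relying party identifier AWS uses for the SAML sign-in endpoint, and the
# attribute names AWS expects in the assertion
AWS_RPID = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def appstream_target(region, stack_name, account_id):
    """AppStream 2.0 relay state: where the browser lands after federation."""
    return (f"https://appstream2.{region}.aws.amazon.com/saml"
            f"?stack={stack_name}&accountId={account_id}")


def build_relay_state_url(adfs_host, target):
    """AD FS IdP-initiated sign-on URL. RPID and target are URL-encoded
    individually, then the combined RelayState value is encoded again."""
    inner = ("RPID=" + urllib.parse.quote(AWS_RPID, safe="")
             + "&RelayState=" + urllib.parse.quote(target, safe=""))
    return (f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?RelayState="
            + urllib.parse.quote(inner, safe=""))


def parse_relay_state_url(url):
    """Undo the double encoding; return (rpid, target) or raise ValueError."""
    outer = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "RelayState" not in outer:
        raise ValueError("no RelayState parameter in URL")
    inner = urllib.parse.parse_qs(outer["RelayState"][0])
    try:
        return inner["RPID"][0], inner["RelayState"][0]
    except KeyError as missing:
        raise ValueError(f"inner RelayState is missing {missing}")


def extract_aws_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse (as captured by SAML-tracer) and collect
    every Attribute in the AttributeStatement as name -> [values]."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def check_aws_attributes(attrs, account_id):
    """List the problems a reviewer would flag: missing Role or
    RoleSessionName, or a Role value not of the form
    '<role-arn>,<saml-provider-arn>' in the expected account."""
    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("missing Role attribute")
    for role in roles:
        parts = role.split(",")
        if (len(parts) != 2
                or not parts[0].startswith(f"arn:aws:iam::{account_id}:role/")
                or not parts[1].startswith(f"arn:aws:iam::{account_id}:saml-provider/")):
            problems.append(f"malformed Role value: {role}")
    if not attrs.get(ROLE_SESSION_ATTR):
        problems.append("missing RoleSessionName attribute")
    return problems


# Constructed sample assertion (unsigned, minimal) standing in for a capture
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AppStreamUsers,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ROLE_SESSION_ATTR}">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    target = appstream_target("us-west-2", "MyStack", "123456789012")
    url = build_relay_state_url("adfs.example.com", target)
    print(url)
    print(parse_relay_state_url(url))
    attrs = extract_aws_attributes(SAMPLE_RESPONSE_B64)
    print(attrs)
    print(check_aws_attributes(attrs, "123456789012") or "attributes look fine")
```

To use it on a real capture, paste the base64 SAMLResponse from SAML-tracer into extract_aws_attributes and your own RelayState URL into parse_relay_state_url; a ValueError from the parser, or a target that does not come back as the exact AppStream URL, points at an encoding mistake in the URL rather than at the claim rules.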

0

The part about "Enable RelayState and forms authentication" has been configured in all parts. The error message is returned by the AD FS server (error ID 364 AD FS) and does not allow me to log in to the application. SAML-tracer does not return any error. I built the RelayState URL following the example shown in the AS2 setup page (Enabling Identity Federation with AD FS 3.0 and Amazon AppStream 2.0). Is there any other way to get it? In the URL I also checked the characters, paying attention to the key sense. Thanks

answered 2 years ago
0

Attributes seem correct; I will try to recheck.

Here is an error from the SAML-tracer:
HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://xxxxxxxxxxxxxxxxxxxxxxx:443/adfs/ls/idpinitiatedsignon?client-request-id=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Server: Microsoft-HTTPAPI/2.0
P3P: ADFS doesn't have P3P policy, please contact your site's admin for more details
Set-Cookie: MSISSamlRequest=; expires=Sun, 27 Mar 2022 10:29:04 GMT; path=/adfs
MSISAuthenticated=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==; path=/adfs; HttpOnly; Secure
MSISLoopDetectionCookie=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==; path=/adfs; HttpOnly; Secure

Here instead is an error from AD FS: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\user for relying party trust https://signin.aws.amazon.com/saml.

Thanks in advance for any suggestions or help.

answered 2 years ago
