AppStream 2.0 with existing Azure SSO Federation

0

We have SSO through Azure configured in our environment where users connect to the IAM/SSO page, log on with their Azure credentials and MFA, and are assigned Permission Sets. All good. I want to use AppStream 2.0 using the existing identity provider.

In Applications, I choose AppStream, get all the attribute matching configured, get the Relay State done. Role/Policy configured correctly as far as I know. The problem is that the AppStream SSO app has its own metadata fields that are presumably different from the existing one. The setup guide for AppStream says you should take the metadata from the AppStream app and create a new one, even though I already have one configured in IAM.

So users get the error below:

Error: Failed to assume role: Issuer not present in specified provider (service: AWSOpenIdDiscoveryService; status code: 400; error code: AuthSamlInvalidSamlResponseException) This error can occur if the issuer in the SAML response does not match the issuer declared in the federation metadata file. The metadata file was uploaded to AWS when you created the identity provider in IAM.

Am I missing something to get this working?

I saw the info below, and it doesn't seem like you can have more than one SAML provider, and we already have one.

Q: Can I connect more than one identity source to IAM Identity Center?

No. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. But, you can change the identity source that is connected to a different one.
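The error quoted in the question is AWS comparing the `Issuer` carried in the SAML response against the `entityID` of the metadata uploaded to the IAM SAML provider. The script below is an added example, not part of the original post and not AWS tooling: it parses an IdP metadata document and a base64-encoded `SAMLResponse` (as captured from the browser's POST to `https://signin.aws.amazon.com/saml`) and reports whether every `Issuer` in the response matches the provider's `entityID`. The metadata documents, tenant IDs and the SAML response are constructed sample data; the `https://sts.windows.net/<tenant>/` issuer format is Azure AD's, but the values are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by metadata, the Response element and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NOTE: xml.etree is fine for a metadata file and a response you captured yourself;
# for untrusted input, use defusedxml to avoid entity-expansion attacks.


def metadata_entity_id(metadata_xml: str) -> str:
    """Return the entityID declared on the root <md:EntityDescriptor>."""
    root = ET.fromstring(metadata_xml)
    expected = f"{{{NS['md']}}}EntityDescriptor"
    if root.tag != expected:
        raise ValueError(f"root element is {root.tag}, expected {expected}")
    return root.attrib["entityID"].strip()


def response_issuers(saml_response_b64: str) -> list:
    """Decode a SAMLResponse form value and collect every <saml:Issuer> text.

    Both the <samlp:Response> and the enclosed <saml:Assertion> carry an Issuer;
    AWS expects them to match the provider's entityID, so we check all of them.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [el.text.strip() for el in root.iter(f"{{{NS['saml']}}}Issuer") if el.text]


def issuer_matches(metadata_xml: str, saml_response_b64: str):
    """Return (ok, entity_id, issuers): ok is True only if all issuers equal entity_id."""
    entity_id = metadata_entity_id(metadata_xml)
    issuers = response_issuers(saml_response_b64)
    ok = bool(issuers) and all(issuer == entity_id for issuer in issuers)
    return ok, entity_id, issuers


# ---- constructed sample data (not real tenants, not a real response) ----
def _metadata(tenant: str) -> str:
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sts.windows.net/{tenant}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _saml_response(issuer: str) -> str:
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Metadata behind the SAML provider that already exists in IAM (placeholder tenant A).
EXISTING_PROVIDER_METADATA = _metadata("11111111-1111-1111-1111-111111111111")
# Metadata downloaded from the AppStream enterprise application (placeholder tenant B).
APPSTREAM_APP_METADATA = _metadata("22222222-2222-2222-2222-222222222222")
# SAMLResponse the AppStream app actually sends, base64-encoded as in the browser POST.
APPSTREAM_SAML_RESPONSE_B64 = base64.b64encode(
    _saml_response("https://sts.windows.net/22222222-2222-2222-2222-222222222222/").encode()
).decode()


def diagnose(metadata_xml: str, saml_response_b64: str) -> str:
    """Human-readable verdict in the same terms as the AWS error message."""
    ok, entity_id, issuers = issuer_matches(metadata_xml, saml_response_b64)
    if ok:
        return f"OK: issuer {entity_id} matches the provider metadata"
    return (f"MISMATCH: metadata entityID={entity_id} but response issuers={issuers}; "
            "upload this response's IdP metadata as a separate IAM SAML provider")


if __name__ == "__main__":
    print(diagnose(EXISTING_PROVIDER_METADATA, APPSTREAM_SAML_RESPONSE_B64))
    print(diagnose(APPSTREAM_APP_METADATA, APPSTREAM_SAML_RESPONSE_B64))
```

To run this against a real login, copy the `SAMLResponse` form field from the browser's network tab (it is plain base64 for the HTTP-POST binding, not deflated) and the metadata XML you uploaded to IAM; a `MISMATCH` verdict is exactly the condition behind `AuthSamlInvalidSamlResponseException`.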

2 Answers
0
Accepted Answer

I created a new saml provider in IAM and everything works now.

answered a year ago
0

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

I understand that you want to use AppStream 2.0 using the existing identity provider. When trying to assume the role, users are facing an access denied error. Hence you reached out to us for assistance.

Unfortunately, I am unable to fully answer this question without additional context. Basically, I need to have the SAML response to identify the existing setup. Hence, I would request you to create a Support ticket, where we can have more visibility to dive deep into your existing structure and can provide you the resolution.

answered a year ago
  • Thank you for responding. If I had access to paid support I wouldn't be using re:Post though.

    I think I might have been confused in my original post. I believe there is a restriction of having one SAML provider linked to SSO in "IAM Identity Center", which isn't a problem. But you are allowed more than one SAML Identity Provider in "Identity and Access Management (IAM)"? If this is the case, I just need to create a new SAML provider there and link it with the Role and Application.
