By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AppSteam: Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400

0

We have setup an identity provider to use Azure AD to authenticate users that access an AppSteam stack. This is a new build. I used the link below to do the set up. Everything seems to be working from the authentication side as I can get logged in (can see the user logged if I'm logged into the console and then it refreshes when not using in private browser window). However, when it redirects to the AWS Appstream page, I'm getting Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400. This suggests a malformed relay state URL, but I have verified that it appears to be the correct syntax (variables and stack name case-sensitive). The SAML response appears to be clean using the browser code analysis tools and the SAML decoder. The only thing that seems odd is that cookie analysis from the browser reports the credentials are expired (there are several errors in the capture i.e. Cookie "aws-creds" has been rejected because it is already expired). The 400 response header shows the statement "expires:Tue, 03 Jul 2001..." which is bizarre. Any help would be greatly appreciated.

https://aws.amazon.com/blogs/desktop-and-application-streaming/enabling-federation-with-azure-ad-single-sign-on-and-amazon-appstream-2-0/

Topics
Security, Identity, & ComplianceEnd User Computing
Tags
AWS Identity and Access ManagementAmazon AppStream
Language
English
AWS-User-2639757
asked 2 years ago1315 views
3 Answers
0

First check for spaces. It is pretty easy in the Azure AD console to add a space before the relay state (and other fields) and cause issues.

If you remove the relay state, does it federate as expected? This should land you right on the AWS management console. If this works, you know for sure it is the relay state.

Can you post a redacted version of your relay state? Don't include your account number - here is mine as an example for us-east-1.

https://appstream2.us-east-1.aws.amazon.com/saml?stack=Office-Stack&accountId=012345678910

profile pictureAWS
Jeremy_S
answered 2 years ago
0

Thanks for your answer. I'll check for spaces (good call) and test it without the Relay State entry. I can tell you if I am logged in to the AWS console and then access the Azure App (non incognito window) to redirect to AWS AppSteam. The portal refreshes and I can see the role logged into the console. That tells me that we got through the SAML Authentication and actually got logged in to AWS via the role. The redirect to AppStream seems to be the problem somehow. Here's my relay state URL:

https://appstream2.us-east-1.aws.amazon.com/saml?stack=POCAPStack&accountId=XXXXXXXXXXXX

AWS-User-2639757
answered 2 years ago
0

It turns out that there was a syntax error in the Azure Relay state URL after all even though I was sure they had fixed it (I had already found this issue). I noticed this when pasting in the correct Relay State URL to the window with the 400 error and refreshing, then it would redirect to the AppStream service. The problem was a capital "D" in the accountId variable field (case-sensitive variable). So it was indeed a malformed Relay State URL.

AWS-User-2639757
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content