AppSteam: Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400
We have setup an identity provider to use Azure AD to authenticate users that access an AppSteam stack. This is a new build. I used the link below to do the set up. Everything seems to be working from the authentication side as I can get logged in (can see the user logged if I'm logged into the console and then it refreshes when not using in private browser window). However, when it redirects to the AWS Appstream page, I'm getting Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400. This suggests a malformed relay state URL, but I have verified that it appears to be the correct syntax (variables and stack name case-sensitive). The SAML response appears to be clean using the browser code analysis tools and the SAML decoder. The only thing that seems odd is that cookie analysis from the browser reports the credentials are expired (there are several errors in the capture i.e. Cookie "aws-creds" has been rejected because it is already expired). The 400 response header shows the statement "expires:Tue, 03 Jul 2001..." which is bizarre. Any help would be greatly appreciated.
First check for spaces. It is pretty easy in the Azure AD console to add a space before the relay state (and other fields) and cause issues.
If you remove the relay state, does it federate as expected? This should land you right on the AWS management console. If this works, you know for sure it is the relay state.
Can you post a redacted version of your relay state? Don't include your account number - here is mine as an example for us-east-1.
Thanks for your answer. I'll check for spaces (good call) and test it without the Relay State entry. I can tell you if I am logged in to the AWS console and then access the Azure App (non incognito window) to redirect to AWS AppSteam. The portal refreshes and I can see the role logged into the console. That tells me that we got through the SAML Authentication and actually got logged in to AWS via the role. The redirect to AppStream seems to be the problem somehow. Here's my relay state URL:
It turns out that there was a syntax error in the Azure Relay state URL after all even though I was sure they had fixed it (I had already found this issue). I noticed this when pasting in the correct Relay State URL to the window with the 400 error and refreshing, then it would redirect to the AppStream service. The problem was a capital "D" in the accountId variable field (case-sensitive variable). So it was indeed a malformed Relay State URL.
How to use an IDP where OpenID Connect will be used to pass an access token to Amazon Redshiftasked 4 months ago
Cognito & IAM setup for unauthorised access, to be used in Unity for Pollyasked a month ago
Cognito - Azure AD SAML responseasked 3 months ago
Does AWS supports FIDO2 pin-code?asked 4 months ago
How can I use Azure AD credentials for SSH into AWS EC2 Instance?Accepted Answerasked 2 months ago
AWS AD Connect Replication permissionsasked 3 years ago
Amazon Workspaces (Windows) : Is it possibile to use Google G Suite IdP for SSO ?Accepted Answerasked 2 years ago
AppSteam: Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400asked 7 days ago
Generate OIDC token from EC2 assigned IAM Role temporary credentialsasked 4 months ago
Getting an error logging in with IdP in authorization code grant flowasked 3 years ago