By using AWS re:Post, you agree to the Terms of Use
/AppSteam: Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400/

AppSteam: Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400


We have setup an identity provider to use Azure AD to authenticate users that access an AppSteam stack. This is a new build. I used the link below to do the set up. Everything seems to be working from the authentication side as I can get logged in (can see the user logged if I'm logged into the console and then it refreshes when not using in private browser window). However, when it redirects to the AWS Appstream page, I'm getting Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400. This suggests a malformed relay state URL, but I have verified that it appears to be the correct syntax (variables and stack name case-sensitive). The SAML response appears to be clean using the browser code analysis tools and the SAML decoder. The only thing that seems odd is that cookie analysis from the browser reports the credentials are expired (there are several errors in the capture i.e. Cookie "aws-creds" has been rejected because it is already expired). The 400 response header shows the statement "expires:Tue, 03 Jul 2001..." which is bizarre. Any help would be greatly appreciated.

3 Answers

First check for spaces. It is pretty easy in the Azure AD console to add a space before the relay state (and other fields) and cause issues.

If you remove the relay state, does it federate as expected? This should land you right on the AWS management console. If this works, you know for sure it is the relay state.

Can you post a redacted version of your relay state? Don't include your account number - here is mine as an example for us-east-1.

answered 10 days ago

Thanks for your answer. I'll check for spaces (good call) and test it without the Relay State entry. I can tell you if I am logged in to the AWS console and then access the Azure App (non incognito window) to redirect to AWS AppSteam. The portal refreshes and I can see the role logged into the console. That tells me that we got through the SAML Authentication and actually got logged in to AWS via the role. The redirect to AppStream seems to be the problem somehow. Here's my relay state URL:

answered 10 days ago

It turns out that there was a syntax error in the Azure Relay state URL after all even though I was sure they had fixed it (I had already found this issue). I noticed this when pasting in the correct Relay State URL to the window with the 400 error and refreshing, then it would redirect to the AppStream service. The problem was a capital "D" in the accountId variable field (case-sensitive variable). So it was indeed a malformed Relay State URL.

answered 9 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions