AWS Identity Centre with Azure AD - "Looks like this code isn't right"

0

I am trying to connect AWS Identity Centre for SSO with Azure AD.

I have configured it as per the docs, and authenticated Azure users get redirected to AWS, but the error message I get is "Looks like this code isn't right. Please try again."

I have automatic provisioning enabled and working, so only valid users from Azure AD exist in AWS Identity Centre.

Can anyone suggest where I can look next?

Asked 1 year ago, 2074 views
3 answers
0
Accepted answer

This was resolved for me with the resolution below.

If you have allowed guest users in your Azure AD and you would like to use those users to authenticate to AWS: this creates a mismatch between the username received in the SAML response from Azure AD and the actual username in AWS IAM Identity Center.

Resolution

To resolve this issue, consider modifying the user claims sent with the SAML response from Azure to AWS SSO, so that the correct attribute is sent for your guest AD users [1][2]. Please follow these steps:

1. Login to your Azure portal and navigate to Azure AD Directory
2. Select Enterprise application from the left pane and select the required AWS application
3. Navigate to "Single Sign on" tab from the left pane
4. Click on Edit button next to "User Attributes & Claims"
5. Select the "Unique User Identifier (Name ID)" under Required Claims.
6. Now we would need to create two claim conditions (present at the bottom of the screen), one for your AD users and the other for your guest users, as follows:

	Members - Attribute - user.userprincipalname
	Guests  - Attribute - user.mail

7. Save the edits and try the login process again and you should be able to log in. You might need to clear your browser cache completely.
Answered 1 year ago
Expert
Reviewed 4 months ago
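The accepted answer comes down to one check: does the NameID in the SAML assertion Azure AD posts to AWS equal, character for character, the username that was provisioned into IAM Identity Center? The following is an added example (not code from the original post, nor from AWS or Microsoft) that decodes a captured SAMLResponse form field, pulls out the Subject/NameID, and compares it with the Identity Center username, reporting the guest-user case specifically. The SAML response it builds is a constructed, unsigned stub with only the elements needed for the check; the user records, tenant names and helper names (`make_saml_response`, `azure_name_id`, `diagnose`) are assumptions for illustration. It relies on one fact not stated on the page: Azure AD gives guest accounts a synthesised UPN of the form `alias_example.com#EXT#@tenant.onmicrosoft.com`, which is what `user.userprincipalname` emits for them.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the assertion Azure AD posts to the AWS ACS URL.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def make_saml_response(name_id, fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"):
    """Constructed sample only: a minimal, unsigned response whose Subject/NameID
    carries the given value. Real Azure AD responses are signed and much larger;
    only the Subject element matters for this check."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject>'
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        '</saml:Subject>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def extract_name_id(saml_response_b64):
    """Decode a base64 SAMLResponse form field and return (NameID value, Format)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no Subject/NameID")
    return node.text.strip(), node.get("Format")


def azure_name_id(user):
    """Value the two claim conditions from step 6 of the accepted answer would emit.
    `user` is a dict with Graph-style keys: userType, userPrincipalName, mail (assumed shape)."""
    if user.get("userType") == "Guest":
        return user.get("mail")
    return user.get("userPrincipalName")


def diagnose(saml_response_b64, identity_center_username):
    """Compare the NameID AWS received with the username in IAM Identity Center.
    The comparison is exact: the accepted answer attributes the
    "Looks like this code isn't right" error to any such mismatch."""
    value, _fmt = extract_name_id(saml_response_b64)
    if value == identity_center_username:
        return "match"
    if "#EXT#" in value:
        # Guest accounts carry the synthesised alias_domain#EXT#@tenant UPN,
        # so user.userprincipalname was used for a guest; map Guests to user.mail.
        return "guest UPN sent as NameID; add a Guests condition mapped to user.mail"
    return f"NameID {value!r} does not equal Identity Center username {identity_center_username!r}"


if __name__ == "__main__":
    # Constructed guest record: UPN is the #EXT# form, mail is the home-tenant address.
    guest = {
        "userType": "Guest",
        "userPrincipalName": "jane_contoso.com#EXT#@fabrikam.onmicrosoft.com",
        "mail": "jane@contoso.com",
    }
    provisioned_username = "jane@contoso.com"
    # Before the fix: NameID comes from user.userprincipalname.
    print(diagnose(make_saml_response(guest["userPrincipalName"]), provisioned_username))
    # After the fix: NameID comes from user.mail for guests.
    print(diagnose(make_saml_response(azure_name_id(guest)), provisioned_username))
```

To use it against a real login, capture the `SAMLResponse` POST parameter from the browser's network tab (it is already base64) and pass it to `diagnose` together with the username shown for that user in the Identity Center console; the script reads only the Subject and never validates the signature, so treat it as a diagnostic, not a verifier.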
0

Hi,

Thank you for reaching out to us! This error usually occurs when there is a mismatch between the user information carried in the SAML request and the information for the user in IAM Identity Center. Please refer to the following documentation for common reasons for this issue and what Identity Center expects:

If you need assistance with troubleshooting this issue, I recommend opening a support case so we are able to look into your resource configurations and assist in detail. re:Post is a public platform, and therefore, for security and privacy reasons please refrain from sharing any resource configuration details over this platform.

AWS
Support Engineer
Answered 1 year ago
0

Hello Team,

I've tried applying the claim configuration and yet it doesn't work.

Also, regarding the suggestion which states "mismatch between the user information carried in the SAML request, and the information for the user in IAM Identity Center": I have set the Source Type as "External Identity Provider", in which I am not allowed to create the users. If that's the case, how do I resolve the issue?

Thanks!

Regards, Jay.

Mouyse
Answered 1 year ago
