Azure Guest accounts can't sign in using AWS SSO with Azure SAML

3

AWS SSO with Azure using SAML works only for users that were created in the Azure tenant as internal users. These users can sign in with SSO successfully.

However, whenever we invite an external user/guest to our Azure tenant, their UPN "username" gets a #EXT# prefix added. I believe this is causing issues for them to sign in using SSO in AWS. AWS SSO returns a "Looks like this code isn't right. Please try again" error.

Steps to reproduce

  1. Set up AWS SSO with Azure AD using SAML (including provisioning through SCIM)
  2. Create a new external user in Azure AD. Notice that their User Principal Name gets #EXT#
  3. Assign permissions to this Azure AD user so it is allowed to sign in to AWS
  4. Sign in with this user into AWS SSO through the SSO link mentioned in AWS dashboard
  5. Notice you get the "looks like this code isn't right. Please try again" error

Now do the same steps but create an internal user. You will notice this works.

azure guest account

Mike
Asked 1 year ago, 2376 views
5 answers
2

Since Azure is a Microsoft product we just hacked it. One of our 'Super Admins' on Azure updated the 'User Principal Name', removed the #EXT#, and then we forced a re-provision for those users from Azure to AWS; the users can log in now.

Sdunt
Answered 1 year ago
  • It works by removing the #EXT# but it's not ideal. We need to remember that whenever we invite an external user to our AWS account we need to edit their User Principal Name. Ideally AWS SSO should handle the hashtag so it works out of the box... or Microsoft shouldn't use hashtags in their external users, but I don't think they will change this.

1

You can configure a transform in Azure AD to return the email address value instead of the UPN for any claims that contain #EXT#. Make sure 'Specify output if no match' is set to user.userprincipalname (or whatever you normally use) for regular Azure members.

For a vanilla SAML configuration, that would be the following claims:

  • Unique User Identifier (nameidentifier)
  • name


Answered 1 year ago
  • This is a great solution. Thanks for posting it.

    Note for others, I also had to make sure that all users had First and Last Names set in Azure AD

1

Make sure you have populated the first, last and display name of the user. It fixed this issue for us.

Answered 1 year ago
0

Yep, I am getting the same error but with Google Workspaces as a provider

Answered 1 year ago
0

These steps worked for me:

Steps from link above: Log in to Azure and navigate to Azure AD

In left menu, Click ‘Enterprise applications’

Choose your AWS SSO app

In left menu, click ‘Single Sign On’

Under ‘User attributes and claims’ — Click edit

Under Required claim, for the ‘Claim name’ = ‘Unique User Identifier (Name ID)’, click the value column

Click the ‘Source attribute’ dropdown and select ‘user.mail’ (take a screenshot of the current value in case you want to roll back)

Click ‘Save’. Now you can open a private browser window and try it with your own email id. It should work.

Then ask your guest user to try via an incognito browser tab. It worked for my guest user as well.

AB
Answered 8 months ago
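Both the claim-transform answer above and AB's step list come down to the same thing: the SAML NameID that Azure AD sends must equal the userName that SCIM already provisioned into AWS SSO, and every user needs first, last and display names populated. The following Python is an added example, not code from the thread or from either vendor; it models the regex transform (emit user.mail when the UPN carries #EXT#, otherwise user.userprincipalname) and runs a consistency check over a constructed set of Azure AD users and the SCIM userName each one was provisioned with. The user records, tenant name and the `provisioning_issues` helper are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Azure AD B2B guest UPNs carry an "#EXT#" marker, e.g.
# "jane_example.com#EXT#@contoso.onmicrosoft.com" (constructed sample tenant).
EXT_MARKER = re.compile(r"#EXT#", re.IGNORECASE)


@dataclass
class AzureUser:
    """Subset of Azure AD attributes the claim rule and SCIM mapping use."""
    upn: str
    mail: str
    given_name: str = ""
    surname: str = ""
    display_name: str = ""


def name_id_claim(user: AzureUser) -> str:
    """Value the regex transform emits as the SAML NameID.

    Match on #EXT# -> user.mail; 'Specify output if no match' -> user.userprincipalname.
    """
    if EXT_MARKER.search(user.upn):
        return user.mail
    return user.upn


def provisioning_issues(user: AzureUser, scim_username: str) -> list[str]:
    """Report the two mismatches the thread traces the 'code isn't right' error to:
    a NameID that differs from the SCIM-provisioned userName, and blank name fields."""
    issues = []
    claim = name_id_claim(user)
    if claim != scim_username:
        issues.append(f"NameID {claim!r} != SCIM userName {scim_username!r}")
    for label, value in (("givenName", user.given_name),
                         ("familyName", user.surname),
                         ("displayName", user.display_name)):
        if not value.strip():
            issues.append(f"missing {label}")
    return issues


# Constructed sample directory: one member, one guest provisioned by UPN (broken),
# one guest provisioned by mail (matches the transform's output).
SAMPLE_USERS = [
    (AzureUser("bob@contoso.com", "bob@contoso.com", "Bob", "Example", "Bob Example"),
     "bob@contoso.com"),
    (AzureUser("jane_example.com#EXT#@contoso.onmicrosoft.com", "jane@example.com"),
     "jane_example.com#EXT#@contoso.onmicrosoft.com"),
    (AzureUser("ann_example.com#EXT#@contoso.onmicrosoft.com", "ann@example.com",
               "Ann", "Guest", "Ann Guest"),
     "ann@example.com"),
]


def audit(users=SAMPLE_USERS) -> dict[str, list[str]]:
    """Map each UPN to its list of issues; an empty list means SSO should succeed."""
    return {user.upn: provisioning_issues(user, scim_name) for user, scim_name in users}


if __name__ == "__main__":
    for upn, problems in audit().items():
        print(upn, "->", problems or "ok")
```

Running the audit prints `ok` for the member and for the guest whose SCIM userName already equals the mail address, and lists the NameID mismatch plus the three blank name fields for the guest provisioned by raw UPN, which is exactly the state the thread's "code isn't right" reports describe.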
