Good day. I need help with integration of RazerID into my app as custom OIDC provider in Cognito. I have done all the configurations in the user pool and when I try to log in through Hosted UI it redirects me to Razer page, then I log in, it redirects me back to localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
I check the network section I am getting the code and state
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?
Related
I am trying to setup this authentication (new method without cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign on as documented here:https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
And setup SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?
You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to succesfully login using the AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
When trying to login via my AWS Cognito's login page via Azure AD with email#live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx#live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working as correctly, without any errors.
Problem:
When trying to login via Cognito's login url: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email Id: xxx#live.com, after clicking next, instead of a password prompt the page throws a 404 error.
Also tried with inviting another user with email: xxx#mydomain.com, this also results in the same 404 error.
Tried in different browsers: chrome, firefox, safari. All result in the exact same error.
Azure AD SSO SAML2.0 integration doesn't work well with personal accounts.
Integrating with OIDC on the other hand works really well.
Azure AD integration with AWS Cognito.
I set up my AWS Cognito integration into my React Native app using amplify add auth according to the guide, all is well and good, I'm able to register and login in the app. The cli wizard associates two app clients with the User Pool it creates: [poolid]_app_client and [poolid]_app_clientWeb.
I would like to have authenticated users be able to communicate with a web app hosted on an EC2 instance. I thought I could use an Application Load Balancer to do this by setting it up to forward authenticated requests to the EC2 instance. Problem is, I'm unable to create an Application Load Balancer default action that authenticates with the Cognito User Pool.
If I choose the App Client associated with the [poolid]_app_clientWeb, I get an error on save: Error creating listener The user pool client must have a client secret. This is the client ID exported by the amplify tools to my React Native app in aws-exports.js.
If I choose the App Client associated with the [poolid]_app_client I get Error creating listener OAuth flows must be enabled in the user pool client.
Not sure how to proceed. Is ALB the way to go or API Gateway?
You should have made appropriate changes in "User Pools -> App Integration -> App client" settings for your client
API Gateway makes this much more straightforward. After I went through Create API, I was able to create an Authorizer that connected with my Cognito User Pool (the clientWeb one). Then, after creating endpoint Resources, I associated them with the authorizer in the Method Request section of their configuration.
I could then send the identity token I get from Amplify:
(await Auth.currentSession()).idToken.jwtToken
as an HTTP header value to the endpoints I configured.
I’m currently working on integrating an application using Cognito with external IdPs (ADFS) using SAML. I have done the following steps for my user pool
1)I have created a SAML identity provider by importing the metadata of my ADFS server and enabled the signout flow checkbox.
2)Added the relying party trusts in the ADFS server for my userpool. Configured the singin end point as https://.auth..amazoncognito.com/saml2/idpresponse and logout endpoint as https://.auth..amazoncognito.com/saml2/logout.
3)Imported signing certificate from cognito to the relying party trust signature section.
When I am logging in it is asking for username and password of my Active directory. But During logout the request is going to /saml/logout endpoint and I am getting a successful response. Cognito cookie is getting cleared from the browser. But my ADFS cookies still remains in the browser. Next time When I am logging it my ADFS credentials are getting picked up from the browser. Cognito signout flow is unable to clear the federated IDP's cookies even when sign out flow is enabled. How can I fix this?
although this is not an answer for your question I would like to know how you managed to authenticate users using SAML Idp?
I've setup SAML Idp and enable it in my app client.
I am trying to log in using and android app that has 2 text fields for username and password and a login button.
I get UserNotFoundException. I followed Amazon documentation and cannot find a way to get over it. I'm confused.
Funny thing is that everything works flawlessly when I log in using the auto generated UI by Cognito that is accesses using below format.
Cognito Auto Generated UI
WSO2 IS: 5.0.0 with service pack
documentation: https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
I added the travelocity.com service provider according the document.
run http://localhost:8080/travelocity.com and got authentication error. So I tried to check and modify inbound Authentication Configuration > SAML2 Web SSO Configuration, all I see is "Configure" link. Click the link, it shows "New Service Provider" page with "Register" and "Cancel" buttons. If I click Register button, I got duplicate service provider error. Does the UI support modifying SAML2 Web SSO Configuration?
I then deleted the Service Provider and add the travelocity.com service provider from scratch. However, I got duplicate service provider error too when I configure 'SAML2 Web SSO Configuration'
I am stuck. How can I get rid of duplicate service provider error?
Probably, you may have configured an another SAML2 SSO configuration with same issuer name. You can browse the registry and go to the /_system/config/repository/identity/SAMLSSO location and delete the SAML2 SSO configuration that can be found there. Then retry again.
If not, you can try with some other issuer name and see.. As in doc,then you need to provide a new issuer name in the travelocity.com application.
SAML.IssuerID=travelocitynew.com
Then in the SAML2 SSO configuration of the WSO2IS, you can create the configuration with new issuer name which is travelocitynew.com
If you try with fresh WSO2IS SP1, we can not see this issue.
The document missed one step: click 'Update' button to save whole configuration after clicking Register button new SAML2 Web SSO Configuration. Anyway, I believe it still a bug in the web console of WSO2IS.
What I did is to reinstall WSO2IS+service pack from scratch and configure it again.