We have an application which can be launched via SAML launch. Our customers are using Google SAML launch. Recently we have observed a few scenarios where the SAML launch is missing the Userid attribute. Upon detailed investigation we found that the referrer URL for the failed launch is missing the "from_login=1" querystring. However, successful launches have the "from_login=1" querystring.
I am guessing that failed users are not signing into Google and are trying to do the SAML launch, or somehow Google is failing to read the cookie because of some browser restriction and is not able to send it through. Could someone please guide me on the same?
Related
Good day. I need help with integration of RazerID into my app as custom OIDC provider in Cognito. I have done all the configurations in the user pool and when I try to log in through Hosted UI it redirects me to Razer page, then I log in, it redirects me back to localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
When I check the network section I am getting the code and state.
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?
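The error text in the callback ("Could not match the desired key identifier within the list of keys") describes a key-identifier lookup failure: the `kid` in the ID token's JOSE header has no matching entry in the JWKS the relying party fetched. The following added example (not code from the post, Cognito, or Razer) shows how to inspect that yourself before re-running the Hosted UI flow. The token, the JWKS document, and the hypothetical `make_unsigned_jwt` helper are constructed test data; nothing here verifies a signature, it only answers "which key would be needed, and is it published?"

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature.

    Constructed test data only: a real token carries a signature, but the kid
    lookup shown below happens before any signature is checked.
    """
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict):
    """Locate the JWK the token claims it was signed with.

    Returns (jwk, "ok") on a match, or (None, reason) describing why a
    validator would reject the token before signature verification.
    """
    header = jwt_header(token)
    kid = header.get("kid")
    alg = header.get("alg")
    keys = jwks.get("keys", [])
    published = [k.get("kid") for k in keys]
    if kid is None:
        return None, f"token header has no kid; JWKS publishes {published}"
    for jwk in keys:
        if jwk.get("kid") != kid:
            continue
        if alg and jwk.get("alg") and jwk["alg"] != alg:
            return None, f"kid {kid!r} found but token alg {alg} != key alg {jwk['alg']}"
        return jwk, "ok"
    return None, f"no key with kid {kid!r} in JWKS; published kids: {published}"


# Constructed JWKS, as a relying party would fetch from the provider's jwks_uri.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-1", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# Three constructed tokens: a kid that is published, one that is not, and none at all.
TOKEN_OK = make_unsigned_jwt({"alg": "RS256", "kid": "key-1", "typ": "JWT"}, {"sub": "u1"})
TOKEN_BAD_KID = make_unsigned_jwt({"alg": "RS256", "kid": "key-9", "typ": "JWT"}, {"sub": "u1"})
TOKEN_NO_KID = make_unsigned_jwt({"alg": "RS256", "typ": "JWT"}, {"sub": "u1"})

if __name__ == "__main__":
    for name, tok in [("ok", TOKEN_OK), ("bad kid", TOKEN_BAD_KID), ("no kid", TOKEN_NO_KID)]:
        jwk, reason = find_signing_key(tok, SAMPLE_JWKS)
        print(f"{name:8s} -> {reason}")
```

To apply it to a real flow, paste the `id_token` captured from the token response and the JSON from the provider's published `jwks_uri`; if the reported `kid` is absent from the JWKS (or the header carries none), the provider's key publication is what needs fixing, not the Cognito app client.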
I'm looking for a solution to the following problem. I've configured an AWS Managed Grafana workspace to work with Google's G Suite SSO as a custom SAML 2.0 authentication provider according to step 14 of these AWS directions. When I try to log in to the managed AWS Grafana workspace I get the following error:
Failed to save the SAML received information
I've worked with Google support, and they assure me everything is set up correctly on their side. When using the Test SAML logon feature on the Web Application portal in G Suite I get this error:
corresponding relay state is not found: https://...
Note: Grafana is not in G Suite's Pre-Integrated SAML Apps Catalog. Also, OAuth is not an option in Amazon's managed Grafana for authentication.
The problem was solved by unchecking the Signed Response checkbox in the G Suite Application console. The relevant AWS recipe is here.
I am trying to set up this authentication (new method without Cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign-On as documented here: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
And setup SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?
You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to successfully log in using the AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
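The answer above diagnoses the failure by looking at the assertion itself: what NameID the IdP sends, and whether the attribute named under "Roles key" actually carries the value configured as the backend role. The following added example (not code from the answer, AWS SSO, or OpenDistro) decodes a base64 SAMLResponse, pulls out those fields, and compares them with the domain-side settings. The XML response, the hostnames, and the `check_opendistro_mapping` helper are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response (a real one carries a Signature element).
SAMPLE_RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-01-01T00:00:00Z">
  <saml2:Issuer>https://sso-idp.example.com</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml2:Issuer>https://sso-idp.example.com</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://search-mydomain.example.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Role">
        <saml2:AttributeValue>kibana-admins</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(encoded: str) -> dict:
    """Decode a base64 SAMLResponse and summarise the fields the SP will map.

    Diagnostic for an assertion you captured from your own IdP; for untrusted
    input use a hardened XML parser (for example the defusedxml package).
    """
    root = ET.fromstring(base64.b64decode(encoded))
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no plain Assertion (encrypted, or not a Response)")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    audience = assertion.find("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": (assertion.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
        "attributes": attributes,
    }


def check_opendistro_mapping(info: dict, master_username: str, roles_key: str,
                             master_backend_role: str) -> list:
    """Compare assertion contents with the domain's SAML settings; empty list = consistent."""
    problems = []
    if info["name_id"] != master_username:
        problems.append(f"NameID {info['name_id']!r} != SAML master username {master_username!r}")
    roles = info["attributes"].get(roles_key)
    if roles is None:
        problems.append(f"no attribute named {roles_key!r}; sent: {sorted(info['attributes'])}")
    elif master_backend_role not in roles:
        problems.append(f"backend role {master_backend_role!r} not in {roles_key!r} values {roles}")
    return problems


if __name__ == "__main__":
    info = inspect_saml_response(SAMPLE_RESPONSE_B64)
    print(info)
    print(check_opendistro_mapping(info, "alice@example.com", "Role", "kibana-admins"))
```

Run it against the SAMLResponse you see via the Shift+Click trick, with the exact strings you typed into "SAML master username", "Roles key" and "SAML master backend role"; any line it prints is a mismatch that the generic "SAML authentication failed" banner hides.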
I'm trying to use Shopify as an AWS Cognito User Pool "federated identity provider". Ostensibly, it seems to follow the OIDC protocol. However, there seems to be scant information on the format of the ProviderDetails field in the AWS API call, and I can't seem to figure out how to correctly pass the Issuer for Shopify. I've tried to do it through the console as well, but keep getting the message:
Discovery returned no results. Check the issuer and run discovery again or manually add the required fields below.
I suspect that, due to Shopify's multitenancy model, I'll never get a single set of OIDC parameters -- it seems to suggest there is a different URL for each shop.
Is there documentation on either (a) how to set up Shopify as an OIDC provider -- including Issuer, Authorization Endpoint, Token Endpoint, etc. -- or (b) why Shopify does not match the OIDC standard?
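"Discovery returned no results" means the console could not turn the Issuer value into a usable discovery document: the provider must serve `<issuer>/.well-known/openid-configuration`, and that document must echo the same `issuer` and name the endpoints Cognito asks for (authorization, token, userinfo, JWKS). The following added example (not code from the question, Cognito, or Shopify) derives the discovery URL and checks a fetched document against those requirements; the sample documents and hostnames are constructed, and `REQUIRED_FIELDS` is the author's assumption about what the console's manual fields correspond to.

```python
import json
import urllib.request

# Fields the Cognito console asks for when discovery cannot fill them in
# (assumed mapping of console fields to discovery-document keys).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Per OpenID Connect Discovery, the document lives under the issuer's path."""
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, doc: dict) -> list:
    """Return a list of reasons this document would not satisfy a relying party."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing {field}")
    # The spec requires the published issuer to match the configured one exactly.
    if doc.get("issuer") and doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc['issuer']!r}")
    for field in REQUIRED_FIELDS[1:]:
        value = doc.get(field)
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not https: {value!r}")
    types = doc.get("response_types_supported")
    if types is not None and "code" not in types:
        problems.append("authorization code flow not advertised in response_types_supported")
    return problems


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live document (network access; not exercised by the offline sample)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


# Constructed documents: one complete, one with the two most common defects.
GOOD_ISSUER = "https://login.example-idp.com"
GOOD_DOC = {
    "issuer": GOOD_ISSUER,
    "authorization_endpoint": GOOD_ISSUER + "/oauth/authorize",
    "token_endpoint": GOOD_ISSUER + "/oauth/token",
    "userinfo_endpoint": GOOD_ISSUER + "/oauth/userinfo",
    "jwks_uri": GOOD_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
}
# A per-tenant issuer whose document reports a different (shared) issuer and no userinfo.
TENANT_ISSUER = "https://shop-one.example-idp.com"
TENANT_DOC = {
    "issuer": "https://accounts.example-idp.com",
    "authorization_endpoint": "https://accounts.example-idp.com/oauth/authorize",
    "token_endpoint": "https://accounts.example-idp.com/oauth/token",
    "jwks_uri": "https://accounts.example-idp.com/.well-known/jwks.json",
}

if __name__ == "__main__":
    print(discovery_url(TENANT_ISSUER))
    print(validate_discovery(GOOD_ISSUER, GOOD_DOC))
    print(validate_discovery(TENANT_ISSUER, TENANT_DOC))
```

If `fetch_discovery` on the Issuer you entered returns 404 or a document whose `issuer` differs from the URL you configured, the console's discovery step will fail the same way, and the manual fields have to be filled from whatever endpoints the provider documents instead.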
I'm currently working on integrating an application using Cognito with external IdPs (ADFS) using SAML. I have done the following steps for my user pool:
1) I have created a SAML identity provider by importing the metadata of my ADFS server and enabled the sign-out flow checkbox.
2) Added the relying party trusts in the ADFS server for my user pool. Configured the sign-in endpoint as https://.auth..amazoncognito.com/saml2/idpresponse and the logout endpoint as https://.auth..amazoncognito.com/saml2/logout.
3)Imported signing certificate from cognito to the relying party trust signature section.
When I am logging in it is asking for the username and password of my Active Directory. But during logout the request is going to the /saml/logout endpoint and I am getting a successful response. The Cognito cookie is getting cleared from the browser, but my ADFS cookies still remain in the browser. The next time I log in, my ADFS credentials are getting picked up from the browser. The Cognito sign-out flow is unable to clear the federated IdP's cookies even when the sign-out flow is enabled. How can I fix this?
Although this is not an answer to your question, I would like to know how you managed to authenticate users using a SAML IdP.
I've set up a SAML IdP and enabled it in my app client.
I am trying to log in using an Android app that has 2 text fields for username and password and a login button.
I get UserNotFoundException. I followed the Amazon documentation and cannot find a way to get over it. I'm confused.
The funny thing is that everything works flawlessly when I log in using the auto-generated UI by Cognito that is accessed using the format below.
Cognito Auto Generated UI