AWS SSO External SAML Identity Provider Invalid MFA Credentials Error - amazon-web-services

I am trying to setup the new AWS SSO service with an external SAMLv2 based IdP. I have tried to configure the service with both KeyCloak and Okta to no avail. I follow the Okta instructions from https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html. I can trigger an SP initiated login through my AWS SSO url and get properly re-directed to my Okta IdP page. After successfully signing in, I am re-directed back to AWS, but get an error page that says 'Invalid MFA Credentials'.
Screenshot of 'Invalid MFA Credentials' Error
I am not having any luck finding logs in CloudTrail to see what is going on that match this event. Does anyone know where I could start looking for how to move forward?

Related

Not able to open AWS QuickSight after migration from GSuite to Office 365

I recently migrated my email mailbox and management from GSuite to Microsoft Office 365. After this I am getting the below error while opening QuickSight from my AWS account.
The AWS principal tag corresponding to “PrincipalTag:Email” in your SAML assertion or OIDC token is either an invalid email or not present. Please reach out to your QuickSight account’s admin to ensure that the email address for this AWS principal tag is correct.
Please let me know if you have any solution or document to resolve this.
I checked many AWS SSO documents but none are helping. I am using Cognito as IdP.

AWS Elasticsearch Service (Kibana) SAML Auth with AWS Single Sign On

I am trying to setup this authentication (new method without cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign-On as documented here: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
And setup SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?
You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to successfully login using the AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
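The two threads above (the QuickSight "PrincipalTag:Email" error and the Kibana roles-key mapping) both come down to what is actually inside the SAML assertion. The following is an added example, not code from the original answers or from AWS: a small Python script that parses an assertion (for instance the one captured with the "Shift+Click" trick), lists NameID, audience and attributes, and reports common mismatches. The sample assertion is constructed; the issuer, audience and "Role" attribute name are placeholders, and the email attribute uses the AWS session-tag naming convention (https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email), which is an assumption about how the tag is carried, so check the name your service expects against its documentation.

```python
"""Summarise a SAML 2.0 assertion and check the attributes a service provider needs.

Uses the standard library parser for brevity; for assertions from untrusted
sources use defusedxml.ElementTree instead.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]
# Assumed attribute name following the AWS PrincipalTag convention.
EMAIL_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (not captured from any real IdP; no signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/sso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>kibana-admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def summarize_assertion(xml_text):
    """Return issuer, NameID, audiences and attributes of an Assertion or Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    issuer = assertion.find("saml:Issuer", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text],
        "attributes": attributes,
    }


def check_assertion(summary, expected_audience, required_attrs, email_attrs=()):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    problems = []
    if not summary["name_id"]:
        problems.append("missing NameID (SP cannot identify the user)")
    if expected_audience not in summary["audiences"]:
        problems.append("audience mismatch: got %r, expected %r"
                        % (summary["audiences"], expected_audience))
    for name in required_attrs:
        if not summary["attributes"].get(name):
            problems.append("required attribute %r missing or empty" % name)
    for name in email_attrs:
        for value in summary["attributes"].get(name, []):
            if not EMAIL_RE.match(value):
                problems.append("attribute %r is not a valid email: %r" % (name, value))
    return problems


if __name__ == "__main__":
    summary = summarize_assertion(SAMPLE_ASSERTION)
    for key, value in summary.items():
        print("%-15s %s" % (key, value))
    print("problems:", check_assertion(summary, "https://sp.example.test/metadata",
                                       ["Role"], [EMAIL_ATTR]))
```

Run it against the real assertion by pasting the decoded XML in place of SAMPLE_ASSERTION and setting expected_audience to the "Application SAML audience" value and required_attrs to the attribute named in "Roles key"; any entry in the returned list is a concrete mapping to fix on the IdP side.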

Error while doing IdP initiated login using AWS Cognito

I am using OneLogin as IdP and AWS Cognito as SP. SP initiated login is working fine. But when I click on App Portal / Home -> on my application, it redirects to Cognito with the error prompt "Invalid relayState from identity provider".
I checked that the relay state parameter in the OneLogin configuration is correct, like https://***:81/login, which is our login page URL.
Cognito only supports SP initiated flow.
So the flow must go Cognito Authorize endpoint -> IDP -> back to Cognito.

Cognito Signout flow not clearing cookies of ADFS from browser

I’m currently working on integrating an application using Cognito with external IdPs (ADFS) using SAML. I have done the following steps for my user pool
1) I have created a SAML identity provider by importing the metadata of my ADFS server and enabled the signout flow checkbox.
2) Added the relying party trust in the ADFS server for my user pool. Configured the sign-in endpoint as https://.auth..amazoncognito.com/saml2/idpresponse and the logout endpoint as https://.auth..amazoncognito.com/saml2/logout.
3) Imported the signing certificate from Cognito into the relying party trust signature section.
When I am logging in it is asking for the username and password of my Active Directory. But during logout the request is going to the /saml/logout endpoint and I am getting a successful response. The Cognito cookie is getting cleared from the browser, but my ADFS cookies still remain in the browser. The next time I log in, my ADFS credentials are getting picked up from the browser. The Cognito signout flow is unable to clear the federated IdP's cookies even when the sign out flow is enabled. How can I fix this?
Although this is not an answer to your question, I would like to know how you managed to authenticate users using a SAML IdP?
I've set up a SAML IdP and enabled it in my app client.
I am trying to log in using an Android app that has 2 text fields for username and password and a login button.
I get UserNotFoundException. I followed the Amazon documentation and cannot find a way to get over it. I'm confused.
The funny thing is that everything works flawlessly when I log in using the auto generated UI by Cognito that is accessed using the below format.
Cognito Auto Generated UI

WSO2 Identity Server 5.0 - Can't perform single logout

Whenever I perform logout in one of my service providers I always get the same error message:
Not a valid SAML 2.0 Request Message!
The message was not recognized by the SAML 2.0 SSO Provider. Please check the logs for more details.
Let's take Salesforce for example... I have tried configuring it with https://myidpdomain:9443/samlsso and https://myidpdomain:9443/samlsso?wa=wsignout1.0 in the "Identity Provider Logout URL" setting.
The same with Zendesk...
For both these service providers I have enabled the single logout checkbox in the SAML Inbound Authentication configuration.
The single sign on works fine.
Are you using SAML2 SSO Web Browser or Passive STS? In the SAML2 SSO web browser profile, you cannot send wa=wsignout1.0 for logout. It is not valid. Therefore the above error has been generated. wa=wsignout1.0 is used in the Passive STS profile, not in SAML2 SSO. If you are using the /samlsso endpoint in WSO2IS, it means that you are using SAML2 SSO. Therefore, you must send a proper logout request to the /samlsso endpoint. If you need to get more idea about SSO logout with SAML2 SSO, please go through this.
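To make the distinction in the answer above concrete, here is an added Python example (not code from the original thread or from WSO2) that builds a minimal SAML 2.0 LogoutRequest, encodes it the way the HTTP-Redirect binding requires (raw DEFLATE, then base64, then URL-encoding into a SAMLRequest parameter) and, going the other way, tells apart a URL carrying such a request from a WS-Federation wa=wsignout1.0 sign-out. The issuer, NameID and session index are constructed placeholders; the destination reuses the /samlsso URL from the question. The request is left unsigned here, so if the IdP requires signed logout requests the SigAlg and Signature parameters still have to be added.

```python
"""Build, encode and classify SAML 2.0 single-logout requests (HTTP-Redirect binding)."""
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, name_id, destination, session_index=None,
                         request_id=None, issue_instant=None):
    """Return the XML of an unsigned samlp:LogoutRequest as a string."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}LogoutRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(root, "{%s}Issuer" % SAML).text = issuer      # the SP entity id
    ET.SubElement(root, "{%s}NameID" % SAML).text = name_id     # the subject to log out
    if session_index:
        ET.SubElement(root, "{%s}SessionIndex" % SAMLP).text = session_index
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_text, relay_state=None):
    """Encode XML into the query string used by the HTTP-Redirect binding."""
    # The binding specifies raw DEFLATE (no zlib header), hence wbits = -15.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query_string):
    """Reverse encode_redirect: return the XML carried in SAMLRequest."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def classify_logout_url(url):
    """Say which logout protocol a URL speaks: SAML2 LogoutRequest, WS-Fed sign-out, or unknown."""
    query = urlparse(url).query
    params = parse_qs(query)
    if "SAMLRequest" in params:
        root = ET.fromstring(decode_redirect(query))
        return "saml2-logoutrequest" if root.tag == "{%s}LogoutRequest" % SAMLP else "saml2-other"
    if params.get("wa") == ["wsignout1.0"]:
        return "wsfed-signout"
    return "unknown"


if __name__ == "__main__":
    xml_text = build_logout_request("https://sp.example.test", "alice@example.test",
                                    "https://myidpdomain:9443/samlsso", session_index="s1")
    url = "https://myidpdomain:9443/samlsso?" + encode_redirect(xml_text, relay_state="/home")
    print(url)
    print(classify_logout_url(url))
    print(classify_logout_url("https://myidpdomain:9443/samlsso?wa=wsignout1.0"))
```

The classifier is useful for checking what a service provider is actually sending: the WSO2 error in the question is exactly what you get when the second kind of URL (a WS-Federation sign-out) reaches an endpoint that only understands the first.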