AWS Elasticsearch Service (Kibana) SAML Auth with AWS Single Sign On - amazon-web-services

I am trying to set up this authentication (new method without Cognito) but can't get it working.
I created a custom SAML app in AWS Single Sign On as documented here: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
And set up SAML on the Elasticsearch Service domain as documented here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
When following the Kibana URL from the Elasticsearch Service console I get redirected properly to AWS SSO but I hit an opendistro error message "SAML authentication error The SAML authentication failed. Please contact your administrator."
Am I missing a step with attribute mapping or something else that is not documented clearly? Has anyone else gotten this to work and what are your configuration settings?

You can "Shift+Click" on the AWS SSO Custom Application to see the assertion before it gets sent to OpenDistro. This helped me find what the username was that I was sending.
I added that username under the AWS ES "SAML master username (optional)" field and I was able to successfully log in using AWS SSO.
I then went and added a hardcoded group value under the AWS SSO Mappings for that Custom App, added the same string under the AWS ES "SAML master backend role (optional)" and specified under the "Optional SAML Settings" the string I used to map this under "Roles key" so that it matches.
I checked the assertion using the "Shift+Click" and verified that things were looking ok and I had "group" authentication as well :)
I noticed that I did not require the "Application start URL".
All of this is once you have the rest of things correctly configured such as "Application ACS URL", "Application SAML audience" and the others.
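One way to check the assertion fields the answer above refers to (NameID against the "SAML master username", the group attribute against the "SAML master backend role" and "Roles key"). This is an added example, not code from the original post; the attribute name "Role", the sample assertion and the domain settings are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like the one AWS SSO sends for a custom app.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>kibana-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Values as they would be entered in the AWS ES console (assumed for this example).
DOMAIN_CONFIG = {
    "master_username": "alice@example.com",  # "SAML master username (optional)"
    "master_backend_role": "kibana-admins",   # "SAML master backend role (optional)"
    "roles_key": "Role",                      # "Roles key" under "Optional SAML Settings"
}


def extract_identity(assertion_xml, roles_key):
    """Return (name_id, [roles]) from an Assertion element, using the configured roles key."""
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == roles_key:
            roles.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, roles


def check_mapping(assertion_xml, config):
    """Return a list of human-readable mismatches; an empty list means the mapping lines up."""
    name_id, roles = extract_identity(assertion_xml, config["roles_key"])
    findings = []
    if name_id is None:
        findings.append("assertion has no NameID, so no username can be derived")
    elif name_id != config["master_username"]:
        findings.append(f"NameID {name_id!r} does not match master username {config['master_username']!r}")
    if not roles:
        findings.append(f"no attribute named {config['roles_key']!r}; check the Roles key spelling")
    elif config["master_backend_role"] not in roles:
        findings.append(f"backend role {config['master_backend_role']!r} not among assertion roles {roles}")
    return findings
```

Paste the decoded assertion from the Shift+Click view into `SAMPLE_ASSERTION` and the console values into `DOMAIN_CONFIG`; each returned finding names the field to correct.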

Related

How to integrate RazerID as OIDC Provider in AWS Cognito?

Good day. I need help with integration of RazerID into my app as custom OIDC provider in Cognito. I have done all the configurations in the user pool and when I try to log in through Hosted UI it redirects me to Razer page, then I log in, it redirects me back to localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
When I check the network section I am getting the code and state.
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?

Google SAML SSO is not sending UserId attribute

We have an application which can be launched via SAML launch. Our customers are using Google SAML launch. Recently we have observed a few scenarios where the SAML launch is missing the UserId attribute. Upon detailed investigation we found that the referrer URL for a failed launch is missing the "from_login=1" query string. However, successful launches have the "from_login=1" query string.
I am guessing that the failed users are not signing into Google before trying to do the SAML launch, or somehow Google is failing to read the cookie because of some browser restriction and is not able to send it through. Could someone please guide me on the same?

AWS SSO External SAML Identity Provider Invalid MFA Credentials Error

I am trying to set up the new AWS SSO service with an external SAMLv2 based IdP. I have tried to configure the service with both KeyCloak and Okta to no avail. I follow the Okta instructions from https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html. I can trigger an SP initiated login through my AWS SSO URL and get properly redirected to my Okta IdP page. After successfully signing in, I am redirected back to AWS, but get an error page that says 'Invalid MFA Credentials'.
Screenshot of 'Invalid MFA Credentials' Error
I am not having any luck finding logs in CloudTrail to see what is going on that match this event. Does anyone know where I could start looking for how to move forward?

I'm trying to integrate AWS Cognito with Azure Ad for single sign on, but the page login.live.com/oauth20_authorize.srf is throwing a 404 error?

When trying to log in via my AWS Cognito login page via Azure AD with email@live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx@live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working as correctly, without any errors.
Problem:
When trying to log in via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: xxx@live.com; after clicking next, instead of a password prompt the page throws a 404 error.
Also tried inviting another user with email xxx@mydomain.com; this also results in the same 404 error.
Tried in different browsers: chrome, firefox, safari. All result in the exact same error.
Azure AD SSO SAML2.0 integration doesn't work well with personal accounts.
Integrating with OIDC on the other hand works really well.
Azure AD integration with AWS Cognito.

Shopify and AWS Cognito OIDC

I'm trying to use Shopify as an AWS Cognito User Pool "federated identity provider". Ostensibly, it seems to follow the OIDC protocol. However, there seems to be scant information on the format of the ProviderDetails field in the AWS API call, and I can't seem to figure out how to correctly pass the Issuer for Shopify. I've tried to do it through the console as well, but keep getting the message:
Discovery returned no results. Check the issuer and run discovery again or manually add the required fields below.
I suspect that, due to Shopify's multitenancy model, I'll never get a single set of OIDC parameters -- it seems to suggest there is a different URL for each shop.
Is there documentation on either (a) how to set up Shopify as an OIDC provider -- including Issuer, Authorization Endpoint, Token Endpoint, etc. -- or (b) why Shopify does not match the OIDC standard?