AWS Org & Azure AD SSO - Sign In Issue
after hours of debugging powershell and IAM permission errors, I'm almost done creating an Azure AD to AWS Org SSO PoC. I've been following this guide and the last bit of it is to visit this link http://myapps.microsoft.com, and then magic is supposed to happen.... but it doesn't :(. For some reason, I'm getting prompted for credentials from Microsoft even though I'm logged in, and I've tried many combinations of my userID login to get in. Has anyone come across this issue (screenshot) when attempting to get Azure AD and AWS Orgs. I've double checked my attributes/claims & registration manifest but can't pinpoint the cause. Any help would be much appreciated, and if I find the root cause I'll be sure to post the resolution.
Not sure if this is helpful, but after I put in my creds, it redirects me to this link:
https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?error=access_denied&error_description=AADSTS650057%3a+Invalid+resource.+The+client+has+requested+access+to+a+resource+which+is+not+listed+in+the+requested+permissions+in+the+client%27s+application+registration.+Client+app+ID%3a+0000000c-0000-0000-c000-000000000000(Microsoft+App+Access+Panel).+Resource+value+from+request%3a+84c029fc-2409-4373-a521-9e8fc98b78df.+Resource+app+ID%3a+84c029fc-2409-4373-a521-9e8fc98b78df.+List+of+valid+resources+from+app+registration%3a+.%0d%0aTrace+ID%3a+7c91fc7e-37c5-42e6-bebd-ab66fc113400%0d%0aCorrelation+ID%3a+50aa777c-7fc1-4a17-8a56-fe22944257f8%0d%0aTimestamp%3a+2019-06-21+21%3a00%3a30Z&state=U2luZ2xlU2lnbk9uVHlwZT1QYXNzd29yZCZvcGVyYXRpb249QXV0aENvZGUmYXBwbGljYXRpb25JZD04NGMwMjlmYy0yNDA5LTQzNzMtYTUyMS05ZThmYzk4Yjc4ZGYmYWNjb3VudD0%3d
For my issue, I had a problem with my basic SAML configuration in the Azure portal. By default the Entity ID was placed as a placeholder and never actually saved to be https://signin.aws.amazon.com/saml. Once I went in there, selected modify, and pasted it in, everything worked as expected and I was able to assume the role. Hope this helps folks in the future.
- How to use MFA with AWS CLI?
- How do I get the URL for the item using the Amazon API
- How to make links work with exported sites when hosted on AWS Cloudfront?
- Error launching CloudFormation Template for CloudHSM
- Glacier as Resource in CloudFormation template?
- how to secure keys for API calls from android device to amazon services
- Why is this IAM policy denying access with an MFA session?
- AWS Lambda Function Trigger API Gateway Issue
- GetMyFeesEstimate API Amazon vba
- AWS Cloudformation !Ref SecurityGroup returns an invalid ID
- How to set up AWS Client VPN with Keycloak as IdP
- How to view/identify which process taking how much memory?
- using bottlenose in python to extract product price from Amazon in different locale
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Amazon QuickSight Connects Over Internet Instead of VPC to Public Redshift Cluster
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- AWS ElastiCache in cluster mode has no Primary / Reader endpoints
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally