Tags: amazon-web-services, oauth-2.0, azure-active-directory, amazon-cognito, saml-2.0

I'm trying to integrate AWS Cognito with Azure AD for single sign-on, but the page login.live.com/oauth20_authorize.srf is throwing a 404 error?

When trying to log in via my AWS Cognito login page via Azure AD with [email protected] credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.

Steps:

  • Created an Azure AD Enterprise Non Gallery Application.
  • Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
  • Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
  • Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
  • Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
  • Enabled the AzureAd identity provider under App Client Settings on Cognito.
  • Allowed OAuth Flows: Authorization code grant, Implicit grant.
  • Invited an existing [email protected] user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
  • Validated SSO from Enterprise Application > SSO > Validate. It's working correctly, without any errors.

Problem:

  • When trying to log in via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: [email protected]; after clicking Next, instead of a password prompt the page throws a 404 error.
  • Also tried with inviting another user with email: [email protected], this also results in the same 404 error.
  • Tried in different browsers: Chrome, Firefox, Safari. All result in the exact same error.
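Added example, not code from the original post: a pre-upload sanity check of the Azure AD Federation Metadata XML from the fourth step above, verifying that the file Cognito will trust names the expected tenant, carries a signing certificate and advertises an SSO endpoint under login.microsoftonline.com. The tenant id and the metadata sample are constructed placeholders, and the certificate is a fake DER blob, not a real Azure AD certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}


def check_idp_metadata(xml_text, tenant_id):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    # Azure AD publishes https://sts.windows.net/<tenant-id>/ as the IdP entityID
    if root.get("entityID") != f"https://sts.windows.net/{tenant_id}/":
        problems.append(f"unexpected entityID {root.get('entityID')!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: not identity-provider metadata"]
    # Cognito verifies the SAML response signature with the published cert, so at
    # least one signing KeyDescriptor must carry a base64-encoded DER certificate
    good_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                try:
                    der = base64.b64decode("".join((cert.text or "").split()), validate=True)
                except ValueError:
                    continue
                good_certs += der[:1] == b"\x30"  # 0x30 = DER SEQUENCE, start of an X.509 cert
    if not good_certs:
        problems.append("no usable signing certificate")
    # Cognito needs an HTTPS Redirect/POST SSO endpoint, served for a tenant under this prefix
    prefix = f"https://login.microsoftonline.com/{tenant_id}/"
    sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in SSO_BINDINGS]
    if not any(loc.startswith(prefix) for loc in sso):
        problems.append(f"no SSO endpoint under {prefix}: {sso}")
    return problems


# Constructed sample: placeholder tenant id and a fake DER blob standing in for the cert
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x0bconstructed").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `check_idp_metadata(open("FederationMetadata.xml").read(), "<your tenant id>")` on the downloaded file; a non-empty list means the file should not be uploaded as-is.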

Solution

  • Azure AD SSO SAML2.0 integration doesn't work well with personal accounts. Integrating with OIDC on the other hand works really well.

    Azure AD integration with AWS Cognito.