I am creating an EUC Dashboard in AWS by following this tutorial.
SSO is the IdP and a Cognito User Pool is the SP. I created a user in SSO who can sign-in and see the Dashboard via the direct CloudFront URL.
When trying to log in via the User Portal (clicking on the Dashboard app in the User Portal) with this link https://d-NUMBER.awsapps.com/start/#/saml/default/dashboard/ins-NUMBER
I get this response from Cognito:
https://APP-NAME.auth.eu-central-1.amazoncognito.com/error?error=Invalid_samlResponse_or_relayState_from_identity_provider
By looking at the request that is sent I can see that the RelayState is empty and the SAML response contains my e-mail as expected.
How do the two types of sign-in differ and why doesn't the User Portal method work?
I found the solution to this:
In the configuration for the SSO application, under Application properties, I set Application start URL to the CloudFront URL: https://ID.cloudfront.net/index.html
This is probably only a workaround to the issue but it works.