SSO Fix for using AWS with Azure AD Premium

If you are trying to use the Microsoft-provided step-by-step guide for AWS SSO, there are several major issues or omissions in the document. The original can be found here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-amazon-web-service/

First, as an omission (or a change since the document was written): when assigning a Role, it will also ask you to assign a policy. Just pick the policy that matches the permissions you wish to give the users who are connecting this way.

Second, when you complete the step-by-step guide, you will most likely encounter one of the following errors:

  • Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,32} (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

or

  • Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

While the first issue is pretty minor and you would probably be able to figure out what you need to do, the second issue is pretty big. The reason for this error is that the instructions tell you to copy and paste unique IDs which won’t be valid for your environment. In this case, your connection strings depend on your role name and provider name as well as the unique ID. You’ll have to look these up in your AWS portal under: IAM > Roles > [Whatever you named your Role]

In this case, I called my Role “AWS_Administrator”.

As for the unique ID: pretty much everything in AWS’s IAM pages has an ARN, and you need to point to the unique ARNs of your own environment. Look up your Role ARN on that Role’s page.

Next, look at the bottom of that page to find your Provider ARN.

Merge those two ARNs in the following format:

arn:aws:iam::[Unique ID]:role/[RoleName],arn:aws:iam::[Unique ID]:saml-provider/[ProviderName]

That merged string is the value to use for the “https://aws.amazon.com/SAML/Attributes/Role” attribute.

Lastly, as another error, the author recommends configuring the “https://aws.amazon.com/SAML/Attributes/RoleSessionName” attribute with “User:Email”, which is simply invalid and would be passed through as a literal constant. Instead, use User.Email or UserPrincipalName.
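To catch both mistakes before sending another assertion to AWS, here is an added Python check (not from the original post, the Microsoft guide, or AWS) that parses a SAML AttributeStatement and applies the rules above: RoleSessionName must be present and match the pattern quoted in the first error, and every Role value must pair a role ARN with a saml-provider ARN from the same account. The account ID, role name and provider name in the constructed samples are placeholders, not real values.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Character class and length quoted in the AWS error message above.
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,32}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,./@-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def check_aws_saml_attributes(attribute_statement_xml):
    """Return a list of problems in a SAML AttributeStatement; an empty list means it looks valid."""
    root = ET.fromstring(attribute_statement_xml)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall(NS + "AttributeValue")]
             for a in root.iter(NS + "Attribute")}
    problems = []
    session = (attrs.get(SESSION_ATTR) or [""])[0].strip()
    if not session:
        problems.append("RoleSessionName is required in AuthnResponse")
    elif not SESSION_NAME_RE.match(session):
        # An unresolved claim sent as the literal string 'User:Email' fails here (':' is not allowed).
        problems.append(f"RoleSessionName {session!r} must match [a-zA-Z_0-9+=,.@-]{{2,32}}")
    roles = attrs.get(ROLE_ATTR)
    if not roles:
        problems.append("Role attribute is missing")
    for value in roles or []:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            problems.append(f"Role value {value!r} must be '<role ARN>,<saml-provider ARN>'")
            continue
        # AWS accepts the two ARNs in either order; normalise to (role, provider) before matching.
        role, provider = parts if ":role/" in parts[0] else parts[::-1]
        rm, pm = ROLE_ARN_RE.match(role), PROVIDER_ARN_RE.match(provider)
        if not rm or not pm:
            problems.append(f"Role value {value!r} is not a role ARN + saml-provider ARN pair")
        elif rm.group(1) != pm.group(1):
            problems.append(f"Role value {value!r} mixes account IDs {rm.group(1)} and {pm.group(1)}")
    return problems


def _statement(role_value, session_value):  # constructed test data, not a captured Azure AD response
    return (f'<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<Attribute Name="{ROLE_ATTR}"><AttributeValue>{role_value}</AttributeValue></Attribute>'
            f'<Attribute Name="{SESSION_ATTR}"><AttributeValue>{session_value}</AttributeValue></Attribute>'
            f'</AttributeStatement>')


ACCOUNT = "123456789012"  # constructed placeholder account ID, not a real account
GOOD = _statement(f"arn:aws:iam::{ACCOUNT}:role/AWS_Administrator,arn:aws:iam::{ACCOUNT}:saml-provider/AzureAD", "jane.doe@example.com")
# Mistakes from the post: provider ARN copied from another account, and the literal 'User:Email' as session name.
BAD = _statement(f"arn:aws:iam::{ACCOUNT}:role/AWS_Administrator,arn:aws:iam::999999999999:saml-provider/AzureAD", "User:Email")
```

Running `check_aws_saml_attributes(BAD)` reports both the invalid session name and the account mismatch, while `GOOD` returns an empty list.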

If this isn’t enough to resolve your issue, AWS does have a SAML troubleshooting page, but it’s extremely general and may not be of much help if you are using the Azure AD Application Gallery: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html