Hello,
I hope you're doing well.
Thank you for reaching out to us with your concern.
I understand that you have a few queries related to mapping SAML2 (external IdP) users to Identity Center users. I am answering the queries below:
Q: When someone signs in using SSO, Identity Center will match up the SAML2 response with the user I created, and then any groups etc. will follow. Is that right?
Yes, it is correct. When you add users to IAM Identity Center, ensure that you set the user name to be identical to the user name that you have in your IdP. At a minimum, you must have a unique email address and user name. To know more about manual provisioning, please follow the AWS documentation [1].
Error: "ExternalIdPDirectoryLogin": "Failure"
From this error we can see that the ExternalIdPDirectoryLogin failed. It can be for any reason, like a username mismatch or the attribute mappings, but without the SAML assertion we can't comment on this. To troubleshoot further, we require the SAML assertion to dive deep into this issue.
Hence, I would request that you raise a support case ticket, where we can dive deep into the resources to find out the actual root cause.
Thank you! Have a wonderful day!
References:
[1] Manual provisioning: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-manually.htm
[2] Users, groups, and provisioning: https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html#username-email-unique
[3] SAML: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html
[4] Connect to an external identity provider: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-manually.html
[5] Support plans: https://aws.amazon.com/premiumsupport/plans/
That makes a lot of sense. What I'm trying to do from the SAML2 side is have it send back the e-mail address, and then I did an attribute mapping: "Username" -> "${path:email}". Is that acceptable? I'm doing this because in Cognito the username IS an email address. In Cognito there is also an email address attribute, but I have them both set to the same thing. I want to map users by e-mail address.
If I don't use that mapping, what will it use by default: whatever is in <NameID>?
Thanks! So looking at the error page I was getting back, it was a NameId Format exception. The trouble is I don't exactly know what the NameID format is. So what I did was set up an SSO mapping between "Username" and "${path:email}", and I think that means matching to the user using email (twice). That seems to work, I THINK it's safe, and I'm not worried the email address will change in the external IdP. So hopefully that's ok.
It works, but it's a little intermittent and I'm not sure why. It seems like it should behave exactly the same every time.
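The answer above says the failure cannot be diagnosed without the SAML assertion, and the follow-up comments turn on what the NameID Format is and what the "Username" -> "${path:email}" mapping resolves to. The script below is an added example (not from the thread, AWS, or any AWS tool) showing how an administrator can decode a captured SAMLResponse, read the NameID, its Format and the attribute statement, and compare them with the Identity Center user name before opening a case. The sample assertion is constructed for illustration, and `resolve_mapping` is a hypothetical approximation of the `${path:...}` mapping syntax, not Identity Center's actual evaluator.

```python
"""Inspect a SAML 2.0 response when Identity Center reports
ExternalIdPDirectoryLogin = Failure: decode it, extract NameID / Format /
attributes, and check them against the expected Identity Center user name."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample assertion for illustration only (unsigned, not from a real IdP).
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_asrt1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>admins</saml:AttributeValue>
        <saml:AttributeValue>developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()


def decode_saml_response(b64_response: str) -> str:
    """Turn the base64 SAMLResponse form value back into XML text."""
    return base64.b64decode(b64_response).decode("utf-8")


def extract_subject(xml_text: str) -> dict:
    """Return NameID value, NameID Format and all attributes of the first assertion.
    For responses from untrusted parties, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def resolve_mapping(subject: dict, expression: str):
    """Hypothetical resolver for a mapping such as "${path:email}": look the
    attribute up by Name and return its first value. This only approximates
    how Identity Center evaluates attribute mappings."""
    if expression.startswith("${path:") and expression.endswith("}"):
        name = expression[len("${path:"):-1]
        values = subject["attributes"].get(name, [])
        return values[0] if values else None
    return None


def check_username_match(subject: dict, expected_username: str,
                         mapping_expression: str = None) -> list:
    """Return findings explaining why the assertion would not map to the user;
    an empty list means the identifiers line up."""
    findings = []
    if subject["name_id"] is None:
        findings.append("assertion has no NameID")
    elif subject["name_id_format"] is None:
        findings.append("NameID has no Format attribute (treated as unspecified)")
    if mapping_expression:
        resolved = resolve_mapping(subject, mapping_expression)
        if resolved is None:
            findings.append(f"mapping {mapping_expression} resolves to nothing")
        elif resolved != expected_username:
            findings.append(f"mapping {mapping_expression} resolves to {resolved!r}, "
                            f"Identity Center user is {expected_username!r}")
    elif subject["name_id"] != expected_username:
        findings.append(f"NameID {subject['name_id']!r} differs from Identity Center "
                        f"user name {expected_username!r}")
    return findings


if __name__ == "__main__":
    subj = extract_subject(decode_saml_response(SAMPLE_RESPONSE_B64))
    print("NameID:", subj["name_id"], "Format:", subj["name_id_format"])
    print("findings:", check_username_match(subj, "alice@example.com", "${path:email}"))
```

Run it against a SAMLResponse captured from the browser's developer tools (the AWS document [3] in the answer describes how to view it); a non-empty findings list points at a username mismatch or a mapping that resolves to nothing, which is the first thing the support engineer would look at in the assertion. Comparison is exact, so a case-only difference shows up as a mismatch finding for you to investigate.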