I have some applications served to my company users on EKS (i.e., Jenkins). In the company we use Google Workspaces (GSuite) for email and stuff. So I want to allow users to log in with Google creds to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect those and the flow ends with Google showing "403 Error: app_not_configured_for_user". In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
but how do I debug it? I do not see any logs from either the AWS or the Google side :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar so I guess I shouldn't have problems, but I do.
What I did:
- In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
- I downloaded metadata file
- In AWS Cognito console I created User Pool
- I created IdP provider and uploaded metadata file there
- I created application client
- Using those values I filled the ACS URL and Entity ID fields in Google Admin with:
  - ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  - Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
- I also selected Name ID format to be Persisted
- In attribute mapping I mapped the email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- In AWS Cognito I enabled Hosted UI and also created a mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the email field.
And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and after that directly to the above-mentioned 403 app_not_configured_for_user page.
I tried it 3 times with slightly different configurations of mapping, signed responses, etc. but nothing gets me past that error.
Anyone tried to integrate it?
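Since neither side shows logs, the request Cognito sends can be checked by hand: the browser is redirected to Google with a `SAMLRequest` query parameter, and that value carries the `saml:Issuer` Google compares against the configured Entity ID. The script below is an added example, not from the original post or from AWS/Google; it assumes the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded) and uses a constructed sample request with the Entity ID from the post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE then base64 (URL-encode it in a query)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(value: str) -> str:
    """Reverse of encode_redirect_request: base64-decode, then inflate raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def issuer_from_redirect_url(url: str) -> str:
    """Pull saml:Issuer out of the SAMLRequest carried on the IdP redirect URL."""
    query = parse_qs(urlparse(url).query)  # parse_qs already URL-decodes the value
    root = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest carries no saml:Issuer")
    return issuer.text.strip()

def check_entity_id(issuer: str, configured: str) -> str:
    """Google's comparison is case-sensitive, so flag a case-only difference separately."""
    if issuer == configured:
        return "match"
    if issuer.lower() == configured.lower():
        return "case-mismatch"
    return "mismatch"

# Constructed sample AuthnRequest (not captured from a real Cognito pool).
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_example1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse">'
    "<saml:Issuer>urn:amazon:cognito:sp:us-east-1_myPoolId</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
# Placeholder IdP URL; a real one is whatever Cognito redirects the browser to.
SAMPLE_URL = "https://idp.example/sso?SAMLRequest=" + quote(encode_redirect_request(SAMPLE_XML), safe="")

if __name__ == "__main__":
    issuer = issuer_from_redirect_url(SAMPLE_URL)
    print(issuer, check_entity_id(issuer, "urn:amazon:cognito:sp:us-east-1_myPoolId"))
```

Paste the URL your browser was sent to (from the network tab) in place of SAMPLE_URL and compare the printed Issuer with the Entity ID field in Google Admin.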