
integrate AWS Cognito with Google Workspace using SAML integration

0

I have some applications served to my company users on EKS (e.g., Jenkins). In the company we use Google Workspace (GSuite) for email and stuff. So I want to allow users to log in with Google creds to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect them, and the flow ends with Google showing "403 Error: app_not_configured_for_user". In their documentation I can find:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

but how do I debug it? I do not see any logs from either the AWS or the Google side :/

I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do.

What I did:

  • In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
  • I downloaded metadata file
  • In AWS Cognito console I created User Pool
  • I created IdP provider and uploaded metadata file there
  • I created application client
  • Using those values, I filled the ACS URL and Entity ID fields in Google Admin:
    • ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
    • Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
  • I also selected Name ID format to be Persisted
  • In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  • In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.

And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and, right after it, to the aforementioned 403 app_not_configured_for_user page.

I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error.

Anyone tried to integrate it?

asked 3 years ago, 466 views
2 Answers
0

To debug this issue, I suggest generating a HAR file.[1] It will contain the SAML request and response to allow you to dive deeper into any potential configuration issues. For additional help, I suggest opening a ticket with AWS Support.

AWS
answered 2 years ago
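As an added example (not code from the original thread), here is a small Python script that performs the check the answer above points at: it pulls every SAMLRequest out of a HAR file, decodes the HTTP-Redirect binding encoding (base64 + raw DEFLATE) that Cognito uses, and compares saml:Issuer case-sensitively against the Entity ID from the question. The HAR entry and the AuthnRequest are constructed sample data, and the idpid value in the URL is a placeholder.

```python
import base64
import re
import zlib
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Entity ID configured in Google Admin for the Cognito SP (value from the question).
EXPECTED_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_myPoolId"

def decode_saml_request(param: str) -> str:
    """Decode a Redirect-binding SAMLRequest: base64, then raw DEFLATE (no zlib header)."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        # HTTP-POST binding carries the XML base64-encoded without compression.
        return raw.decode("utf-8")

def extract_issuer(xml: str) -> Optional[str]:
    """Return the text of the (optionally prefixed) <Issuer> element, or None."""
    m = re.search(r"<(?:\w+:)?Issuer[^>]*>([^<]+)</", xml)
    return m.group(1).strip() if m else None

def issuers_from_har(har: dict) -> List[Optional[str]]:
    """Collect saml:Issuer from every SAMLRequest in the HAR (query string or POST body)."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        params = parse_qs(urlsplit(req["url"]).query)
        for p in req.get("postData", {}).get("params", []):
            params.setdefault(p["name"], []).append(p["value"])
        for value in params.get("SAMLRequest", []):
            found.append(extract_issuer(decode_saml_request(value)))
    return found

def check_har(har: dict, expected: str = EXPECTED_ENTITY_ID) -> List[Tuple[Optional[str], bool]]:
    """Pair each issuer found with whether it matches the Entity ID exactly (case-sensitive)."""
    return [(issuer, issuer == expected) for issuer in issuers_from_har(har)]

def _encode_redirect(xml: str) -> str:
    """Encode XML the way the Redirect binding does; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

# Constructed sample: the issuer differs from the Entity ID only by case, which Google rejects.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
              '<saml:Issuer>urn:amazon:cognito:sp:us-east-1_MYPOOLID</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_HAR = {"log": {"entries": [{"request": {"method": "GET",
    "url": "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER&"
           + urlencode({"SAMLRequest": _encode_redirect(SAMPLE_XML)})}}]}}

if __name__ == "__main__":
    for issuer, ok in check_har(SAMPLE_HAR):
        print(f"saml:Issuer={issuer!r} matches Entity ID: {ok}")
```

To run it against a real capture, load the HAR with json.load and pass the resulting dict to check_har; a False result with a value that differs only by case or a trailing space is exactly the mismatch Google's documentation describes.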
0

Hi, I noticed that you're experiencing an issue with integrating Google Workspace with AWS Cognito, and I'm encountering the same problem. Have you by chance found a solution, or could you provide a guide on how you approached the configuration? Any information you could share would be greatly appreciated! Thank you!

answered 4 months ago
