
Having some problems using samlify with AWS

Open bgosse2010 opened this issue 1 year ago • 1 comment

Hard to describe if my problem is with AWS or samlify. If anyone has any experience with getting samlify working with AWS I'd love to hear about it. I'm not 100% sure about my SP metadata being correct. But here's the problem:

When attempting to log in and access one of my SAML SSO service provider applications defined in IAM Identity Center, I get the following error:

"An error occurred while signing in to the application
No access
Confirm with your administrator that you have access to the application and that your primary email address is assigned in IAM Identity Center."

However when I click on the View All Applications button I can see my application listed with others. When I click on my app's icon I get access as the user that I logged in with.  

Any help with resolving this issue will be greatly appreciated. 

Here's my sp metadata:

<EntityDescriptor
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://magicgridwebapi">
    <SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:persistent</NameIDFormat>
        <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXXXXXXXXXXXXXX:3000/acs"/>
    </SPSSODescriptor>
</EntityDescriptor>

Here's my auth request:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_63491542-f8b3-4f10-be45-4130aaa84235"
                    Version="2.0"
                    IssueInstant="2024-03-22T21:46:10.975Z"
                    Destination="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/NzQ3Njg2MDExMjA0X2lucy03MTM4YjdiZDE2YjUxZGZl"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://p1-dev-are11-gostack2-lb-100401387.us-east-1.elb.amazonaws.com:3000/acs"
                    >
    <saml:Issuer>https://magicgridwebapi</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

Also, my use of samlify in my app seems to work fine with another third-party IdP.

bgosse2010 • Mar 22 '24 22:03

I got this fixed with an update to my meta_sp.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://magicgridwebapi" validUntil="2025-12-09T09:13:31.006Z">
   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:3000/acs" index="0" isDefault="true"/>
   </md:SPSSODescriptor>
</md:EntityDescriptor>

bgosse2010 • Mar 24 '24 23:03
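The difference between the two metadata documents in this thread is easiest to see with a namespace-aware parser: the first one declares the `md` prefix but never uses it, so `EntityDescriptor` and everything under it end up in no namespace at all, and the AuthnRequest names an ACS URL and a NameID format that the metadata does not advertise. The script below is an added example, not samlify's code and not the issue author's; it cross-checks an SP metadata document against the AuthnRequest the SP sends and reports every disagreement. It uses Python's standard-library ElementTree instead of samlify so that the namespace each element resolves to is visible. All sample documents are constructed, and the hosts `sp.example.com` and `lb.example.com` are hypothetical.

```python
"""Cross-check SP metadata against the AuthnRequest the SP emits.
Added example: not samlify's code, not the issue author's. The sample
documents are constructed; sp.example.com and lb.example.com are hypothetical."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# NameID formats defined in SAML 2.0 Core section 8.3. Only the four legacy
# formats carry the 1.1 prefix; persistent and transient are 2.0 URIs.
KNOWN_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def check_sp_metadata(metadata_xml, authn_request_xml):
    """Return a list of problem strings; an empty list means the two agree."""
    problems = []
    root = ET.fromstring(metadata_xml)
    req = ET.fromstring(authn_request_xml)

    # 1. Elements must really be in the SAML metadata namespace. A root written
    #    as <EntityDescriptor xmlns:md="..."> declares md but never uses it, so a
    #    namespace-aware consumer sees an element in no namespace at all.
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append(f"root element is {root.tag!r}, expected {{{MD}}}EntityDescriptor")
        return problems  # nothing below can be located without the namespace
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no md:SPSSODescriptor"]

    # 2. The request's Issuer must be the metadata entityID.
    issuer_el = req.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else None
    if issuer != root.get("entityID"):
        problems.append(f"Issuer {issuer!r} != entityID {root.get('entityID')!r}")

    # 3. The ACS named in the request must be advertised with the same binding;
    #    otherwise the IdP refuses the request or posts the assertion to an
    #    endpoint the SP never registered. A plain-http ACS sends the assertion
    #    in clear, so flag that as well.
    advertised = {(a.get("Binding"), a.get("Location"))
                  for a in sp.findall(f"{{{MD}}}AssertionConsumerService")}
    requested = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    if requested[1] is not None and requested not in advertised:
        problems.append(f"request ACS {requested} not in metadata {sorted(advertised)}")
    for _, location in advertised:
        if not location.startswith("https://"):
            problems.append(f"ACS {location!r} is not https")

    # 4. Every NameID format must be a real SAML URI, and the request's
    #    NameIDPolicy must be one the SP said it accepts.
    formats = {(n.text or "").strip() for n in sp.findall(f"{{{MD}}}NameIDFormat")}
    policy = req.find(f"{{{SAMLP}}}NameIDPolicy")
    policy_format = policy.get("Format") if policy is not None else None
    for fmt in sorted(formats | ({policy_format} - {None})):
        if fmt not in KNOWN_NAMEID_FORMATS:
            problems.append(f"unknown NameID format {fmt!r}")
    if policy_format is not None and formats and policy_format not in formats:
        problems.append(f"NameIDPolicy {policy_format!r} not among metadata NameIDFormats")

    # 5. An SP that does not demand signed assertions will accept a forged one.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true")
    return problems


# Constructed sample in the "before" shape: md prefix declared but unused.
UNPREFIXED_METADATA = """<EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:3000/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample in the "after" shape: namespaced, signatures required.
FIXED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:3000/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_request(acs_url, nameid_format):
    """Constructed AuthnRequest carrying just the fields the check inspects."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-03-22T21:46:10Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{acs_url}">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


GOOD_REQUEST = make_request("https://sp.example.com:3000/acs",
                            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
# Drifted: ACS on a different host, and a format URI that does not exist.
DRIFTED_REQUEST = make_request("https://lb.example.com:3000/acs",
                               "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent")

if __name__ == "__main__":
    for name, md, rq in [("unprefixed", UNPREFIXED_METADATA, GOOD_REQUEST),
                         ("fixed/good", FIXED_METADATA, GOOD_REQUEST),
                         ("fixed/drifted", FIXED_METADATA, DRIFTED_REQUEST)]:
        print(name, check_sp_metadata(md, rq) or "OK")
```

Run it before uploading metadata to the IdP and again whenever the ACS host changes (for example when the app moves from localhost to a load balancer): the unprefixed document fails at the namespace check before anything else is inspected, the fixed pair passes, and the drifted request shows the ACS mismatch and the non-existent `1.1:persistent` format as separate findings.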