Forum Discussion
Enterprise Application AWS IAM Identity Center
Hi
Can someone please help...
I have configured the AWS IAM Identity Center enterprise application. This works fine for internal users, but I cannot get external users working correctly, as the username keeps using the UPN rather than the email.
In the enterprise application I have set a claim condition.
But when I look in AWS under Users, I still see the guest users have their username set to their UPN in Entra, not their email address.
Any ideas as to what I can do to sort this out?
IanaMac Hello, to test SAML assertions, you can use debugging tools to understand what Azure AD is sending during the Single Sign-On (SSO) process. Go to the Single Sign-On section of the AWS IAM Identity Center application in Azure AD and click "Test" to generate a SAML request. At this point, check the attributes in the response, paying attention to the NameID and making sure that the "user.mail" attribute is sent correctly for guest users. This will help you figure out whether the problem is coming from Azure AD or AWS IAM Identity Center.
- micheleariis (Steel Contributor)
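The check the reply describes, inspecting the NameID and the mail attribute in what Entra sends, can also be done offline on a captured SAMLResponse. The following is an added example, not code from the thread or from Microsoft or AWS: it decodes the base64 SAMLResponse form field from an HTTP-POST binding, lists the NameID and every attribute, and flags the case from the question, where a guest's NameID still carries the "#EXT#" UPN while the mail claim holds the external address. The embedded response is constructed (unsigned, placeholder tenant ID and addresses); the claim URIs are Entra's default mapping for user.mail and user.userprincipalname. Signature validation is deliberately out of scope here, so use it only to read what was sent, not to trust it.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol messages and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Default Entra ID claim URIs for user.mail and user.userprincipalname.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample (not a real capture): an unsigned response for a guest
# user whose NameID is still the "#EXT#" UPN while the mail claim carries the
# external address. Tenant ID and addresses are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe_example.org#EXT#@contoso.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jane.doe_example.org#EXT#@contoso.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response_b64() -> str:
    """Encode the constructed sample the way a browser would POST it."""
    return base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse form field (HTTP-POST binding)."""
    return base64.b64decode(b64).decode("utf-8")


def summarize_assertion(xml_text: str) -> dict:
    """Return the NameID, its Format, and every attribute with its values."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def is_guest_upn(value) -> bool:
    """Entra guest UPNs look like user_domain.tld#EXT#@tenant.onmicrosoft.com."""
    return value is not None and "#EXT#" in value


def name_id_matches_mail(summary: dict) -> bool:
    """True when the NameID equals the first value of the mail claim."""
    mail = summary["attributes"].get(EMAIL_CLAIM, [])
    return bool(mail) and summary["name_id"] == mail[0]


def main() -> None:
    summary = summarize_assertion(decode_saml_response(sample_response_b64()))
    print(f"NameID: {summary['name_id']} ({summary['name_id_format']})")
    for name, values in summary["attributes"].items():
        print(f"  {name} = {values}")
    if is_guest_upn(summary["name_id"]) and not name_id_matches_mail(summary):
        print("Mismatch: NameID is the guest UPN, not the value of the mail claim")


if __name__ == "__main__":
    main()
```

To run it against a real sign-in, replace the call to sample_response_b64() with the SAMLResponse value copied from the browser's network tools on the POST to the Identity Center ACS URL. If the NameID already equals the mail claim there, the issue is on the AWS side; if it is still the "#EXT#" UPN, the claim condition in Entra is not taking effect for that user type.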
- IanaMac (Brass Contributor)
Many thanks for the response, however how do I run the test as a guest user who won't have access to Azure -> Enterprise apps?
- micheleariis (Steel Contributor)
IanaMac Hi, a user with full access and the appropriate permissions can simulate the SAML response as if it were a guest user, using the test or impersonation feature. In this way, you can analyze the response sent for guest users without needing direct access.