IanaMac
Brass Contributor
Oct 21, 2024

Enterprise Application AWS IAM Identity Centre

Hi,

Can someone please help...

I have configured the AWS IAM Identity Centre Enterprise Application. This works fine for internal users, but I cannot get external users working correctly, as the username keeps using the UPN rather than the e-mail address.

In the Enterprise Application I have set a claim condition.

But when I look in AWS under Users, I still see that the guest users have their username set to the UPN in Entra, not their e-mail address.

Any ideas as to what I can do to sort this out?

  • micheleariis
    micheleariis
    Steel Contributor

    IanaMac Hello, to test SAML attestations, you can use debugging tools to understand what Azure AD is sending during the Single Sign-On (SSO) process. Go to the Single Sign-On section of the AWS IAM Identity Center application in Azure AD and click “Test” to generate a SAML request. At this point, check the attributes in the response, paying attention to the NameID and making sure that the “user.mail” attribute is sent correctly for guest users. This will help you figure out if the problem is coming from Azure AD or AWS IAM Identity Center.
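A way to check the captured SAML response the way the reply above suggests, added here as an example and not code from either poster: it parses a Response (raw XML or the base64 SAMLResponse form value), pulls out the NameID and the attribute statement, and flags a NameID that is an Entra guest UPN (the `#EXT#` form) or that differs from the mail claim. The sample response and the `emailaddress` claim URI used for user.mail are assumed for the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed: the default Entra claim that carries user.mail.
MAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: a guest user whose NameID is the Entra UPN, not the mail.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane_example.com#EXT#@contoso.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_response(raw):
    """Accept raw XML or a base64-encoded SAMLResponse; return NameID and attributes."""
    text = raw.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "attributes": attrs}


def check_guest_name_id(parsed, mail_claim=MAIL_CLAIM):
    """Return findings explaining why AWS would see a UPN instead of the e-mail."""
    findings = []
    nid = parsed["name_id"] or ""
    mails = parsed["attributes"].get(mail_claim, [])
    if "#EXT#" in nid:
        findings.append("NameID is an Entra guest UPN (#EXT#), not the user's e-mail")
    if mails and nid.lower() != mails[0].lower():
        findings.append(f"NameID {nid!r} differs from mail claim {mails[0]!r}")
    return findings  # empty list means NameID already matches the mail claim
```

An empty findings list for a guest means the claim condition is producing the mail address; otherwise the problem is on the Entra side rather than in AWS.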

    • IanaMac
      Brass Contributor

      micheleariis

      Many thanks for the response; however, how do I run the test as a guest user who won't have access to Azure -> Enterprise apps?

      • micheleariis
        Steel Contributor

        IanaMac Hi, a user with full access and appropriate permissions can simulate the SAML response as if it were a guest user, using the test or impersonation feature. In this way, you can analyze the response sent for guest users without the need for direct access.