Unable to configure SSO with AWS for multitenant signin

Question

Unable to configure SSO with AWS for multitenant signin

Ishika Shah 20

Hi,

I am trying to setup a registered app to accept multi tenant signin with single sign on.
I am trying to use cognito with it, which needs the identity URI to be of the format "urn:amazon:cognito:sp:<your-cognito-user-pool-id>", but I am not able to add this value in the SAML configuration nor as part of the identity URIs in the manifest section.

Any tips of what I can do here?

Accepted answer

0 additional answers

Your answer

Answer 1

Kancharla Saiteja 5,810 Microsoft External Staff Moderator

Hi @Ishika Shah,

Based on your query, here is my understanding: You would like to configure multi-tenant sign in for your AWS application.

Entra supports multi-tenant sign in using OAuth or OpenID connect for the applications registered from app registrations. While configuring this application, you will have an option to choose the supported account types for the application.

User's image

If you would like to configure IdentifierURI for this application, here are the supported formats: identifierUris attribute.

If you would like to have a SAML application for single sign on, you need to add identifier (Entity ID) in the specified format itself. You need to ensure the identifier and replyURL has been received from Amazon itself. You can add multiple instances that regards to the same entity. I have tried the format your provided (urn:amazon:cognito:sp:<your-cognito-user-pool-id>) where I am able to add without any issue. Please make sure you add the URLs provided from Amazon correctly. These URLs has to be identified in Amazon and configured accordingly.

I believe you may need to follow this document: How to set up SAML federation in Amazon Cognito using IdP-initiated single sign-on, request signing, and encrypted assertions.

Additional documentation: Using SAML identity providers with a user pool

Note: The above documents are from Amazon and Microsoft does not hold any responsibility. We have shared this information to make things easy for the configuration.

Ishika Shah 20 Reputation points

2025-05-09T16:05:52.2333333+00:00

Hi,
Here I tried to enter it as the application ID URI and that did not work, it gave an error stating "Failed to update property as the URI schema is invalid".

And I am unable to edit the SAML configuration, I tried clicking "Add Identifier" and it just doesn't let me edit it.

Here's where it says the account type.

Kancharla Saiteja 5,810 Microsoft External Staff Moderator

Hi @Ishika Shah,

When you configure an application from application registrations, you can only edit identifier URI in the following formats only:

Supported application ID URI formats	Example app ID URIs
api://<appId>	api://00001111-aaaa-2222-bbbb-3333cccc4444
api://<appId>	api://00001111-aaaa-2222-bbbb-3333cccc4444
api://<tenantId>/<appId>	api://aaaabbbb-0000-cccc-1111-dddd2222eeee/00001111-aaaa-2222-bbbb-3333cccc4444
api://<tenantId>/<string>	api://aaaabbbb-0000-cccc-1111-dddd2222eeee/api
api://<string>/<appId>	api://productapi/00001111-aaaa-2222-bbbb-3333cccc4444
https://<tenantInitialDomain>.onmicrosoft.com/<string>	`https://contoso.onmicrosoft.com/productsapi`
https://<verifiedCustomDomain>/<string>	`https://contoso.com/productsapi`
https://<string>.<verifiedCustomDomain>	`https://product.contoso.com`
https://<string>.<verifiedCustomDomain>/<string>	`https://product.contoso.com/productsapi`

The above mentioned are the only supported formats, apart from it you cannot modify it in any means apart from it.

When it comes to adding the same application as SAML SSO, please try to make the available identifier as default and try adding new identifier. If you are still facing the same issue of not able to add the URL, kindly wait for a while. This issue happens if there is a glitch from Entra. If this does not help you, reconfigure the application (if it is a new configuration) and try to add the identifier in SAML SSO.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Kancharla Saiteja 5,810 Reputation points Microsoft External Staff Moderator

2025-05-12T09:44:04.28+00:00

Hi @Ishika Shah, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Ishika Shah 20 Reputation points

2025-05-12T19:11:57.62+00:00

Hi,

It still does not answer my question how do I fix the error, since I cannot add the identifier 'urn:amazon:cognito:sp:us-west-2_5GzEuPhsB' to the app?

Sorry, but we’re having trouble signing you in. AADSTS700016: Application with identifier 'urn:amazon:cognito:sp:us-west-2_5GzEuPhsB' was not found in the directory 'SelfActualize.ai'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Kancharla Saiteja 5,810 Reputation points Microsoft External Staff Moderator

2025-05-13T12:11:22.8733333+00:00

Hi @ishika shah

Could you please check your private messages and respond accordingly.
Ishika Shah 20 Reputation points

2025-05-14T17:41:15.67+00:00

I have responded to the private message.
Kancharla Saiteja 5,810 Reputation points Microsoft External Staff Moderator

2025-05-15T14:29:33.55+00:00

Hi @ishika shah

Could you please check your private messages and respond accordingly.
Ishika Shah 20 Reputation points

2025-05-15T16:29:40.5266667+00:00

replied
Martin Naude 0 Reputation points

2025-05-22T08:25:34.08+00:00

Hi @Kancharla Saiteja - Would it be possible to please share the solution on this forum for others to see? I have the exact same issue, and would like to know what the solution was you and @Ishika Shah were able to come up with.
Martin Naude 0 Reputation points

2025-06-11T15:30:58.69+00:00
@Kancharla Saiteja Please let me know what I need to do to get this working my side... It looks like you were able to help @Ishika Shah out, and I really need to know how to do this.

Share via

Unable to configure SSO with AWS for multitenant signin

0 additional answers

Your answer