Trouble Configuring AD App

Shane 1 Reputation point
2021-12-07T01:36:00.807+00:00

Hi,

We are trying to set up AD as a SAML Provider to our Cognito Pool which is a common use case. It seems we have been able to get the correct XML file as AD is accurately identifying the app name but we keep running into issues with our Reply URL.

I have read similar questions and I think our Reply URL configured on the Admin AD side matches Cognito.

Here are the troubleshooting details:
Request Id: 6ee9aca4-bdd4-42ce-9c2d-cb16037c0b00
Correlation Id: 97764005-8d6b-48b0-ac41-e0a08939fcaf
Timestamp: 2021-12-07T01:31:04Z
Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'urn:amazon:cognito:sp:us-west-2_XXXXXXXX'. (Do not want to expose the User Pool ID but it is accurate).

I think you should be able to tell that our Redirect URL matches the one in our request.

Thanks ahead for any guidance!


2 answers

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-12-07T06:45:20.287+00:00

    Thanks for reaching out.

    I noticed that the reply URL mentioned in the application does not match the URL specified in the request (it should be /saml2/idpresponse). Please see the screenshot below for your reference.

    To fix the issue, update your application with the URL that is specified in the request. I hope this was helpful.

    155529-capture.png

    Alternative text for above image:

    Reply url specified in the request is https://*****-bp.****.us-****-2.amazoncognito.com/saml2/idpresponse
    Reply url specified in the Application is https://*****-bp.****.us-****-2.amazoncognito.com/saml2/idresponse

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

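The mismatch the answer above points at (a configured reply URL of `/saml2/idresponse` against a requested `/saml2/idpresponse`) is the kind of one-character difference that is easy to miss by eye. The following script is an added example, not code from the thread, from Microsoft or from AWS: it extracts the `AssertionConsumerServiceURL` from a SAML AuthnRequest and compares it, with exact-path semantics, against the reply URLs registered for the application, reporting the closest configured value when nothing matches. The host name, request ID and user pool ID in the embedded request are constructed placeholders.

```python
"""Compare a SAML AuthnRequest's reply URL with an application's configured reply URLs.

Added example, not from the thread. It models the comparison an IdP performs
before rejecting a request with an AADSTS50011-style reply URL mismatch.
All host names and identifiers below are constructed placeholders.
"""
import difflib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest in the shape an SP such as Cognito sends to the IdP.
# The AssertionConsumerServiceURL attribute is the "reply URL specified in the request".
SAMPLE_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0"
    IssueInstant="2021-12-07T01:31:04Z"
    Destination="https://login.microsoftonline.com/EXAMPLE-TENANT/saml2"
    AssertionConsumerServiceURL="https://example-bp.auth.us-west-2.amazoncognito.com/saml2/idpresponse"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>urn:amazon:cognito:sp:us-west-2_EXAMPLE</saml:Issuer>
</samlp:AuthnRequest>
"""


def extract_reply_url(authn_request_xml: str) -> str:
    """Return the AssertionConsumerServiceURL carried by a samlp:AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    url = root.get("AssertionConsumerServiceURL")
    if not url:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return url


def normalize_reply_url(url: str) -> str:
    """Canonicalise scheme and host (case-insensitive) but leave the path untouched,
    because paths such as /saml2/idpresponse are case-sensitive on the SP side."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"reply URL must use https: {url}")
    host = parts.hostname or ""
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    # Fragment is dropped: it is never sent to the server and never part of a registration.
    return urlunsplit(("https", host + port, parts.path, parts.query, ""))


def check_reply_url(requested: str, configured: list[str]) -> tuple[bool, str]:
    """Exact match of the requested reply URL against the configured set.

    On a mismatch, name the closest configured value so an operator can spot a
    typo (idresponse vs idpresponse) instead of re-reading two long URLs.
    """
    target = normalize_reply_url(requested)
    allowed = {normalize_reply_url(u) for u in configured}
    if target in allowed:
        return True, f"reply URL {target} matches a configured reply URL"
    near = difflib.get_close_matches(target, sorted(allowed), n=1, cutoff=0.8)
    hint = f"; closest configured value: {near[0]}" if near else ""
    return False, f"reply URL {target} is not configured for this application{hint}"


if __name__ == "__main__":
    requested = extract_reply_url(SAMPLE_AUTHN_REQUEST)
    # Constructed misconfiguration mirroring the thread: one missing character in the path.
    misconfigured = ["https://example-bp.auth.us-west-2.amazoncognito.com/saml2/idresponse"]
    corrected = ["https://example-bp.auth.us-west-2.amazoncognito.com/saml2/idpresponse"]
    for label, urls in (("before fix", misconfigured), ("after fix", corrected)):
        ok, reason = check_reply_url(requested, urls)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {reason}")
```

Run it as-is to see the before/after verdicts; to check a real configuration, replace the constructed request with a decoded AuthnRequest captured from the SP and the list with the reply URLs registered on the application. The comparison deliberately does not tolerate path differences, because the IdP does not either.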

  2. Shane 1 Reputation point
    2021-12-07T07:25:30.13+00:00

    Thanks for getting back to me. That is an interesting finding... can you see if you get a similar Reply URL specified in this error?

    Request Id: 804e0ff6-9345-4a6f-85cc-282dcfee1c00
    Correlation Id: 9f7d6d2a-7c1b-4bb4-b213-827904b07d9c
    Timestamp: 2021-12-07T07:19:16Z
    Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'urn:amazon:cognito:sp:us-west-2_XXXXXXX'.

    I can say for sure that the reply url listed in that error does not include "idpresponse." I find it strange that happened as Cognito errors out when we put a callback url that it is not expecting and I am fairly certain I did not "https://*****-bp.****.us-****-2.amazoncognito.com/saml2/idpresponse" in there as well.

    If that error comes back with the "idpresponse" problem again there must be something strange going on.

    Thanks again
