User cant login issue to AWS cognito through OpenId using azure AD SSO

Question

User cant login issue to AWS cognito through OpenId using azure AD SSO

Irfan Babar 1

Hi,

I using aws serverless architecture with cognito. I need to implement azure active directory SSO. I have managed to setup all configuration to connect my azure AD account with aws cognito using OpenId. I try following steps to login into my application with Azure AD SSO.

Try to login guest user with Azure AD, it show me login page with only email address field.
I enter my email address and click next button.
Instead of showing me password field, I get an error "This login.live.com page can’t be found".

Interesting Point

If I first login with azure AD portal with my guest user, and then try to login into my app then using SSO azure AD, I will get access token and successfully login into my application.

So it means, my configuration is correct, but there is some kind of permission issue or something else.
can anyone help me on this, how to resolve this problem, user should login with AD without first login with azure account.

Note:

I have created my azure AD app from app registration, not enterprise registration
I also tried saml2 with enterprise application still got same issue.

1 answer

Your answer

Answer 1

Siva-kumar-selvaraj 15,721

Hello @Irfan Babar ,

Thanks for reaching out.

This is most likely due to the URL's size/length when returning to the live login page (Example: https://login.live.com/oauth20_authorize.srf?client_id=****&scope=openid+profile+email+offline_access&redirect_uri=****&state=***** ), therefore could you please verify what HTTP error was received (404?) Additionally, verify that URLs do not exceed 2000 characters in length, as this is a known limitation of the login server.

If that is the case, determine which parameter has lengthy characters and see if there is a way to minimize them.

For example, in my test case, the "state=" parameter had lengthy characters, causing the whole URL to surpass the login server's 2K threshold.

Additionally, I would recommend that you log in using a work or school account rather than a Guest account (live.com) to check if the issue persists.

Looking forward to hearing from you. I hope this helps us narrow down the source of the problem.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Irfan Babar 1 Reputation point

2021-12-13T08:54:57.343+00:00

Hi, thankyou for your response.

I just checked my URL length and it is exceeding 2048 character, and the culprit is state parameter. Problem is I don't have the control for this request. In my aws cognito configuration I only added few things, client id<azure client id>, secret <azure secret>, issuer URL "https://login.microsoftonline.com/<tenant-id>/v2.0" for OpenID. And In azure AD, added secret key, redirect Uri contain cognito domain name like this "https://<domain>.auth.<region>.amazoncognito.com/oauth2/idpresponse" .

So I don't know from where state parameter is adding. But if url length is the problem then why it is working in other scenario, when I loggedin to azure portal in next tab and then try to login in my site using SSO?

Also it is my client requirement to use both custom-domain users as well as guest users like @Stuff .com, @Microsoft Corporation .com, @harsh.com .com
Irfan Babar 1 Reputation point

2021-12-13T11:58:19.63+00:00

Waiting for help. I have been stuck for 4 days now.
Siva-kumar-selvaraj 15,721 Reputation points

2021-12-14T16:17:54.05+00:00

The 'state' parameter is used to prevent against XSRF. Typically, the application generates a random string and sends it to the authorization server using the "state" parameter, and the authorization server returns the "state" parameter, so you would need to contact the application provider (AWS cognito) to see if there is a way to shorten the state parameter.

To answer your question about why it works in other scenarios, it is because this is an IDP initiated signing flow in which users first access IDP (Azure) and then access application during this flow state parameters are not involved, as opposed to an SP initiated flow in which application has more control over what all parameters need to be added in auth request.

https://blog.miniorange.com/idp-initiated-sp-initiated-login/
https://stackoverflow.com/questions/12779532/differences-between-sp-initiated-sso-and-idp-initiated-sso
Irfan Babar 1 Reputation point

2021-12-15T16:07:33.837+00:00

Yes you are right, aws cognito sending state parameter. But I have checked that it is only 32 character, and sending it cognito url like "https://cognito-domain/oauth2/authorize". And clientId which cognito is passing isn't match the clientId, we get in not found page.

And I didn't configure any login.live url in any of my configuration. I have use this url for openId. "https://login.microsoftonline.com/<tenent-id>/v2.0"

One more thing, I have implement Okta SSO, and didn't get any issue like this. if cognito send such large state, it should impact on okta SSO as well.

So I think, this issue is somehow related to azure AD. Can you verify once ?
Irfan Babar 1 Reputation point

2021-12-22T12:28:59.92+00:00
Now I m 100% sure it is azure issue, because I have added alternate email address for security. It ask me to check your mail for code. I go to my alternate email address, no code would be received (cant login to my account right now, because of it). I go back to azure portal and I have three options,

select my alternate email address

I have a code

I don't have any of these.

when I select third point. It show me next step, contain this information with next button.

We'll take you through a few simple steps to replace your security info. We won't use this to spam you—just to keep your account more secure.

when I click next button, got same login.live not found issue.
Siva-kumar-selvaraj 15,721 Reputation points

2021-12-22T13:44:21.763+00:00

Could you please confirm behavior when you use Azure AD work or school account instead personal account for testing SSO ? also could you please send an email with the subject line “Attn: siva kumar” to AzCommunity[at]Microsoft[dot]com referencing this thread so that we can take it offline. Thanks.

Share via

User cant login issue to AWS cognito through OpenId using azure AD SSO

1 answer

Your answer