Azure SSO with AWS Single-Account Access architecture

Adam Weight 31 Reputation points
2022-02-22T22:48:03.303+00:00

I have been trying to get AWS set up with SSO using Azure, and am unable to get it to function as intended. We have a few different AWS accounts, and our preferred method of integrating SSO is to use the AWS Single-Account Access architecture for multiple accounts instead of using AWS SSO. I was able to set up the first account just fine without any issues. However, the second account is having a problem when signing into AWS due to the Identifier URL. According to the MS documentation I am following (https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial and https://social.technet.microsoft.com/wiki/contents/articles/51137.active-directory-azure-integration-with-aws-amazon-web-services.aspx), when setting up the second account in Azure you simply add a # and a number after it to the identifier URL in order to allow multiple AWS apps. Azure then drops those digits when communicating with AWS for SSL.

However, this is not happening. Azure is still passing the # and number when I try connecting to the SSO application. So instead of "https://signin.aws.amazon.com/saml" as the documentation indicates it should be passing, AWS is getting "https://signin.aws.amazon.com/saml#2" which of course ends up in a bad request error.


Accepted answer
    Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee
    2022-03-01T02:21:52.15+00:00

    Hi @Adam Weight ,

    I understand that you are seeing the 400 error when adding "https://signin.aws.amazon.com/saml#2".

    Based on your screenshot, it looks like you are adding #2 in the Reply URL and you should not add the # there. You should add the # in the Entity ID/Identifier field.

    Please try removing the #2 from the Reply URL section and let me know if that resolves the issue.

    Thanks,

    Marilee

    -

    If this answer helps resolve your question, please consider "marking as answer" so that others in the community with similar questions can more easily find a solution.
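As an added illustration (not code from the question, the answer, or Microsoft), a small Python check that applies the answer's rule to a constructed set of Azure enterprise-app SAML settings: the Identifier carries the #n suffix, and the Reply URL stays the bare AWS endpoint. The app names and values are constructed samples; treating the Identifier as something that must be unique across the apps is an assumption drawn from the question's "allow multiple AWS apps".

```python
from urllib.parse import urlsplit

# The AWS SAML sign-in endpoint quoted in the question and answer.
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"

# Constructed sample: three Azure enterprise apps, one per AWS account,
# following the AWS Single-Account Access pattern from the linked tutorials.
SAMPLE_APPS = [
    {"name": "aws-account-1", "identifier": "https://signin.aws.amazon.com/saml",
     "reply_url": "https://signin.aws.amazon.com/saml"},
    # Configured as in the question: the #2 landed in the Reply URL.
    {"name": "aws-account-2", "identifier": "https://signin.aws.amazon.com/saml",
     "reply_url": "https://signin.aws.amazon.com/saml#2"},
    # Configured as the answer recommends: #3 on the Identifier only.
    {"name": "aws-account-3", "identifier": "https://signin.aws.amazon.com/saml#3",
     "reply_url": "https://signin.aws.amazon.com/saml"},
]


def strip_fragment(url):
    """Return the URL without its #fragment (the part AWS should never see)."""
    return urlsplit(url)._replace(fragment="").geturl()


def check_apps(apps):
    """Return (app name, problem) pairs; an empty list means the set is consistent."""
    problems = []
    seen = {}  # identifier -> first app that used it
    for app in apps:
        ident, reply = app["identifier"], app["reply_url"]
        # Reply URL (Assertion Consumer Service) must be the bare AWS endpoint.
        if reply != AWS_SAML_ENDPOINT:
            problems.append((app["name"],
                             f"Reply URL must be exactly {AWS_SAML_ENDPOINT}, got {reply}"))
        # Identifier (Entity ID) is the AWS endpoint plus an optional #n suffix.
        if strip_fragment(ident) != AWS_SAML_ENDPOINT:
            problems.append((app["name"], f"Identifier {ident} is not the AWS endpoint"))
        # Assumption: identifiers must be distinct across the tenant's AWS apps.
        if ident in seen:
            problems.append((app["name"],
                             f"Identifier {ident} already used by {seen[ident]}"))
        seen.setdefault(ident, app["name"])
    return problems


if __name__ == "__main__":
    for name, problem in check_apps(SAMPLE_APPS):
        print(f"{name}: {problem}")
```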

