Redirect Issue when trying to integrate AWS with Entra using OpenID Connect

Shoeb Ahmad 0

I have configured the settings in both Entra and AWS. The issue I am currently facing is that the application takes to me a generic AWS homepage instead of the landing page in AWS Management Console (https://console.aws.amazon.com/console/home).

Below are some details:

Timestamp of the Issue: While no formal error message was shown at a specified date and time after logging in using the application, I tried to run it at 10:15am EST today, December 19, 2024.

Steps to Reproduce the Issue: Logged into the application at myapplications.microsoft.com. Selected the application configured to integrate with AWS using OpenID Connect (OIDC). I am first taken to an Entra login page at the link https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri=https%3A%2F%2Fsignin.aws.amazon.com%2Foidc&scope=openid%20profile%20email&state=random-string&nonce=random-nonce&prompt=login. Instead of being directed to the AWS Management Console, I was redirected to the generic AWS homepage at this URL https://aws.amazon.com/?code={authorization-code}&state=random-string&session_state={session-state-number}.

Environment: Identity Provider: Microsoft Entra ID (Azure AD)

Federation Type: OpenID Connect (OIDC)

AWS Service Used: AssumeRoleWithWebIdentity Method: Web Browser Login (I accessed the application via a browser and clicked on the AWS-related app in the Azure portal at myapplications.microsoft.com. The redirection issue occurred during this login flow)

Shoeb Ahmad 0 Reputation points

2024-12-25T05:47:05.45+00:00
Hi Akhilesh,

I have verified and updated redirect_uri parameter at least four times. Can you suggest what it should look like? When you say it should match the endpoint configured in AWS for handling the login flow, what are you referring to exactly? It doesn't look like the token exchange is occurring, otherwise, I should not see the url I am taken to after Entra login. The url https://aws.amazon.com/?code={authorization-code}&state=random-string&session_state={session-state-number} opens to a generic AWS homepage, here is what the login flow should be:

I log into Azure AD via the application in myapplications.microsoft.com

Azure AD redirects me to https://signin.aws.amazon.com/oidc with an authorization code.

AWS exchanges the authorization code for an ID token, validates it, and uses the token’s claims to map the user to an IAM role.

I am directed to the AWS Management Console with the permissions granted by the IAM role.
Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2024-12-27T16:15:10.9666667+00:00

Hi @Shoeb Ahmad
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2024-12-30T08:26:56.0433333+00:00

Hi @Shoeb Ahmad We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2024-12-23T08:16:30.1866667+00:00

Hi @Shoeb Ahmad
Thank you for reaching us!
Based on the information you provided, it might be the issue with the redirection URL.
Please verify that the redirect_uri parameter in your OpenID Connect (OIDC) request is correctly set to the expected endpoint. It should match the endpoint configured in AWS for handling the login flow. try to update redirection URL, try logging in to the application again and see if the issue is resolved.
Please sign in to rate this answer.
Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2024-12-26T12:40:02.98+00:00

Hi @Shoeb Ahmad
can you please check the Redirect URI in App registrations which has shown in the below and see it has the required endpoint.

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2024-12-30T14:02:16.2833333+00:00

Hi @Shoeb Ahmad
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Shoeb Ahmad 0 Reputation points

2024-12-30T21:36:12.64+00:00

Hi Akhilesh, thanks for the reply. I have checked Redirect URI in App registrations and I just changed my license to one that is supportive of AWS-Entra-OIDC set ups ( a Free Trial version) but get the same result.

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-02T10:18:07.4533333+00:00

Hi @Shoeb Ahmad
May I Know what you are trying to achieve and what steps and documents you have follow for this, could you please explain for better understanding.

Shoeb Ahmad 0 Reputation points

2025-01-03T00:32:16.48+00:00

Hi Akhilesh,

I just finished following up with AWS Support and this is an excerpt from the last email:

'Thank you for your patience as AWS Support has continued to troubleshoot your query. After testing on our end, the service team and I were successfully able to replicate the error. Based on our testing, the issue occurs during the redirection from the Azure App to the AWS console. As such, it appears that the issue is likely on the IdP's side, which in your case is Azure/Entra. Thus, I would recommend if you haven't done so already to reach out to Entra support to further diagnose the issue from their end. I understand this may be frustrating as you have waited a while for a response from AWS Support. However, I believe getting further assistance from Entra support will allow the issue to be diagnosed further.'

To answer your question, I have explained the issue in detail in the message posted on Dec. 19 entitled 'Redirect Issue when trying to integrate AWS with Entra using OpenID Connect'. While I am quite sure I have configured the settings in Entra and AWS, I find that when trying to run an application added in myapplications.microsoft.com it takes me first to the Entra login page. Once I have entered my user information, I am taken to a generic AWS page at the URL https://aws.amazon.com/?code=&state=random-string&session_state={session-state-number}. It seems that the token exchange has not taken place and the authorization code has not been used to obtain a token. Shouldn't I be taken to the AWS Management Console page at https://console.aws.amazon.com/?

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-03T13:24:26.8666667+00:00

Hello @Shoeb Ahmad

Thank you for reply!
To identify the issue, could you please share the fiddler trace of your request/response when the application is run. The fiddler captures web requests which helps diagnosing issues. Once you collect the trace, you can export the trace by choosing File > Save > All Sessions from the menu bar.
please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:akhilesh".
For more info, please go through below documents.
Capture web requests with Fiddler
https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-network-trace#collect-a-network-trace-with-fiddler

Shoeb Ahmad 0 Reputation points

2025-01-03T14:35:44.1066667+00:00

Hi Akhilesh,

The fiddler trial version I had has expired and not looking to buy it yet. I have collected traces using DevTools Export HAR file previously. What do you suggest?

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-06T18:45:15.8466667+00:00

Hi @Shoeb Ahmad
you can also Collect a network trace in the browser

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-08T15:52:39.3066667+00:00

Hi @Shoeb Ahmad
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Shoeb Ahmad 0 Reputation points

2025-01-08T16:05:27.7266667+00:00

Hi Akhilesh,

I have sent an email today at the address azcommunity@microsoft.com with the subject "ATTN:akhilesh" and the trace you requested. Please let me know if you received it.

Akhilesh Vallamkonda 10,955 Reputation points Microsoft Vendor

2025-01-08T16:12:02.8633333+00:00

Hi @Shoeb Ahmad
Thank you for your response. I saw your email will work and get back to you.

Shoeb Ahmad 0 Reputation points

2025-01-10T05:41:31.5366667+00:00

Hi Akhilesh,

Thanks for your reply, I thought the issue might need further troubleshooting. I am in Eastern Standard Time and availability is anytime between 9 am-5 pm. Let me know what works for you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Redirect Issue when trying to integrate AWS with Entra using OpenID Connect

1 answer

Your answer