2023-06-14

Multiple Azure AD Enterprise Apps for Single Cognito User Pool

I am trying to use our Azure AD to provide auth for an internal application which is behind an ALB on AWS.

I am using a Cognito User Pool with the Azure AD configured as an identity provider.

We already have one application configured in this manner, which is accessible to anyone with an identity in Azure AD. The application I am deploying now should only be accessible by a select few users with account admin privileges.

I have created an Enterprise Application in Azure AD Admin Center, but the issue I am having is that the application's Identifier (Entity ID) must be in the following format urn:amazon:cognito:sp:<region>_<userpool_id> and it must be globally unique.

It must be in this format because that value is used as the aud claim in the OIDC process. Since we already have an application which uses this AD and User Pool combination, there is no way to provide the correct Entity ID because of the need for it to be globally unique across enterprise apps.

Is there some workaround for this without changing the auth config (e.g. I don't want to bypass Cognito or have ALBs targeting other ALBs)?
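The coupling the question runs into is that Cognito's SAML service-provider entity ID for a user pool is fixed at urn:amazon:cognito:sp:<user pool ID>, and Azure AD places that identifier in the assertion's AudienceRestriction, so every assertion for a pool is addressed to that one value regardless of which Enterprise Application issued it. The following is an added example, not code from the post or from AWS, that derives the expected entity ID for a pool and checks whether a SAML response actually carries it as an audience. The pool IDs and the SAML response embedded below are constructed for illustration.

```python
"""Check that a SAML response is addressed to a Cognito user pool's SP entity ID.

Added example (not from the original post). The user pool IDs and the SAML
response below are constructed sample data, not real values.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Cognito user pool IDs look like <region>_<alphanumeric>, e.g. us-east-1_AbCdEfGhI
POOL_ID_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+_[A-Za-z0-9]+$")


def cognito_sp_entity_id(user_pool_id: str) -> str:
    """Return the SP entity ID (SAML Audience URI) Cognito expects for a pool.

    The format is urn:amazon:cognito:sp:<user pool ID>; one pool has exactly
    one such value, which is why two Azure AD apps cannot both claim it.
    """
    if not POOL_ID_RE.match(user_pool_id):
        raise ValueError(f"not a Cognito user pool ID: {user_pool_id!r}")
    return f"urn:amazon:cognito:sp:{user_pool_id}"


def assertion_audiences(saml_response_xml: str) -> list[str]:
    """Extract every saml:Audience under AudienceRestriction from a SAML response."""
    root = ET.fromstring(saml_response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.iterfind(path, SAML_NS) if a.text]


def audience_matches_pool(saml_response_xml: str, user_pool_id: str) -> bool:
    """True if the response is addressed to the given pool's SP entity ID."""
    return cognito_sp_entity_id(user_pool_id) in assertion_audiences(saml_response_xml)


# Constructed SAML response (signature and most attributes omitted); the
# Audience is what Azure AD fills in from the Enterprise App's Identifier.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE1</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for pool in ("us-east-1_EXAMPLE1", "us-east-1_EXAMPLE2"):
        print(pool, "->", cognito_sp_entity_id(pool),
              "matches" if audience_matches_pool(SAMPLE_RESPONSE, pool) else "no match")
```

Run against a real response captured from the browser (decode the base64 SAMLResponse form field first), this tells you which pool an assertion is actually scoped to; it does not verify the signature, which Cognito does on its side.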
