aws / res

Research and Engineering Studio (RES) is an AWS supported open source product that enables IT administrators to provide an easy-to-use web portal for scientists and engineers to run technical computing workloads on AWS.
https://github.com/aws/res
Apache License 2.0

user lookup in cognito with external IDP bug #29

Closed jxuamazon closed 9 months ago

jxuamazon commented 9 months ago

If you have an active AWS support contract, please open a case with AWS Premium Support team using the below documentation to report the issue: https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

Please make sure to add the following data in order to facilitate the root cause detection.

Describe the bug:

There are two bugs in the token_service.py in 2024-1

  1. The identity provider prefix is case sensitive, but Cognito is not, so if identity_provider_prefix is upper case, the user lookup will fail.
  2. user_id and user_email are different most of the time, so email = token_username.replace(identity_provider_prefix, "", 1) will return an incorrect email.

Steps to reproduce:

  1. Use upper case for the IDP name, e.g. "AWSIDC"; the user lookup will fail.
  2. Use AD user user@rc.local with a user email such as username@amazon.com; the email returned in the lookup will be user@rc.local instead of username@amazon.com.

The user will not be able to log in.

Expected behavior: the user should be able to log in.

Actual behavior: error on cluster-manager: user with email user@rc.local doesn't exist


Mohjeet commented 9 months ago

Identity provider prefix is case-sensitive bug:

We are currently working on a fix for this bug. As a quick fix we recommend using lower-case letters for the provider name.

If you already have an environment set up with this issue, steps to re-configure SSO:

  1. DynamoDB -> Tables -> <env-name>-cluster-settings table -> key identity-provider.cognito.sso_enabled -> set to False
  2. Cognito -> <env-name>-user-pool -> Sign-in experience -> Federated identity provider sign-in -> delete the entry
  3. Cognito -> <env-name>-user-pool -> Users -> disable and delete all user entries except clusteradmin
  4. Log in to RES as clusteradmin to configure SSO again (this time with a lower-case provider name)

user_id and user_email are different most of the time bug:

We are using the user's email address as the user's identity. There is a mistake in the "Setting up SSO" documentation that is leading to this bug. We are working on fixing the documentation.

For "Configuring attribute mappings for the application" -> Step 3, instead of entering ${user:subject}, enter ${user:email}.

If you already have an environment set up with this issue, steps to fix:
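The following is an added illustration, not code from aws/res, of the two lookup behaviours discussed in this thread: the case-sensitive prefix strip and the email-derived-from-username pattern that jxuamazon reports, beside a hardened lookup that compares the prefix case-insensitively and reads the email from the email claim, which is what the ${user:email} attribute mapping Mohjeet describes provides. The function names, the in-memory user table and the sample token claims are constructed for this example; it also assumes that Cognito presents the federated username with a lower-cased provider prefix, which is what the report implies.

```python
"""
Added illustration (not code from aws/res): a token-to-user lookup that
fails on an upper-case identity-provider prefix and on a username that
differs from the user's email, next to a hardened version.
All names, the user table and the token claims below are constructed.
"""
from typing import Optional

# Constructed stand-in for the cluster-manager user store, keyed by email.
USERS = {
    "username@amazon.com": {"username": "user", "email": "username@amazon.com"},
}

# Constructed claims for a federated user. Assumption: Cognito presents the
# provider prefix in lower case even when the provider was created as "AWSIDC".
SAMPLE_CLAIMS = {
    "username": "awsidc_user@rc.local",
    "email": "username@amazon.com",
}


def lookup_email_naive(claims: dict, identity_provider_prefix: str) -> Optional[str]:
    """The pattern the issue describes: strip the configured prefix from the
    username with a case-sensitive replace and treat the remainder as the
    email. Fails when the prefix case differs from what Cognito emits, and
    returns the wrong address when username and email are not the same."""
    token_username = claims["username"]
    email = token_username.replace(identity_provider_prefix, "", 1)
    return email if email in USERS else None


def lookup_email_hardened(claims: dict, identity_provider_prefix: str) -> Optional[str]:
    """Hardened lookup: the prefix check is case-insensitive, and the email
    comes from the email claim (populated by the ${user:email} mapping),
    never by transforming the username. A missing claim or a username that
    does not carry this provider's prefix is refused rather than guessed."""
    token_username = claims.get("username", "")
    prefix = identity_provider_prefix.lower()
    if not prefix or not token_username.lower().startswith(prefix):
        return None
    email = claims.get("email")
    if not email:
        return None
    email = email.strip().lower()
    return email if email in USERS else None


if __name__ == "__main__":
    for prefix in ("AWSIDC_", "awsidc_"):
        print(prefix, "naive:", lookup_email_naive(SAMPLE_CLAIMS, prefix),
              "hardened:", lookup_email_hardened(SAMPLE_CLAIMS, prefix))
```

Run as-is, the naive lookup returns None for both prefix spellings (upper case because the replace never matches; lower case because the stripped value user@rc.local is not the stored email), while the hardened lookup resolves username@amazon.com in both cases and still rejects a token whose username belongs to a different provider.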

junbo75 commented 9 months ago

The fix has been released in 2024.01.01 patch. Closing the issue now.