Troubleshooting SAML 2.0 Federation, Invalid SAML Response

0

Hello everyone,

I'm trying to SSO into AWS through my IdP (Keycloak). I'm stuck with the error "Your Request Included an Invalid SAML Response. To Logout, Click Here" that is thrown from AWS Sign-In. This specific error is described in the AWS Documentation and states that the response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/Role.

But as you can see in the authentication response below (at the very end) this is set. Any help is appreciated here :)

Thanks
Carsten

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://signin.aws.amazon.com/saml" ID="ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
	<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<dsig:Reference URI="#ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7">
				<dsig:Transforms>
					<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</dsig:Transforms>
				<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
				<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
			</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>!REMOVED!</dsig:KeyName>
			<dsig:X509Data>
				<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
			</dsig:X509Data>
			<dsig:KeyValue>
				<dsig:RSAKeyValue>
					<dsig:Modulus>!REMOVED!</dsig:Modulus>
					<dsig:Exponent>AQAB</dsig:Exponent>
				</dsig:RSAKeyValue>
			</dsig:KeyValue>
		</dsig:KeyInfo>
	</dsig:Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</samlp:Status>
	<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_17ff48a3-e794-4b66-a237-c93820afccea" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
		<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
		<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
			<dsig:SignedInfo>
				<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
				<dsig:Reference URI="#ID_17ff48a3-e794-4b66-a237-c93820afccea">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
					<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
				</dsig:Reference>
			</dsig:SignedInfo>
			<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
			<dsig:KeyInfo>
				<dsig:KeyName>!REMOVED!</dsig:KeyName>
				<dsig:X509Data>
					<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
				</dsig:X509Data>
				<dsig:KeyValue>
					<dsig:RSAKeyValue>
						<dsig:Modulus>!REMOVED!</dsig:Modulus>
						<dsig:Exponent>AQAB</dsig:Exponent>
					</dsig:RSAKeyValue>
				</dsig:KeyValue>
			</dsig:KeyInfo>
		</dsig:Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-367233d6-89a5-417b-9f1a-a4fa98f04a9c</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2019-10-14T14:07:41.661Z" Recipient="https://signin.aws.amazon.com/saml"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2019-10-14T14:06:41.661Z" NotOnOrAfter="2019-10-14T14:07:41.661Z">
			<saml:AudienceRestriction>
				<saml:Audience>urn:amazon:webservices</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2019-10-14T14:06:43.661Z" SessionIndex="9909c433-23c8-44c1-a0d2-dbd862289b37::d87788fb-e8d3-4f93-b1f0-c638546a7a8e" SessionNotOnOrAfter="2019-10-15T00:06:43.661Z">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute FriendlyName="Session Name" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">firstname.lastname</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute FriendlyName="Session Duration" Name="https://aws.amazon.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">28800</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute FriendlyName="Session Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::MY_REMOVED_ACCOUNTID:role/AssumeRoleSAML,arn:aws:iam::MY_REMOVED_ACCOUNTID:saml-provider/MYPROVIDER</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

Edited by: Bob The Builder on Oct 17, 2019 4:02 PM

asked 5 years ago · 1784 views
1 Answer
0

This was solved by attaching the roles to a group which the user is assigned to, instead of directly attaching the role to the user.

answered 5 years ago
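
An added example, not part of the original question or answer and not AWS or Keycloak code: a check of each AttributeValue in the Role attribute against the format AWS documents for it, a comma-separated pair of an IAM role ARN and a SAML provider ARN. The sample input is constructed from the response in the question with a placeholder account ID, and `check_role_attribute` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_ARN = re.compile(r"arn:aws[\w-]*:iam::\d{12}:role/.+")
PROVIDER_ARN = re.compile(r"arn:aws[\w-]*:iam::\d{12}:saml-provider/.+")

# Constructed sample: mirrors the Role attribute in the question, with a
# placeholder account ID (123456789012) in place of the redacted one.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/AssumeRoleSAML,arn:aws:iam::123456789012:saml-provider/MYPROVIDER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_role_attribute(xml_text):
    """Return (valid_pairs, problems) for the AWS Role attribute.

    Intended for a response captured from your own IdP; it inspects
    attribute values only and does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    values = [v.text or ""
              for a in root.iter(f"{{{NS['saml']}}}Attribute")
              if a.get("Name") == ROLE_ATTR
              for v in a.findall("saml:AttributeValue", NS)]
    if not values:
        return [], ["no Role attribute values found"]
    valid, problems = [], []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        role = [p for p in parts if ROLE_ARN.fullmatch(p)]
        provider = [p for p in parts if PROVIDER_ARN.fullmatch(p)]
        # Exactly one role ARN and one provider ARN; order is not checked.
        if len(parts) == 2 and len(role) == 1 and len(provider) == 1:
            valid.append((role[0], provider[0]))
        else:
            problems.append(f"not a role-ARN,provider-ARN pair: {value!r}")
    return valid, problems


if __name__ == "__main__":
    print(check_role_attribute(SAMPLE))
```

On the sample, the checker accepts the ARN pair and reports the bare `admin` value as not matching the documented format.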
