How can I capture and analyze the SAML response to troubleshoot common errors with SAML 2.0 federation with AWS?

Short description

If you're using SAML federation, be sure that you've correctly configured Active Directory. For more information, see AWS federated authentication with Active Directory Federation Services (AD FS).

If you're setting up federated access to your AWS accounts for the first time, it's a best practice to use the AWS IAM Identity Center (successor to AWS Single Sign-On) service to provide centrally managed IAM Identity Center access to multiple AWS accounts.

To troubleshoot SAML-related errors:

• Capture and decode a SAML response from the browser.
• Review the values in the decoded file.
• Check for errors, and then confirm the configuration.

Resolution

Capture and decode a SAML response

Capture and decode a SAML response from the browser, and then review the information sent to AWS. For browser-specific instructions, see How to view a SAML response in your browser for troubleshooting.

Review the values in the decoded file

Review the values in the decoded SAML response file:

1.    Verify that the value for the saml:NameID attribute matches the user name for the authenticated user.

2.    Review the value for https://aws.amazon.com/SAML/Attributes/Role. The Amazon Resource Names (ARNs) for the role and SAML provider are case-sensitive, and the ARNs must match the resources in your AWS account.

3.    Review the value for https://aws.amazon.com/SAML/Attributes/RoleSessionName. Be sure that the value matches the correct value as the claim rule. If you configure the attribute value to be an email address or an account name, the value must correspond to the email address or account name of the authenticated Active Directory user.

Check for errors and confirm the configuration

Check for errors with any of these values, and confirm that the following configurations are correct:

1.    Confirm that the claim rules are configured to meet the required elements and that all ARNs are accurate. For more information, see Configuring your SAML 2.0 IdP with relying party trust and adding claims.

2.    Confirm that you uploaded the latest metadata file from your IdP into AWS in your SAML provider. For more information, see Allowing SAML 2.0 federated users to access the AWS Management Console.

3.    Confirm that you have the AWS Identity and Access Management (IAM) role's trust policy configured correctly. For more information, see Modifying a role.

4.    Confirm that the Active Directory user attempting to log in to the console is a member of the Active Directory group that corresponds to the IAM role.

For a list of common errors, see Troubleshooting SAML 2.0 federation with AWS. If you're configuring claim rules in Active Directory, be sure to configure SAML assertions for the authentication responses to identify the key attributes and values that AWS requires.