Troubleshooting SAML 2.0 Federation, Invalid SAML Response
0
Hello everyone,
I'm trying to SSO into AWS through my IdP (Keycloak). I'm stuck with the error Your Request Included an Invalid SAML Response. To Logout, Click Here that is thrown from AWS SingIn. This specific error is described in the AWS Documentation and states that the response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/Role.
But as you can see in the authentication response below (at the very end) this is set. Any help is appreciated here :)
Thanks
Carsten
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://signin.aws.amazon.com/saml" ID="ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<dsig:Reference URI="#ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>!REMOVED!</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>!REMOVED!</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_17ff48a3-e794-4b66-a237-c93820afccea" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<dsig:Reference URI="#ID_17ff48a3-e794-4b66-a237-c93820afccea">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>!REMOVED!</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>!REMOVED!</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-367233d6-89a5-417b-9f1a-a4fa98f04a9c</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-10-14T14:07:41.661Z" Recipient="https://signin.aws.amazon.com/saml"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-10-14T14:06:41.661Z" NotOnOrAfter="2019-10-14T14:07:41.661Z">
<saml:AudienceRestriction>
<saml:Audience>urn:amazon:webservices</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-10-14T14:06:43.661Z" SessionIndex="9909c433-23c8-44c1-a0d2-dbd862289b37::d87788fb-e8d3-4f93-b1f0-c638546a7a8e" SessionNotOnOrAfter="2019-10-15T00:06:43.661Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute FriendlyName="Session Name" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">firstname.lastname</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="Session Duration" Name="https://aws.amazon.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">28800</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="Session Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::MY_REMOVED_ACCOUNTID:role/AssumeRoleSAML,arn:aws:iam::MY_REMOVED_ACCOUNTID:saml-provider/MYPROVIDER</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Edited by: Bob The Builder on Oct 17, 2019 4:02 PM
posta 5 anni fa1784 visualizzazionilg...
1 Risposta
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
Queste risposte sono utili? Dai un voto positivo alla risposta corretta per aiutare la community a trarre vantaggio dalle tue conoscenze.
0
This was solved by attaching the roles to a group which the user is assigned to. Instead of directly attaching the role to the user.
con risposta 5 anni falg...
Contenuto pertinente
- AWS UFFICIALEAggiornata 8 mesi fa
- AWS UFFICIALEAggiornata 3 anni fa
- Come faccio a configurare AD FS come provider di identità SAML con un pool di utenti Amazon Cognito?AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata 7 mesi fa