Workspaces SAML SP Response Issue

Question

I recently followed [these instructions](https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html) to set up SAML for AmazonWorkspaces. The result:  a loop between 'Open Workspaces' and the IdP auth (which seems to be working fine). I looked at the URL details, and noticed that AWS (acting as SP) provides an SP response containing three URLs:
* The IdP SSO URL (presumably taken from the metadata. 
* The relaystate URL created per the instructions.
* A token (saml/start/TOKEN) to start the workspace.

When I copy/paste the third URL into the browser, it does successfully open the workspace login screen. This makes me think that the SP response needs to be edited so that only the third URL is provided. Any ideas how to do this?

I'm thinking the IdP metadata (I'm using Okta btw) needs to be edited somehow, though I'm open to other suggestions as well.

Answer

If you're using Okta, you need to make sure you enter all the [attributes specified in step 5 ](https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#create-assertions-saml-auth). The default application will not include all the attributes necessary. Nor is sAMAccountName an attribute that is available to most SAML 2.0 IdPs, which is why most need to follow the instructions in Okta for creating the custom attribute.

Workspaces SAML SP Response Issue

관련 콘텐츠