Thanks for reporting this. We are in the process of fixing a couple of bugs identified in our implementation.
- Name ID longer than 128 chars results in an error.
- SAML response containing invalid base64 chars (new line or whitespace) results in an error.
We are in the process of fixing these and will update here once it is done.
Meanwhile, if the above two cases are not applicable to your scenario, can you please PM me an approximate timestamp and user pool ID so that I can investigate further.
Hi Vinay, thanks for the response!
The nameId is a lot shorter than 128 chars. And the encoded SAML response does not contain any newline or whitespace characters.
Have also tried both with users that don't already exist in the user pool AND users that are already established (with user self-signup) within the user pool. Same problem for both.
Will PM you with details so that you can investigate further :-)
Thanks a lot, Kenneth
A follow up for others that might experience the same problem...
It did not look like our SAML response contained invalid chars, but after inspecting AWS logs:
"I can confirm that the issue is related to the invalid base-64 chars (new line). You will see %0D%0A chars in the URL-encoded base-64 response, which typical SAML decoders ignore. This is why you don't see it in the base-64 response.
We have the fix rolled out in Frankfurt, Mumbai and London region already. So, you should be able to get it working in any of these regions. Meanwhile we are rolling out the fix in other regions."
I attempted to get it working with a user pool in Frankfurt, but experienced the same problem there. However, when I tried London, things started to work! :-D
Guess the fix will be rolled out in multiple regions soon...
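The symptom described in the follow-up above, reproduced as an added example (this is not code from the thread, from Cognito or from AWS): a base64 SAMLResponse that an IdP line-wrapped with CRLF shows up as %0D%0A in the URL-encoded form field, a strict base64 decoder rejects it, and a lenient one that drops whitespace first accepts it. The XML payload and the function names are constructed for this example; to check your own case, paste the raw SAMLResponse form value from the browser's network tab into `diagnose()` in place of the generated one.

```python
"""Show why a CRLF-wrapped base64 SAMLResponse fails a strict decoder
but passes a lenient one, and how to spot the %0D%0A before decoding."""
import base64
import binascii
import re
import urllib.parse

# Constructed sample payload (not a real IdP response). It is long enough
# that the base64 output exceeds one 76-char line, so wrapping inserts CRLF.
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0"><saml:Assertion '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>'
    b'<saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    b'</saml:Assertion></samlp:Response>'
)


def encode_saml_response(xml: bytes, wrap: bool) -> str:
    """Base64-encode XML as an IdP would, then URL-encode it for the form POST.
    wrap=True inserts CRLF every 76 chars (MIME/PEM-style line wrapping),
    which is what produces the %0D%0A sequences mentioned in the thread."""
    b64 = base64.b64encode(xml).decode("ascii")
    if wrap:
        b64 = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return urllib.parse.quote_plus(b64)


def has_encoded_line_breaks(form_value: str) -> bool:
    """Spot %0D%0A or %0A in the URL-encoded field before decoding hides it.
    Base64 alphabet chars only ever encode to %2B, %2F and %3D, so any %0A
    must come from a line break in the IdP's output."""
    return re.search(r"%0D%0A|%0A", form_value, re.IGNORECASE) is not None


def strict_decode(form_value: str) -> bytes:
    """Strict SP behaviour: any char outside the base64 alphabet is an error."""
    raw = urllib.parse.unquote_plus(form_value)
    return base64.b64decode(raw, validate=True)


def lenient_decode(form_value: str) -> bytes:
    """Typical SAML toolkit behaviour: discard whitespace, then decode strictly."""
    raw = urllib.parse.unquote_plus(form_value)
    return base64.b64decode(re.sub(r"\s+", "", raw), validate=True)


def diagnose(form_value: str) -> dict:
    """Report what a strict and a lenient decoder each make of the field."""
    result = {"encoded_line_breaks": has_encoded_line_breaks(form_value)}
    try:
        strict_decode(form_value)
        result["strict_ok"] = True
    except binascii.Error:
        result["strict_ok"] = False
    try:
        lenient_decode(form_value)
        result["lenient_ok"] = True
    except binascii.Error:
        result["lenient_ok"] = False
    return result


if __name__ == "__main__":
    for wrap in (False, True):
        field = encode_saml_response(SAMPLE_XML, wrap)
        print(f"wrapped={wrap}: {diagnose(field)}")
```

A field that reports `encoded_line_breaks=True, strict_ok=False, lenient_ok=True` is the case this thread is about: the IdP's base64 is valid once whitespace is dropped, so fixing the IdP's encoder or using a region with the Cognito fix both resolve it. This only checks the encoding layer; it says nothing about whether the assertion's signature or audience would be accepted.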
Can you confirm this has rolled out on all regions, including us-west-2? I'm receiving a similar error, even when the IdP is showing success.
The fix has been deployed to handle the new line chars in the URL encoded SAML response.