Cognito User Pool SAML Federation throwing Unable to contact the configured provider

0

Hi,

I have a user pool with a configured federated SAML IdP in Cognito's AWS Console (User Pool > Sign-in Experience > Federated identity provider sign-in). Our users were able to log in through this IdP in our Cognito just fine a week or so ago; now they are getting the following error: "Invalid SAML response received: Unable to contact the configured provider". I already checked the following troubleshooting guides, but they don't have any information about this error.

I checked all configuration parameters on the configuration and they all match the expected values. The IdP has the correct configuration for Assertion Consumer Service URL, Entity ID, Name Identifier Format, certificates, and field mapping. On the other side, Cognito also has all the correct configuration regarding metadata URL, field mapping, User Pool Client attribution, etc. I tested in this User Pool a secondary configuration with a different IdP (Auth0) and that worked fine as well; this error is specifically about this IdP integration I mentioned, which stopped working for whatever reason.

What is this error about and how can I fix/troubleshoot it?

2 Answers
1

The error "Invalid SAML response received: Unable to contact the configured provider" signifies that Cognito is unable to establish a connection to the metadata endpoint of your SAML Identity Provider (IdP) through the provided metadata file / metadata URL.

Please check whether the metadata file / metadata URL has been updated for your SAML IdP, and also make sure that the SAML IdP metadata is publicly accessible through the metadata URL.

To troubleshoot this issue we require a HAR file, which is non-public information. Please open a support case with AWS using the following link and add your HAR log [1] for troubleshooting:

https://console.aws.amazon.com/support/home#/case/create

[1] https://repost.aws/knowledge-center/support-case-browser-har-file

AWS
SUPPORT ENGINEER
answered 5 months ago
0

Thanks for the insight @Vinay. I talked to the customer and in principle their IdP metadata URL is valid and there is no firewall rule blocking it from being accessed online. So it must be something wrong in the Cognito implementation; I hope you can escalate this to the Cognito team to validate whether there is something wrong in the implementation.

In the meantime, to fix this issue and not block users' ability to SSO into our Cognito instance, I changed the configuration from using the metadata URL to using the metadata file instead. I basically downloaded the file manually and uploaded it to Cognito. Now the SSO is working again.

answered 5 months ago
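Before uploading a manually downloaded metadata document as the file-based configuration described in the answer above, it is worth checking offline that it is actually usable IdP metadata (correct root element, entityID, an IdP descriptor with an SSO endpoint and a signing certificate, and not past its validUntil). The following is an added example, not code from this thread or from AWS; the metadata document is a constructed sample with a placeholder certificate body.

```python
"""Offline sanity check of a SAML IdP metadata document before switching a Cognito
SAML provider from MetadataURL to MetadataFile. Added example, not AWS code."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")


def check_idp_metadata(xml_text, now=None):
    """Return entityID, SSO endpoints, signing-cert count and a list of problems."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems, sso, cert_count = [], {}, 0
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID (Cognito matches the assertion Issuer to it)")
    valid_until = root.get("validUntil")  # optional; expired metadata is a common cause
    if valid_until and dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        problems.append(f"validUntil {valid_until} is in the past")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: SP metadata or not SAML metadata at all")
    else:
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso[svc.get("Binding")] = svc.get("Location")
        if not any(b in sso for b in SSO_BINDINGS):
            problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":  # no 'use' attribute means any use
                cert_count += len(kd.findall(".//ds:X509Certificate", NS))
        if cert_count == 0:
            problems.append("no signing X509Certificate, so assertions cannot be verified")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": cert_count, "problems": problems}


# Constructed sample for the check above; not a real IdP, certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml"
  validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_idp_metadata(open("idp-metadata.xml").read())` on the file you downloaded; an empty `problems` list means the document is at least structurally what Cognito expects, and a non-empty one points at what the IdP side needs to fix.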
