Hello everyone, I'm trying to SSO into AWS through my IdP (Keycloak). I'm stuck with the error **Your Request Included an Invalid SAML Response. To Logout, Click Here** that is thrown from AWS SingIn. This specific error is described in the AWS Documentation and states that the response from the identity provider does not include an attribute with the **Name** set to **https://aws.amazon.com/SAML/Attributes/Role**. But as you can see in the authentication response below (at the very end) this is set. Any help is appreciated here :) Thanks Carsten ``` https://auth.acme.org/auth/realms/master !REMOVED! !REMOVED! !REMOVED! !REMOVED! !REMOVED! AQAB https://auth.acme.org/auth/realms/master !REMOVED! !REMOVED! !REMOVED! !REMOVED! !REMOVED! AQAB G-367233d6-89a5-417b-9f1a-a4fa98f04a9c urn:amazon:webservices urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified firstname.lastname 28800 admin arn:aws:iam::MY_REMOVED_ACCOUNTID:role/AssumeRoleSAML,arn:aws:iam::MY_REMOVED_ACCOUNTID:saml-provider/MYPROVIDER ``` Edited by: Bob The Builder on Oct 17, 2019 4:02 PM

Troubleshooting SAML 2.0 Federation, Invalid SAML Response

Hello everyone,

I'm trying to SSO into AWS through my IdP (Keycloak). I'm stuck with the error Your Request Included an Invalid SAML Response. To Logout, Click Here that is thrown from AWS SingIn. This specific error is described in the AWS Documentation and states that the response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/Role.

But as you can see in the authentication response below (at the very end) this is set. Any help is appreciated here :)

Thanks
Carsten

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://signin.aws.amazon.com/saml" ID="ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
	<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<dsig:Reference URI="#ID_c1b23a5d-0b90-4a2a-b88d-50b5c854bbe7">
				<dsig:Transforms>
					<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</dsig:Transforms>
				<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
				<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
			</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>!REMOVED!</dsig:KeyName>
			<dsig:X509Data>
				<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
			</dsig:X509Data>
			<dsig:KeyValue>
				<dsig:RSAKeyValue>
					<dsig:Modulus>!REMOVED!</dsig:Modulus>
					<dsig:Exponent>AQAB</dsig:Exponent>
				</dsig:RSAKeyValue>
			</dsig:KeyValue>
		</dsig:KeyInfo>
	</dsig:Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</samlp:Status>
	<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_17ff48a3-e794-4b66-a237-c93820afccea" IssueInstant="2019-10-14T14:06:43.661Z" Version="2.0">
		<saml:Issuer>https://auth.acme.org/auth/realms/master</saml:Issuer>
		<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
			<dsig:SignedInfo>
				<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
				<dsig:Reference URI="#ID_17ff48a3-e794-4b66-a237-c93820afccea">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
					<dsig:DigestValue>!REMOVED!</dsig:DigestValue>
				</dsig:Reference>
			</dsig:SignedInfo>
			<dsig:SignatureValue>!REMOVED!</dsig:SignatureValue>
			<dsig:KeyInfo>
				<dsig:KeyName>!REMOVED!</dsig:KeyName>
				<dsig:X509Data>
					<dsig:X509Certificate>!REMOVED!</dsig:X509Certificate>
				</dsig:X509Data>
				<dsig:KeyValue>
					<dsig:RSAKeyValue>
						<dsig:Modulus>!REMOVED!</dsig:Modulus>
						<dsig:Exponent>AQAB</dsig:Exponent>
					</dsig:RSAKeyValue>
				</dsig:KeyValue>
			</dsig:KeyInfo>
		</dsig:Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-367233d6-89a5-417b-9f1a-a4fa98f04a9c</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2019-10-14T14:07:41.661Z" Recipient="https://signin.aws.amazon.com/saml"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2019-10-14T14:06:41.661Z" NotOnOrAfter="2019-10-14T14:07:41.661Z">
			<saml:AudienceRestriction>
				<saml:Audience>urn:amazon:webservices</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2019-10-14T14:06:43.661Z" SessionIndex="9909c433-23c8-44c1-a0d2-dbd862289b37::d87788fb-e8d3-4f93-b1f0-c638546a7a8e" SessionNotOnOrAfter="2019-10-15T00:06:43.661Z">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute FriendlyName="Session Name" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">firstname.lastname</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute FriendlyName="Session Duration" Name="https://aws.amazon.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">28800</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute FriendlyName="Session Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::MY_REMOVED_ACCOUNTID:role/AssumeRoleSAML,arn:aws:iam::MY_REMOVED_ACCOUNTID:saml-provider/MYPROVIDER</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

Edited by: Bob The Builder on Oct 17, 2019 4:02 PM

Topics

Security, Identity, & Compliance

Relevant content

OpenSearch Saml SP-initiated login through IAM Identity Center SSO
rePost-User-3884245
asked a year ago
AWS SSO - User portal customize URL with external IdP (SAML)
Accepted Answer
Assice
asked 2 years ago
AWS SSO with Google SAML group mapping
Oleksandr
asked 9 months ago
Internal Server Error - SAML Federation for User Pools
kschulst
asked 7 years ago
How do I troubleshoot an "invalid SAML response" error for Okta and AWS IAM Federation?
AWS OFFICIALUpdated 2 years ago
How do I capture and analyze the SAML response to troubleshoot common errors when I use SAML 2.0 federation with AWS?
AWS OFFICIALUpdated 11 days ago
How do I troubleshoot invalid SAML response errors users might receive when they federate into Amazon Cognito?
AWS OFFICIALUpdated a year ago
How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool?
AWS OFFICIALUpdated 3 years ago
Troubleshooting "The Access Key ID or Security Token is Invalid" Error after Upgrading DynamoDB Local to Version 2.0.0 / 1.23.0 or Greater
EXPERT
Leeroy Hannigan
published 10 months ago
How to Rotate your External IdP Certificates in AWS IAM Identity Center (successor to AWS Single Sign-On) with Zero Downtime
EXPERT
Matt-B
published a year ago