AWS Cognito - SAML Provider Issue


Hello,

I am trying to create a new AWS Cognito SAML identity provider and I am entering the metadata document endpoint URL, but when I try to save my new provider I get the following error: "We were unable to update identity provider: Non-ok status code 403 returned from remote metadata source {here goes my provider URL} (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: bfdccf61-dcf3-41d1-88ca-50f73b5b42b4; Proxy: null)"

The provider endpoint is SSL and has a valid certificate associated. I also understand that Cognito is getting a forbidden (403) response while trying to access the metadata. I can access my provider endpoint URL from the browser (no credentials needed) and download the metadata file, and if I upload the file instead of using the endpoint it seems to work just fine. But I do not want to depend on this manually uploaded file in case the provider changes the metadata at some point.

I am not sure if there is anything the provider needs to do to allow AWS Cognito to access the endpoint. Can someone please shed some light on this problem?

Thank you very much in advance!

Ransel
asked 2 years ago · 480 views
1 Answer

When you add a SAML provider in Cognito, the metadata document is requested from an AWS IP address. If you're able to access the metadata document in your browser without any authentication, it sounds like your identity provider has a firewall or similar blocking requests from AWS.

I'm not sure which identity provider you're using, but to make it work they will need to allow the AWS IP ranges [1] to access the metadata document.

[1] https://ip-ranges.amazonaws.com/ip-ranges.json

Ed
answered 2 years ago
  • Thank you so much for your reply, Ed! I truly appreciate it. I have contacted the SAML provider with your answer and hopefully the request validation gets unblocked!
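To make the allow-list step from Ed's answer concrete, here is an added example (not code from the question, the answer, or AWS) that reads a document in the shape of ip-ranges.json, pulls the prefixes for one region and service tag into firewall-ready CIDRs, checks whether an IP seen in the IdP's access log falls inside them, and flags when the published syncToken has changed so the allow list needs refreshing. The sample prefixes are constructed, and the choice of region and the "AMAZON" service tag is an assumption, since the thread does not say which tag covers Cognito's metadata fetch.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file has thousands of entries; these prefixes are made up for illustration.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def allowed_networks(ip_ranges_json, region, service="AMAZON"):
    """Return the IPv4 and IPv6 networks published for one region and service tag,
    de-duplicated and sorted, ready to become firewall allow rules.
    The service tag to filter on is an assumption; pick the one that fits your setup."""
    doc = json.loads(ip_ranges_json)
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry["region"] == region and entry["service"] == service:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry["region"] == region and entry["service"] == service:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # Sort by address family first so IPv4 and IPv6 networks are never compared directly.
    return sorted(nets, key=lambda n: (n.version, n))


def source_is_allowed(source_ip, networks):
    """True if the client IP recorded in the IdP's access log (e.g. on the 403) is inside
    an allowed prefix; a False here means the allow list is missing that range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def needs_refresh(ip_ranges_json, last_seen_sync_token):
    """The published ranges change over time; compare syncToken with the one the allow list
    was built from to decide whether the firewall rules must be regenerated."""
    return json.loads(ip_ranges_json)["syncToken"] != last_seen_sync_token


if __name__ == "__main__":
    nets = allowed_networks(SAMPLE_IP_RANGES, "us-east-1")
    print("allow:", [str(n) for n in nets])
    print("198.51.100.17 allowed:", source_is_allowed("198.51.100.17", nets))
    print("refresh needed:", needs_refresh(SAMPLE_IP_RANGES, "1699999999"))
```

In practice, fetch the live file, build the allow list from `allowed_networks`, and rerun `needs_refresh` on a schedule so the IdP's firewall keeps pace with published changes.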
