
Auth0 SSO for AWS service is not working


Hi,

I configured SSO for AWS. Everything looks fine, but when I do a SAML login I get an error from AWS saying "your request included an invalid SAML response To logout, click". As per the AWS documentation, the SAML response must contain the attributes Role and RoleSessionName. Both values are present in the SAML response. Can anyone help me with this? FYI, below is my SAML response.

<?xml version="1.0" encoding="UTF-8"?>
<!-- SAML 2.0 Response from the Auth0 tenant (Issuer urn:awswithauth0.auth0.com) to the AWS SAML endpoint given in Destination. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8134cedbb542d473b7bb" Version="2.0" IssueInstant="2018-09-12T05:14:33Z" Destination="https://signin.aws.amazon.com/saml">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:awswithauth0.auth0.com</saml:Issuer>
   <!-- Top-level status is Success; the "invalid SAML response" error therefore comes from AWS rejecting the content below, not from the IdP. -->
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_SgWAfGipx9GCQ4k9pAbyJipExZFldELk" IssueInstant="2018-09-12T05:14:33.533Z">
      <saml:Issuer>urn:awswithauth0.auth0.com</saml:Issuer>
      <!-- Enveloped XML signature over the Assertion: the Reference URI below matches the Assertion ID above.
           NOTE(review): rsa-sha1 and the sha1 digest are legacy algorithms; prefer RSA-SHA256 / SHA-256 where the IdP configuration allows it.
           SignatureValue and X509Certificate are blank here, presumably redacted for posting; a genuinely empty signature would itself be rejected by the SP. -->
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_SgWAfGipx9GCQ4k9pAbyJipExZFldELk">
               <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <DigestValue>HZJKumSyiSTaPdeSxVgFfL3Po+M=</DigestValue>
            </Reference>
         </SignedInfo>
         <SignatureValue> </SignatureValue>
         <KeyInfo>
            <X509Data>
               <X509Certificate> </X509Certificate>
            </X509Data>
         </KeyInfo>
      </Signature>
      <saml:Subject>
         <!-- "user email id" reads as a placeholder for the real persistent NameID. -->
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user email id</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <!-- Bearer confirmation: Recipient equals the Response Destination, and the assertion expires one hour after issue. -->
            <saml:SubjectConfirmationData NotOnOrAfter="2018-09-12T06:14:33.533Z" Recipient="https://signin.aws.amazon.com/saml" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <!-- Validity window and audience restriction; the Audience matches the AWS SAML endpoint used as Destination/Recipient. -->
      <saml:Conditions NotBefore="2018-09-12T05:14:33.533Z" NotOnOrAfter="2018-09-12T06:14:33.533Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2018-09-12T05:14:33.533Z" SessionIndex="_MeQBOLNYKAiZDbTCDbzjklDMPXJp_9v2">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <!-- NOTE(review): AWS expects the Role value as a comma-separated pair "role ARN,SAML provider ARN".
              The second ARN below has no saml-provider/ path segment; the provider ARN form is arn:aws:iam::ACCOUNT:saml-provider/NAME.
              A malformed pair is a likely cause of the "invalid SAML response" error even though both attributes are present.
              "awsaccountid" is presumably a redaction placeholder for the 12-digit account id. -->
         <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xs:type="xs:string">arn:aws:iam::awsaccountid:role/QuicksightRole,arn:aws:iam::awsaccountid:auth0SamlProvider</saml:AttributeValue>
         </saml:Attribute>
         <!-- RoleSessionName becomes the session name of the assumed role; it is populated here with the same placeholder as the NameID. -->
         <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xsi:type="xs:string">user email id</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>