Hi,
I configured SSO for AWS. Everything looks fine, but when I do SAML login I get the error from AWS saying "your request included an invalid SAML response To logout, click". As per AWS document, the SAML response must contain Attribute Role and RoleSessionName. Both the values are present in the saml response. Can anyone help me with this? FYI, below is my saml response.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8134cedbb542d473b7bb" Version="2.0" IssueInstant="2018-09-12T05:14:33Z" Destination="https://signin.aws.amazon.com/saml">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:awswithauth0.auth0.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_SgWAfGipx9GCQ4k9pAbyJipExZFldELk" IssueInstant="2018-09-12T05:14:33.533Z">
<saml:Issuer>urn:awswithauth0.auth0.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_SgWAfGipx9GCQ4k9pAbyJipExZFldELk">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>HZJKumSyiSTaPdeSxVgFfL3Po+M=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue> </SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate> </X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user email id</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2018-09-12T06:14:33.533Z" Recipient="https://signin.aws.amazon.com/saml" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2018-09-12T05:14:33.533Z" NotOnOrAfter="2018-09-12T06:14:33.533Z">
<saml:AudienceRestriction>
<saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2018-09-12T05:14:33.533Z" SessionIndex="_MeQBOLNYKAiZDbTCDbzjklDMPXJp_9v2">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">arn:aws:iam::awsaccountid:role/QuicksightRole,arn:aws:iam::awsaccountid:auth0SamlProvider</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">user email id</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Hey there!
Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!
Do you still require further assistance from us?