AWS SSO: The SAML Request AssertionConsumerServiceURL is invalid

Hi All,

Im getting this error when trying to setup AWS SSO with Auth0 SAML using gmail.

The SAML Request AssertionConsumerServiceURL is invalid: ‘https://eu-west-2.signin.aws.amazon.com/platform/saml/acs/xxxxxxxx

I have followed all the steps in this guide https://auth0.com/docs/integrations/aws/configure-amazon-web-services-for-sso

Any ideas?

Thanks
Phil

Hey @pj76422, Welcome to the Auth0 Community!

Can you try again with the AWS SSO ACS URL copied from AWS and set it as Application Callback URL in the SAML Add on instead of “https://signin.aws.amazon.com/saml”, Currently the documentation referred by you at https://auth0.com/docs/integrations/aws/configure-amazon-web-services-for-sso has an issue in the steps and I will raise this to be fixed by the concerned team.

Also after configuration, you will need to manually provision a user on the AWS side as well to be able to
authenticate with Auth0.

Do try and let me know how you go!

Regards,
Sid

1 Like

Hi Sidarth,

That worked, I now get redirected to the AWS SAML login page. However, I get an error saying Invalid input.

In AWS Cloudtrail I have the following event ExternalIdPDirectoryLogin

{
“eventVersion”: “1.05”,
“userIdentity”: {
“type”: “Unknown”,
“principalId”: “xxxx”,
“arn”: “”,
“accountId”: “xxxx”,
“accessKeyId”: “”
},
“eventTime”: “2020-11-01T15:27:46Z”,
“eventSource”: “signin.amazonaws.com”,
“eventName”: “ExternalIdPDirectoryLogin”,
“awsRegion”: “eu-west-2”,
“sourceIPAddress”: "xxx.xxx.xxx.xxx,
“userAgent”: “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0”,
“errorMessage”: “Not a valid response for the provided request id: aws_f84oVbYAvEGS0ReeqqLWlGAzYbcyj9QU”,
“requestParameters”: null,
“responseElements”: {
“ExternalIdPDirectoryLogin”: “Failure”
},
“requestID”: “e840a1f3-aaf8-4004-ae7b-8bf51bea”,
“eventID”: “ca046831-efbd-444d-8232-1ab7e745a”,
“readOnly”: false,
“eventType”: “AwsConsoleSignIn”,
“recipientAccountId”: "xxxx
}

Thanks
Phil

Hey @pj76422, Thanks for letting me know.

Did you manually provision the user in the AWS SSO users setting with the same Auth0 user to work as mentioned in my previous post?

Following steps needs to be followed to configure the User in AWS:

a. Navigate to the AWS SSO landing page. In the left navigation pane, choose Users .

b. On the Users page, choose Add user .

c. On the Add user page, in the Username field, enter the email address associated with your Auth0 user If you do not use the correct email address, authentication will fail

d. In the Email and Confirm email address fields, enter the email you used in Step C

e. Enter any value you like for First Name and Last Name .

f. Ensure Display name field is populated.

g. Click Next: Groups .

h. Click Add user .

i. To assign the user to your AWS account, in the AWS SSO console, in the left navigation pane, click AWS accounts .

j. On the AWS Accounts page, select the AWS organization tab. Check the box next to the AWS account you want to assign to the user. Then click Assign users

k. On the Assign Users page, find and check the box next to the user you created. Then click Next: Permission sets .

l. Under the Select permission sets section, check the box next to the permission set you want to assign to the user. If you don’t have an existing permission set, click Create new permission set .

m. Click Finish .

Again I apologize this is not in the official documentation, which needs to be added.

Regards,
Sid

1 Like

Hi Sidarth,

I have already setup the user but checked it against what you have and it appears to be correct. Im getting the following error/warning from AWS

I’m assuming the SAML response is causing the problem or I have miss configuration on the AWS side.

part of SAML response:

saml:Subject
<saml:NameID Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”>xxxxx@gmail.com</saml:NameID>
<saml:SubjectConfirmation Method=“urn:oasis:names:tc:SAML:2.0:cm:bearer”>
<saml:SubjectConfirmationData NotOnOrAfter=“2020-11-02T09:42:47.275Z”
Recipient=“https://eu-west-2.signin.aws.amazon.com/platform/saml/acs/0ff55dc3-9e4f-4dec-a57xxxxxx” />
</saml:SubjectConfirmation>
</saml:Subject>

Thanks
Phil

Any update on this issue?

Tagging @sidharth.chaudhary for visibility.

Hey @pj76422, Can you DM me a HAR file to see, Also before that can you delete any rule you created based on this documentation and try again?

These rules I don’t think are required now since the policy is handled by AWS SSO.

I had this exact issue today and it seems to be an issue with using developer keys in your google social connection. This might not be your exact issue @pj76422 but I can see that you are also using google authentication. This could also help someone that had the same problem as me in the future. I followed this guide: https://auth0.com/docs/connections/social/google and set up a client id and secret in the Connections -> Social -> google-oauth

2 Likes

Thanks for sharing that with the rest of community!

The error indicates that the ACS URL being sent in the SAML Request does not match what is configured in Auth0.

Verify that in the Auth0 application’s SAML addon settings you have set http://localhost:5601/api/security/v1/saml as the ACS URL.

1 Like

Thanks for sharing that knowledge @jackiesty!