Can't get AWS SSO working with Auth0
I have followed these instructions to the letter, but after logging in to Auth0 via the hosted login page I’m redirected to the AWS SAML login screen with the following error:

Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: c5933149-eb23-11e7-a7de-af9e87aed2c3) (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: c59183be-eb23-11e7-9c29-cb0b29977211). Please try again.

I have copied and pasted the ARN of the IDP directly from IAM into the appropriate rules function per the Auth0 instructions like so:

```javascript
function (user, context, callback) {
  // Role ARN and SAML provider ARN, comma separated, as the AWS Role attribute expects
  user.awsRole = 'arn:aws-us-gov:iam::redacted:role/auth0-admin-role,arn:aws-us-gov:iam::redacted:saml-provider/auth0SamlProvider';
  user.awsRoleSession = user.aws_id;

  // Map the user properties onto the AWS SAML attributes. The attribute names were
  // stripped from the forum rendering of this post; the keys below are the standard
  // AWS SAML attribute names from the Auth0/AWS instructions, not recovered from the post.
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };

  callback(null, user, context);
}
```

I’m wondering now if this has something to do with us using an AWS GovCloud account, or if I’ve somehow managed to miss a step. Or maybe I’m misinterpreting the error message. Any help would be greatly appreciated. Thank you.


I’m unaware of any specifics to AWS GovCloud that would make this unsupported or the instructions different. In addition, that same exact error message appears in the AWS forums for a SAML integration with ADFS, so I would consider a configuration issue the most likely reason.

I understand that you may even have already done this, but I would redo the steps or even try doing the configuration with a second person (like pair programming); having a second pair of eyes just viewing what’s being done may be helpful.

In a reply to that AWS forum question there is a hint to review that the provider name and ARN match exactly; in particular, note that they are case sensitive, so you may also want to review that part.
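As an added example (not code from the original post, and not Auth0's or AWS's own code), here is a small JavaScript pre-flight check for the `awsRole` value that the rule above assigns. It covers the mistakes the reply points at: the role ARN and provider ARN must be well-formed IAM ARNs, must sit in the same partition (`aws-us-gov` for GovCloud) and account, and the provider name in the ARN must match the IAM provider name byte for byte, case included. The function names (`parseArn`, `checkAwsRolePair`), the expected-provider-name parameter and the account ID `123456789012` are assumptions and constructed sample values, not taken from the post.

```javascript
// Added example, not from the original post. Validates the "roleArn,providerArn" pair
// that an Auth0 rule places in the AWS SAML Role attribute before it is shipped to AWS.

// Parse an AWS ARN of the form arn:partition:service:region:account:resource.
// Returns null when the string is not shaped like an ARN.
function parseArn(arn) {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return null;
  return {
    partition: parts[1],
    service: parts[2],
    region: parts[3],
    account: parts[4],
    resource: parts.slice(5).join(':'), // resource may itself contain ':'
  };
}

// Check the role/provider pair against the IAM SAML provider name as created in IAM.
// Returns a list of findings; an empty list means every check here passed.
function checkAwsRolePair(awsRole, expectedProviderName) {
  const findings = [];
  const pieces = awsRole.split(',');
  if (pieces.length !== 2) {
    findings.push('expected exactly one comma separating role ARN and provider ARN');
    return findings;
  }
  const [roleArn, providerArn] = pieces.map((s) => s.trim());
  if (roleArn !== pieces[0] || providerArn !== pieces[1]) {
    findings.push('whitespace around the ARNs; AWS compares the values byte for byte');
  }
  const role = parseArn(roleArn);
  const provider = parseArn(providerArn);
  if (!role || role.service !== 'iam' || !role.resource.startsWith('role/')) {
    findings.push('first value is not an IAM role ARN');
  }
  if (!provider || provider.service !== 'iam' || !provider.resource.startsWith('saml-provider/')) {
    findings.push('second value is not an IAM SAML provider ARN');
  }
  if (role && provider) {
    // GovCloud ARNs use the aws-us-gov partition; mixing partitions cannot work.
    if (role.partition !== provider.partition) {
      findings.push(`partition mismatch: ${role.partition} vs ${provider.partition}`);
    }
    if (role.account !== provider.account) {
      findings.push('role and provider belong to different AWS accounts');
    }
    // The provider name is case sensitive; flag a case-only difference explicitly.
    const providerName = provider.resource.replace(/^saml-provider\//, '');
    if (providerName !== expectedProviderName) {
      const hint = providerName.toLowerCase() === expectedProviderName.toLowerCase()
        ? ' (differs only in case; the name is case sensitive)'
        : '';
      findings.push(`provider name "${providerName}" does not match IAM provider "${expectedProviderName}"${hint}`);
    }
  }
  return findings;
}

// Constructed sample: a GovCloud pair whose provider name differs from IAM only in case.
const sampleAwsRole =
  'arn:aws-us-gov:iam::123456789012:role/auth0-admin-role,' +
  'arn:aws-us-gov:iam::123456789012:saml-provider/auth0samlprovider';
console.log(checkAwsRolePair(sampleAwsRole, 'auth0SamlProvider'));
```

Run it with the value you intend to put in the rule and the provider name as shown in the IAM console; a case-only mismatch is reported separately because it is the one that is easiest to miss when eyeballing two long ARNs.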