Troubleshooting SAML 2.0 federation with Amazon - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting SAML 2.0 federation with Amazon

Use the information here to help you diagnose and fix issues that you might encounter when working with SAML 2.0 and federation with IAM.

Error: Your request included an invalid SAML response. To logout, click here.

This error can occur when the SAML response from the identity provider does not include an attribute with the Name set to http://www.amazonaws.cn/SAML/Attributes/Role. The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings:

  • The ARN of a role that the user can be mapped to

  • The ARN of the SAML provider

For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in How to view a SAML response in your browser for troubleshooting.

Error: RoleSessionName is required in AuthnResponse (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

This error can occur when the SAML response from the identity provider does not include an attribute with the Name set to http://www.amazonaws.cn/SAML/Attributes/RoleSessionName. The attribute value is an identifier for the user and is typically a user ID or an email address.

For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in How to view a SAML response in your browser for troubleshooting.

Error: Not authorized to perform sts:AssumeRoleWithSAML (service: AWSSecurityTokenService; status code: 403; error code: AccessDenied)

This error can occur if the IAM role specified in the SAML response is misspelled or does not exist. Make sure to use the exact name of your role, because role names are case sensitive. Correct the name of the role in the SAML service provider configuration.

You are allowed access only if your role trust policy includes the sts:AssumeRoleWithSAML action. If your SAML assertion is configured to use the PrincipalTag attribute, your trust policy must also include the sts:TagSession action. For more information about session tags, see Passing session tags in Amazon STS.

This error can occur if you do not have sts:SetSourceIdentity permissions in your role trust policy. If your SAML assertion is configured to use the SourceIdentity attribute, then your trust policy must also include the sts:SetSourceIdentity action. For more information about source identity, see Monitor and control actions taken with assumed roles.

This error can also occur if the federated users do not have permissions to assume the role. The role must have a trust policy that specifies the ARN of the IAM SAML identity provider as the Principal. The role also contains conditions that control which users can assume the role. Ensure that your users meet the requirements of the conditions.

This error can also occur if the SAML response does not include a Subject containing a NameID.

For more information, see Establish Permissions in Amazon for Federated Users and Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in How to view a SAML response in your browser for troubleshooting.

Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,64} (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

This error can occur if the RoleSessionName attribute value is too long or contains invalid characters. The maximum valid length is 64 characters.

For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in How to view a SAML response in your browser for troubleshooting.

Error: Source Identity must match [a-zA-Z_0-9+=,.@-]{2,64} and not begin with "aws:" (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

This error can occur if the sourceIdentity attribute value is too long or contains invalid characters. The maximum valid length is 64 characters. For more information about source identity, see Monitor and control actions taken with assumed roles.

For more information about creating SAML assertions, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in How to view a SAML response in your browser for troubleshooting.

Error: Response signature invalid (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)

This error can occur when federation metadata of the identity provider does not match the metadata of the IAM identity provider. For example, the metadata file for the identity service provider might have changed to update an expired certificate. Download the updated SAML metadata file from your identity service provider. Then update it in the Amazon identity provider entity that you define in IAM with the aws iam update-saml-provider cross-platform CLI command or the Update-IAMSAMLProvider PowerShell cmdlet.

Error: Failed to assume role: Issuer not present in specified provider (service: AWSOpenIdDiscoveryService; status code: 400; error code: AuthSamlInvalidSamlResponseException)

This error can occur if the issuer in the SAML response does not match the issuer declared in the federation metadata file. The metadata file was uploaded to Amazon when you created the identity provider in IAM.

Error: Could not parse metadata.

This error can occur if you do not format your metadata file properly.

When you create or manage a SAML identity provider in the Amazon Web Services Management Console, you must retrieve the SAML metadata document from your identity provider.

This metadata file includes the issuer name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) received from the IdP. The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.

The x.509 certificate included as part of the SAML metadata document must use a key size of at least 1024 bits. Also, the x.509 certificate must also be free of any repeated extensions. You can use extensions, but the extensions can only appear once in the certificate. If the x.509 certificate does not meet either condition, IdP creation fails and returns an "Unable to parse metadata" error.

As defined by the SAML V2.0 Metadata Interoperability Profile Version 1.0, IAM neither evaluates nor takes action regarding the expiration of the metadata document’s X.509 certificate.

Error: Specified provider doesn't exist.

This error can occur if the name of the provider that you specify in the SAML assertion does not match the name of the provider configured in IAM. For more information about viewing the provider name, see Create a SAML identity provider in IAM.

Error: Requested DurationSeconds exceeds MaxSessionDuration set for this role.

This error can occur if you assume a role from the Amazon CLI or API.

When you use the assume-role-with-saml CLI or AssumeRoleWithSAML API operations to assume a role, you can specify a value for the DurationSeconds parameter. You can specify a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the maximum session duration setting for a role.

Error: Response does not contain the required audience.

This error can occur if there is a mismatch between the audience URL and the identity provider in the SAML configuration. Make sure that your identity provider (IdP) relying party identifier exactly matches the audience URL (entity ID) provided in the SAML configuration.