TechQA.

AWS SSO - Your request included an invalid SAML response

7.8k views Asked by At

I'm trying to implement a SAML IdP that perform SSO to AWS Console (IdP initiated SSO).

I'm using Samlify to build the SAMLResponse.

https://samlify.js.org

Samlify is generating the SAMLResponse encoded in Base64.

Then I get this SAMLResponse and URL encode it using SAML Online Tool (https://www.samltool.com/url.php)

Then I make the HTTP POST request using Postman, with the SAMLResponse Base64 URL encoded.

But AWS always return the same error:

Your request included an invalid SAML response. To logout, click here.

I was able to successfully perform SSO to Iamshowcase (SAML Test Service Provider) (https://sptest.iamshowcase.com). However I'm not able to SSO to AWS Console.

Below is the SAMLResponse (Base64 decoded):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id-teste-001" Version="2.0" IssueInstant="2020-10-01T14:56:34.715Z" Destination="https://signin.aws.amazon.com/saml">
    <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f8f8de1b-8e00-4b3b-a3cc-e1e6194daae6" Version="2.0" IssueInstant="2020-10-01T14:56:34.715Z">
        <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_f8f8de1b-8e00-4b3b-a3cc-e1e6194daae6">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>UBvDMLrAcqgjWu/2InE1OG091db+o44ZVxEMBHJ1eMQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
<ds:SignatureValue>R1THFfDoE62157Jn4D/6e9TeJfzlJJ6X+6evVa6k4jkLiwW2VNGfFRY0FYomeWoe8VV+4FUw1hwz3metKL0Mh080UafY4V4/PwRPqy1N3MJOp2V1UVy4SLC7amzw8UA1yTh5UNHC34ct9A7HN4+jP+69RUoAWZng1MXx+5jgS7s=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBhTELMAkGA1UEBhMCdXMx
DTALBgNVBAgMBHRlc3QxDTALBgNVBAoMBHRlc3QxGDAWBgNVBAMMD2lkcC5leGFt
cGxlLmNvbTENMAsGA1UEBwwEdGVzdDENMAsGA1UECwwEdGVzdDEgMB4GCSqGSIb3
DQEJARYRdGVzdGVAZXhhbXBsZS5jb20wHhcNMjAxMDAxMTQyNjE2WhcNMjExMDAx
MTQyNjE2WjCBhTELMAkGA1UEBhMCdXMxDTALBgNVBAgMBHRlc3QxDTALBgNVBAoM
BHRlc3QxGDAWBgNVBAMMD2lkcC5leGFtcGxlLmNvbTENMAsGA1UEBwwEdGVzdDEN
MAsGA1UECwwEdGVzdDEgMB4GCSqGSIb3DQEJARYRdGVzdGVAZXhhbXBsZS5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMihvGtOfE9zViC2Q42YAexYBCRn
IyeLNrjGrb7640Gb63E0Hf+WS1EIIMMd3PtgFZ+Q1ztLoR9y1HJ/sIqv80jwa9k7
5v7q0fUPyJh++w5W0f701G4SCzbOqr3mxGy0BfUBZBuFYa+GCaRLckojSu4fs/6U
djrTg3Z/+BGMW0xbAgMBAAGjUDBOMB0GA1UdDgQWBBRVGU/JBBxfSxwkhxZ4afM0
+9jCzjAfBgNVHSMEGDAWgBRVGU/JBBxfSxwkhxZ4afM0+9jCzjAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBDQUAA4GBACVOb80MpJqAQo1SAIMdaIZzDBJ7H+/VNe2O
3iGNmrtO15mgbAsI5jTGyJZYLsmabB/XfDP5tCeXeyBay4NyhR0mL2klqNXxm1N/
JnE1vHXJNtmnWYJMKoOQkG/UsFm+mL2lCH9QNhLc3o843M9/pliUASKoM5ooCRH9
jxdeicXE</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">[email protected]</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2020-10-01T15:01:34.715Z" Recipient="urn:amazon:webservices"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2020-10-01T14:56:34.715Z" NotOnOrAfter="2020-10-01T15:01:34.715Z">
            <saml:AudienceRestriction>
                <saml:Audience>urn:amazon:webservices</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AttributeStatement>
            <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::999999999999:role/Teste-SAML-Role,arn:aws:iam::999999999999:saml-provider/TestSAMLProvider</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">mynameinsp</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Postman HTTP Code:

POST /saml HTTP/1.1
Host: signin.aws.amazon.com
Content-Type: application/x-www-form-urlencoded
Cookie: aws-ubid-main=641-7565665-7658187

SAMLResponse=PHNhbWxwO.....zcG9uc2U%2B

What's wrong with this SAMLResponse?

amazon-web-services single-sign-on saml saml-2.0 samlify
Original Q&A
1

There are 1 answers

0
Daniel Barral On BEST ANSWER

Here is how I solved:

  • Changed the Recipient of the SubjectConfirmationData from "urn:amazon:webservices" to "https://signin.aws.amazon.com/saml"

         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData NotOnOrAfter="2020-10-08T22:34:05.626Z" Recipient="https://signin.aws.amazon.com/saml"/>
     </saml:SubjectConfirmation>

  • Included an AuthnStatement, that was missing:

      <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
      <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
  </saml:AuthnStatement>

  • Included encoding in the beginning of the XML:

    <?xml version="1.0" encoding="UTF-8"?>

Related Questions in AMAZON-WEB-SERVICES

Related Questions in SINGLE-SIGN-ON

Related Questions in SAML

Related Questions in SAML-2.0

Related Questions in SAMLIFY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions