Menu
AWS Identity and Access Management
User Guide

Troubleshooting SAML 2.0 Federation with AWS

Use the information here to help you diagnose and fix issues that you might encounter when working with SAML 2.0 and federation with IAM.

Error: Your request included an invalid SAML response. To logout, click here.

This error can occur when the SAML response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/Role. The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings:

  • The ARN of a role that the user can be mapped to

  • The ARN of the SAML provider

For more information, see Configuring SAML Assertions for the Authentication Response. To view the SAML response in your browser, follow the steps listed in How to View a SAML Response in Your Browser for Troubleshooting.

Error: RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

This error can occur when the SAML response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/RoleSessionName. The attribute value is an identifier for the user and is typically a user ID or an email address.

For more information, see Configuring SAML Assertions for the Authentication Response. To view the SAML response in your browser, follow the steps listed in How to View a SAML Response in Your Browser for Troubleshooting.

Error: Not authorized to perform sts:AssumeRoleWithSAML (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)

This error can occur if the IAM role specified in the SAML response is misspelled or does not exist. Correct the name of the role in the SAML service provider configuration.

This error can also occur if the federated users do not have permissions to assume the role. The role must have a trust policy that specifies the ARN of the IAM SAML identity provider as the Principal. The role also contains conditions that control which users can assume the role. Ensure that your users meet the requirements of the conditions.

This error can also occur if the SAML response does not include a Subject containing a NameID.

For more information see Establish Permissions in AWS for Federated Users and Configuring SAML Assertions for the Authentication Response. To view the SAML response in your browser, follow the steps listed in How to View a SAML Response in Your Browser for Troubleshooting.

Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,64} (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

This error can occur if the RoleSessionName attribute value is too long or contains invalid characters. The maximum valid length is 64 characters.

For more information, see Configuring SAML Assertions for the Authentication Response. To view the SAML response in your browser, follow the steps listed in How to View a SAML Response in Your Browser for Troubleshooting.

Error: Response signature invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

This error can occur when federation metadata of the identity provider does not match the metadata of the IAM identity provider. For example, the metadata file for the identity service provider might have changed to update an expired certificate. Download the updated SAML metadata file from your identity service provider. Then update it in the AWS identity provider entity that you define in IAM with the aws iam update-saml-provider cross-platform CLI command or the Update-IAMSAMLProvider PowerShell cmdlet.

Error: Failed to assume role: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException)

This error can occur if the issuer in the SAML response does not match the issuer declared in the federation metadata file uploaded to AWS when you created the identity provider in IAM.