Troubleshoot SAML federation with IAM
Use the information here to help you diagnose and fix issues that you might encounter when working with SAML 2.0 and federation with AWS Identity and Access Management.
Topics
- Error: Your request included an invalid SAML response. To logout, click here.
- Error: RoleSessionName is required in AuthnResponse (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
- Error: Not authorized to perform sts:AssumeRoleWithSAML (service: AWSSecurityTokenService; status code: 403; error code: AccessDenied)
- Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,64} (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
- Error: Source Identity must match [a-zA-Z_0-9+=,.@-]{2,64} and not begin with "aws:" (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
- Error: Response signature invalid (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
- Error: Invalid private key.
- Error: Failed to remove private key.
- Error: Failed to remove private key because the Key ID does not match a private key.
- Error: Failed to assume role: Issuer not present in specified provider (service: AWSOpenIdDiscoveryService; status code: 400; error code: AuthSamlInvalidSamlResponseException)
- Error: Could not parse metadata.
- Error: Unable to update identity provider. No updates are defined for metadata or encryption assertion.
- Error: Unable to set assertion encryption mode to Required because no private key is provided.
- Error: Unable to add and remove private keys in the same request. Set a value for only one of the two parameters.
- Error: Specified provider doesn't exist.
- Error: Requested DurationSeconds exceeds MaxSessionDuration set for this role.
- Error: Private key limit of 2 is reached.
- Error: Response does not contain the required audience.
Error: Your request included an invalid SAML response. To logout, click here.
This error can occur when the SAML response from the identity provider does not include an
attribute with the Name
set to https://aws.amazon.com/SAML/Attributes/Role
.
The attribute must contain one or more AttributeValue
elements, each containing a
comma-separated pair of strings:
-
The ARN of a role that the user can be mapped to
-
The ARN of the SAML provider
For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in View a SAML response in your browser.
Error: RoleSessionName is required in AuthnResponse (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
This error can occur when the SAML response from the identity provider does not include an
attribute with the Name
set to
https://aws.amazon.com/SAML/Attributes/RoleSessionName
. The attribute value is an
identifier for the user and is typically a user ID or an email address.
For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in View a SAML response in your browser.
Error: Not authorized to perform sts:AssumeRoleWithSAML (service: AWSSecurityTokenService; status code: 403; error code: AccessDenied)
This error can occur if the IAM role specified in the SAML response is misspelled or does not exist. Make sure to use the exact name of your role, because role names are case sensitive. Correct the name of the role in the SAML service provider configuration.
You are allowed access only if your role trust policy includes the
sts:AssumeRoleWithSAML
action. If your SAML assertion is configured to use the
PrincipalTag attribute, your
trust policy must also include the sts:TagSession
action. For more information
about session tags, see Pass session tags in AWS STS.
This error can occur if you do not have sts:SetSourceIdentity
permissions in
your role trust policy. If your SAML assertion is configured to use the SourceIdentity attribute, then your trust
policy must also include the sts:SetSourceIdentity
action. For more information
about source identity, see Monitor and control actions
taken with assumed roles.
This error can also occur if the federated users do not have permissions to assume the
role. The role must have a trust policy that specifies the ARN of the IAM SAML identity
provider as the Principal
. The role also contains conditions that control which
users can assume the role. Ensure that your users meet the requirements of the
conditions.
This error can also occur if the SAML response does not include a Subject
containing a NameID
.
For more information, see Establish Permissions in AWS for Federated Users and Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in View a SAML response in your browser.
Error: RoleSessionName in AuthnResponse must match [a-zA-Z_0-9+=,.@-]{2,64} (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
This error can occur if the RoleSessionName
attribute value is too long or
contains invalid characters. The maximum valid length is 64 characters.
For more information, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in View a SAML response in your browser.
Error: Source Identity must match
[a-zA-Z_0-9+=,.@-]{2,64} and not begin with "aws:"
(service:
AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
This error can occur if the sourceIdentity
attribute value is too long or
contains invalid characters. The maximum valid length is 64 characters. For more information
about source identity, see Monitor and control actions
taken with assumed roles.
For more information about creating SAML assertions, see Configure SAML assertions for the authentication response. To view the SAML response in your browser, follow the steps listed in View a SAML response in your browser.
Error: Response signature invalid (service: AWSSecurityTokenService; status code: 400; error code: InvalidIdentityToken)
This error can occur when federation metadata of the identity provider does not match the
metadata of the IAM identity provider. For example, the metadata file for the identity
service provider might have changed to update an expired certificate. Download the updated
SAML metadata file from your identity service provider. Then update it in the AWS identity
provider entity that you define in IAM with the aws iam update-saml-provider
cross-platform CLI command or the Update-IAMSAMLProvider
PowerShell
cmdlet.
Error: Invalid private key.
This error can occur if you do not format your private key file properly. This error may provide additional detail about why the private key is invalid:
-
Key is encrypted.
-
Key format is not recognized. Private key file must be a .pem file.
When you Create a SAML identity provider in IAM in the AWS Management Console, you must download the private key from your identity provider to provide to IAM to enable encryption. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.
Error: Failed to remove private key.
This error can occur when SAML encryption is set to Required, and your request would remove the only private decryption key for the IAM SAML provider. For more information about rotating private keys, see Manage SAML encryption keys.
Error: Failed to remove private key because the Key ID does not match a private key.
This error can occur if the keyId
value for the private key does not match
either Key ID for the identity provider's private key files.
When you use update-saml-providerRemovePrivateKey
must be a valid Key ID for a private key attached to your identity provider.
Error: Failed to assume role: Issuer not present in specified provider (service: AWSOpenIdDiscoveryService; status code: 400; error code: AuthSamlInvalidSamlResponseException)
This error can occur if the issuer in the SAML response does not match the issuer declared in the federation metadata file. The metadata file was uploaded to AWS when you created the identity provider in IAM.
Error: Could not parse metadata.
This error can occur if you do not format your metadata file properly.
When you create or manage a SAML identity provider in the AWS Management Console, you must retrieve the SAML metadata document from your identity provider.
This metadata file includes the issuer name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) received from the IdP. The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.
The X.509 certificate included as part of the SAML metadata document must use a key size of at least 1024 bits. Also, the X.509 certificate must also be free of any repeated extensions. You can use extensions, but the extensions can only appear once in the certificate. If the X.509 certificate does not meet either condition, IdP creation fails and returns an "Unable to parse metadata" error.
As defined by the SAML
V2.0 Metadata Interoperability Profile Version 1.0
Error: Unable to update identity provider. No updates are defined for metadata or encryption assertion.
This error can occur if you use the update-saml-provider
CLI or
UpdateSAMLProvider
API operations, but don’t provide update values in your
request parameters. For more information on updating your IAM SAML provider, see Create a SAML identity provider in
IAM.
Error: Unable to set assertion encryption mode to Required because no private key is provided.
This error can occur when you haven’t previously uploaded a private decryption key and you attempt to set SAML encryption to Required without including a private key in your request.
Make sure that a private key is defined for your IAM SAML provider when using
create-saml-provider
CLI, CreateSAMLProvider
API,
update-saml-provider
CLI, or UpdateSAMLProvider
API operations to
require encrypted SAML assertions.
Error: Unable to add and remove private keys in the same request. Set a value for only one of the two parameters.
This error can occur if both add and remove private key values are included in the same request.
When you use update-saml-provider
Error: Specified provider doesn't exist.
This error can occur if the name of the provider in the SAML assertion does not match the name of the provider in IAM. For more information about viewing the provider name, see Create a SAML identity provider in IAM.
Error: Requested DurationSeconds exceeds MaxSessionDuration set for this role.
This error can occur if you assume a role from the AWS CLI or API.
When you use the assume-role-with-saml CLI or AssumeRoleWithSAML API operations to assume a role, you can specify a value for the
DurationSeconds
parameter. You can specify a value from 900 seconds (15
minutes) up to the maximum session duration setting for the role. If you specify a value
higher than this setting, the operation fails. For example, if you specify a session duration
of 12 hours, but your administrator set the maximum session duration to 6 hours, your
operation fails. To learn how to view the maximum value for your role, see Update the maximum session duration
for a role.
Error: Private key limit of 2 is reached.
This error can occur if you try to add a private key to your identity provider.
You can save up to two private keys for each identity provider. When you use update-saml-provider
Remove private keys that have expired before adding a new private key. For more information about rotating private keys, see Manage SAML encryption keys.
Error: Response does not contain the required audience.
This error can occur if there is a mismatch between the audience URL and the identity provider in the SAML configuration. Make sure that your identity provider (IdP) relying party identifier exactly matches the audience URL (entity ID) provided in the SAML configuration.