Ashwin helps you access the AWS console from an on-premise AD using SAML

I'm using on-premises Active Directory with SAML integration, but I can't connect to the AWS Management Console. How do I troubleshoot this issue?

If you're using SAML federation, first be sure that you've correctly configured Active Directory. For more information, see Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0.

If you're setting up federated access to your AWS accounts for the first time, we recommend using AWS Single Sign-On (AWS SSO) to provide centrally managed SSO access to multiple AWS accounts instead of building the SAML integration yourself.

To troubleshoot SAML-related errors:

  • Capture and decode a SAML response from the browser.
  • Review the values in the decoded file.
  • Check for errors and confirm the configuration.

Capture and decode a SAML response

Capture and decode a SAML response from the browser, so you can review the information that is sent to AWS. For browser-specific instructions, see How to View a SAML Response in Your Browser for Troubleshooting.

Review the values in the decoded file

Review the values in the decoded SAML response file:

  1. Verify that the value of the saml:NameID element (inside saml:Subject) matches the user name of the authenticated user.
  2. Review the value for https://aws.amazon.com/SAML/Attributes/Role. Each value is a comma-separated pair of a role ARN and a SAML provider ARN. Both ARNs are case-sensitive and must match the resources in your AWS account exactly; a role named ADFS-Admins is not matched by adfs-admins.
  3. Review the value for https://aws.amazon.com/SAML/Attributes/RoleSessionName. Be sure that the value is the one produced by the claim rule that you created. If you configured the claim rule to emit an email address or an account name, the value must be the email address or account name of the authenticated Active Directory user, and it must satisfy the RoleSessionName constraints of sts:AssumeRoleWithSAML (2 to 64 characters from the set [\w+=,.@-]).
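As an added example (this script is not part of the original page or of any AWS tool), the following Python code performs the three review steps above on a SAMLResponse value copied from the browser: it base64-decodes the response, extracts NameID, Role and RoleSessionName from the assertion, and flags a missing attribute, a malformed ARN pair, an ARN that is absent from the account, an ARN that differs from a known one only by case, and a RoleSessionName that violates the length and character rule. The embedded response, the account ID 123456789012, the role and provider names and the user EXAMPLE\jdoe are constructed for the example; the sets of "known" ARNs stand in for what you would copy out of the IAM console.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")
# sts:AssumeRoleWithSAML accepts a RoleSessionName of 2-64 characters from this set.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def decode_saml_response(b64_response: str) -> ET.Element:
    """Decode the base64 SAMLResponse form field (as copied from the browser) into XML."""
    return ET.fromstring(base64.b64decode(b64_response))


def extract_claims(root: ET.Element) -> dict:
    """Pull the NameID and the two AWS attributes out of the assertion."""
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "roles": attrs.get(ROLE_ATTR, []),
        "role_session_name": (attrs.get(SESSION_ATTR) or [None])[0],
    }


def _check_arn(arn, pattern, known, kind):
    """Flag a malformed ARN, an unknown ARN, or one that differs from a known ARN only by case."""
    if not pattern.match(arn):
        return [f"malformed {kind} ARN {arn!r}"]
    if arn in known:
        return []
    if arn.lower() in {k.lower() for k in known}:
        return [f"{kind} ARN {arn!r} differs only in case from the ARN in the account (ARNs are case-sensitive)"]
    return [f"{kind} ARN {arn!r} does not exist in the account"]


def check_claims(claims, expected_user, known_roles, known_providers):
    """Return a list of findings; an empty list means the assertion passes every check."""
    findings = []
    if claims["name_id"] != expected_user:
        findings.append(f"NameID {claims['name_id']!r} does not match {expected_user!r}")
    if not claims["roles"]:
        findings.append(f"attribute {ROLE_ATTR} is missing")
    for value in claims["roles"]:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            findings.append(f"Role value {value!r} is not a 'role-arn,provider-arn' pair")
            continue
        # The documented form is role ARN first; this check also tolerates the reverse order.
        role_arn, provider_arn = sorted(parts, key=lambda a: ":saml-provider/" in a)
        findings += _check_arn(role_arn, ROLE_ARN, known_roles, "role")
        findings += _check_arn(provider_arn, PROVIDER_ARN, known_providers, "SAML provider")
    session = claims["role_session_name"]
    if session is None:
        findings.append(f"attribute {SESSION_ATTR} is missing")
    elif not SESSION_NAME.match(session):
        findings.append(f"RoleSessionName {session!r} violates the 2-64 character rule")
    return findings


# Constructed sample: a minimal AD FS-style response, base64-encoded the way the browser's
# SAMLResponse form field carries it. The account ID, names and user are made up.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2018-06-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-01T00:00:00Z">
    <saml:Subject><saml:NameID>EXAMPLE\\jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admins,arn:aws:iam::123456789012:saml-provider/adfs</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


def run_sample():
    """Check the constructed response against the ARNs that 'exist' in the account."""
    claims = extract_claims(decode_saml_response(SAMPLE_RESPONSE))
    return check_claims(
        claims,
        expected_user="EXAMPLE\\jdoe",
        known_roles={"arn:aws:iam::123456789012:role/ADFS-Admins"},
        known_providers={"arn:aws:iam::123456789012:saml-provider/ADFS"},
    )


if __name__ == "__main__":
    for finding in run_sample() or ["no problems found"]:
        print(finding)
```

Run against the constructed response, the script reports exactly one finding: the SAML provider ARN in the assertion (saml-provider/adfs) differs only in case from the provider registered in the account (saml-provider/ADFS), which is the kind of mismatch that causes the console sign-in to fail even though the assertion otherwise looks correct. To use it on a real capture, paste the SAMLResponse value from the browser into SAMPLE_RESPONSE and fill the known sets from the IAM console.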

Check for errors and confirm the configuration

If any of these values is wrong, correct it on the IdP side, and then confirm that the following configuration is in place:

  1. Confirm that the claim rules are configured to meet the required elements and that all ARNs are accurate. For more information, see Configuring your SAML 2.0 IdP with Relying Party Trust and Adding Claims.
  2. Confirm that you uploaded the latest metadata file from your IdP into AWS in your SAML provider. For more information, see Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
  3. Confirm that the IAM role's trust policy is configured correctly: the SAML provider ARN must be the federated principal, the allowed action must be sts:AssumeRoleWithSAML, and the SAML:aud condition, if present, must be https://signin.aws.amazon.com/saml for console access. For more information, see Modifying a Role.
  4. Confirm that the Active Directory user trying to log in to the console is a member of the Active Directory group that corresponds to the IAM role.
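The following Python function, added here as an example and not part of the original page, checks item 3 above: it parses a role trust policy document and reports when no Allow statement lets the expected SAML provider call sts:AssumeRoleWithSAML, when the federated principal differs from the provider ARN only by case, and when the SAML:aud condition is missing or names a different audience. The two policy documents, the account ID 123456789012 and the provider name ADFS are constructed for the example.

```python
import json

# Audience that the AWS console sign-in endpoint sets in the SAML request.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM allows a single string or a list in Principal, Action and Statement."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str, provider_arn: str) -> list:
    """Return findings for a SAML role trust policy; an empty list means it looks right."""
    policy = json.loads(policy_json)
    findings = []
    exact_match = near_match = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if provider_arn in federated:
            exact_match = True
        elif any(f.lower() == provider_arn.lower() for f in federated):
            near_match = True
            findings.append(f"Principal.Federated differs from {provider_arn!r} only by case (ARNs are case-sensitive)")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None:
            findings.append("statement has no StringEquals SAML:aud condition")
        elif aud != SAML_AUDIENCE:
            findings.append(f"SAML:aud is {aud!r}, expected {SAML_AUDIENCE!r}")
    if not exact_match and not near_match:
        findings.append(f"no Allow statement lets {provider_arn!r} call sts:AssumeRoleWithSAML")
    return findings


# Constructed examples. PROVIDER_ARN is what the IAM console shows for the SAML provider.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ADFS"

# Broken: the provider name was typed in lower case and the audience condition was dropped.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/adfs"},
        "Action": "sts:AssumeRoleWithSAML",
    }],
})

# Corrected: exact provider ARN, the SAML action, and the console audience condition.
CORRECT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
    }],
})


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("correct", CORRECT_POLICY)):
        print(name, check_trust_policy(policy, PROVIDER_ARN) or "ok")
```

To check a live role, pass the output of aws iam get-role (the AssumeRolePolicyDocument field, URL-decoded) as policy_json and the provider ARN from the IAM console as provider_arn.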

For a list of common errors, see Troubleshooting SAML 2.0 Federation with AWS. If you are configuring claim rules in Active Directory, be sure to Configure SAML Assertions for the Authentication Responses to identify the key attributes and values that AWS requires.



Published: 2018-06-01