How can I capture and analyze the SAML response to troubleshoot common errors with SAML 2.0 federation with AWS?
Last updated: 2021-03-22
I'm using on-premises Active Directory with SAML integration, but I can't connect to the AWS Management Console. How do I troubleshoot this issue?
If you're using SAML federation, be sure that you've correctly configured Active Directory. For more information, see AWS federated authentication with Active Directory Federation Services (AD FS).
If you're setting up federated access to your AWS accounts for the first time, it's a best practice to use the AWS IAM Identity Center (successor to AWS Single Sign-On) service to provide centrally managed IAM Identity Center access to multiple AWS accounts.
To troubleshoot SAML-related errors:
- Capture and decode a SAML response from the browser.
- Review the values in the decoded file.
- Check for errors, and then confirm the configuration.
Capture and decode a SAML response
Capture and decode a SAML response from the browser, and then review the information sent to AWS. For browser-specific instructions, see How to view a SAML response in your browser for troubleshooting.
Review the values in the decoded file
Review the values in the decoded SAML response file:
- Verify that the value for the saml:NameID attribute matches the user name for the authenticated user.
- Review the value for https://aws.amazon.com/SAML/Attributes/Role. The Amazon Resource Names (ARNs) for the role and SAML provider are case-sensitive, and the ARNs must match the resources in your AWS account.
- Review the value for https://aws.amazon.com/SAML/Attributes/RoleSessionName. Be sure that the value matches the value configured in the claim rule. If you configure the attribute value to be an email address or an account name, the value must correspond to the email address or account name of the authenticated Active Directory user.
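The checks above can be scripted once the SAMLResponse form field has been captured from the browser. The following is an added example, not AWS's code or tooling: it base64-decodes the captured response, pulls out saml:NameID, the Role attribute and the RoleSessionName attribute, and flags the mismatches this article describes (NameID not matching the user, role and provider ARNs in different accounts, a provider ARN that differs from the one registered in IAM only by case, a missing or multi-valued RoleSessionName). The embedded assertion is constructed for the example (unsigned, placeholder account IDs and names), and the expected user name and provider ARN passed to review() are assumptions you would replace with your own values.

```python
"""Decode a captured SAML response and review the attributes AWS federation relies on.

Added example (not AWS's code). Standard library only; run it as a script or import review().
"""
import base64
import re
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Role names may also contain commas in IAM, but a comma is the pair separator here,
# so this example deliberately excludes it from the role-name character class.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample assertion (unsigned, placeholder values). A real response is signed
# and considerably larger; the second Role value is deliberately wrong for the demo.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ADFS-Admins,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/adfs,arn:aws:iam::222222222222:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser sends the response base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse value captured from the browser into XML text."""
    return base64.b64decode(b64_response).decode("utf-8")


def extract_values(xml_text: str) -> dict:
    """Return NameID plus the list of values carried by each AWS attribute."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    values = {"NameID": name_id.text if name_id is not None else None,
              ROLE_ATTR: [], SESSION_ATTR: []}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in (ROLE_ATTR, SESSION_ATTR):
            values[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return values


def check_role_pair(value: str, provider_arn: str) -> list:
    """Validate one Role value: 'role-arn,provider-arn' (either order), compared case-sensitively."""
    findings = []
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return [f"Role value is not a role/provider ARN pair: {value!r}"]
    role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    if role is None:
        findings.append(f"No well-formed role ARN in {value!r}")
    if provider is None:
        findings.append(f"No well-formed SAML provider ARN in {value!r}")
    if role and provider:
        if ROLE_ARN_RE.match(role).group(1) != PROVIDER_ARN_RE.match(provider).group(1):
            findings.append(f"Role and provider ARNs are in different accounts: {value!r}")
        if provider != provider_arn:
            findings.append(f"Provider ARN {provider!r} does not exactly match "
                            f"{provider_arn!r} (ARNs are case-sensitive)")
    return findings


def review(b64_response: str, expected_user: str, provider_arn: str) -> list:
    """Apply the article's checks; an empty list means nothing was flagged."""
    values = extract_values(decode_saml_response(b64_response))
    findings = []
    if values["NameID"] != expected_user:
        findings.append(f"NameID {values['NameID']!r} does not match authenticated user {expected_user!r}")
    if not values[ROLE_ATTR]:
        findings.append("Role attribute is missing from the assertion")
    for v in values[ROLE_ATTR]:
        findings.extend(check_role_pair(v, provider_arn))
    if len(values[SESSION_ATTR]) != 1 or not values[SESSION_ATTR][0]:
        findings.append("RoleSessionName must carry exactly one non-empty value")
    return findings


if __name__ == "__main__":
    # Assumed inputs: the authenticated AD user and the provider ARN registered in IAM.
    for finding in review(SAMPLE_B64, "jdoe", "arn:aws:iam::111111111111:saml-provider/ADFS"):
        print("-", finding)
```

Paste the SAMLResponse value you captured in place of SAMPLE_B64 and pass your own user name and provider ARN to review(); the script reports only what it can see in the assertion, so a clean run still leaves the trust policy, metadata and group membership checks in the next section to be confirmed by hand.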
Check for errors and confirm the configuration
Check for errors with any of these values, and confirm that the following configurations are correct:
- Confirm that the claim rules are configured to meet the required elements and that all ARNs are accurate. For more information, see Configuring your SAML 2.0 IdP with relying party trust and adding claims.
- Confirm that you uploaded the latest metadata file from your IdP into AWS in your SAML provider. For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console.
- Confirm that you have the AWS Identity and Access Management (IAM) role's trust policy configured correctly. For more information, see Modifying a role.
- Confirm that the Active Directory user attempting to log in to the console is a member of the Active Directory group that corresponds to the IAM role.
For a list of common errors, see Troubleshooting SAML 2.0 federation with AWS. If you're configuring claim rules in Active Directory, be sure to configure SAML assertions for the authentication responses to identify the key attributes and values that AWS requires.