Okta AWS login gives: Your request included an invalid SAML response. Skip to main content
https://support.okta.com/help/answers?id=9062a000000quz1qak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Rehan van ZylRehan van Zyl 

Okta AWS login gives: Your request included an invalid SAML response.

Hi,

I've used the "Amazon Web Services" Okta OAN to set up SAML 2.0 SSO. I've followed http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html to configure the app. When trying to login through Okta I get the following error on an AWS page: Your request included an invalid SAML response. To logout, click here

I've also followed AWS's doc http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_invalid-response to view the SAML response sent from Okta. On further investigation (and Base64 deconding the SAML response) I've found that the Role attribute is empty: <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />

There is no AttributeValue for the Role as can be seen from the above. I have chosen valid AWS SAML roles for the user when assigning the application through Okta:

User-added image

I cannot figure out why the Role attribute is empty, any suggestions?

Thanks
Marshall DeanMarshall Dean

What do you mean by the role attribute is empty? Your screenshot shows 4 roles that this user should be able to assume.
I just went through all this, it was a pain to setup, but makes alot of sense after I finally got it all working.

Just to confirm in Okta:

  • Idenity Provider ARN is listed ~ arn:aws:iam::XXXXXXXXX:saml-provider/OktaIDP (XXXXXX being your account number)
  • Provisioning is enabled with the access key and secret key of the OktaSSO User
  • Create users provisioning feature is enabled

In AWS:

  • OktaIDP is setup with the metadata file in the identity providers section
  • The Okta Policy that includes the iam rules needed is set and attached to the OktaSSO User

Just to check as well what is the exact iam access you have set for the OktaUser? (I expect it might be policy permissions)

Rehan van ZylRehan van Zyl
Thanks, but my issue was solved. The version of the AWS OAN we were running had a bug. Support rolled my version back and it all worked.