This article outlines the steps to troubleshoot an error encountered while logging into AWS using SAML with AWS IAM and Group Matching in Okta.
Applies to:
- Okta Classic Engine
- Okta Identity Engine (OIE)
The error occurs when the SAML provider name in the Role attribute of the SAML assertion does not match the name of the SAML identity provider configured in AWS IAM.
- In the Admin Console, go to Applications > Applications.
- Enter AWS in the Search field.
- Click AWS Account Federation, then select the Sign On tab.
- Click Edit in the Settings section.
- Under Advanced Sign-on Settings, check that the Role Value Pattern follows the syntax:
arn:aws:iam::${accountid}:saml-provider/[SAML Provider Name],arn:aws:iam::${accountid}:role/${role}
- NOTE: The Role Value Pattern field takes the AWS role and account ID captured within the syntax of the AWS role groups and translates it into the proper syntax AWS requires in the Okta SAML assertion. This enables users to view their accounts and roles when they sign in.
- Replace [SAML Provider Name] with the name of the SAML provider set up in all of the AWS accounts.
- Ensure that the rest of the string is not altered, only copied and pasted.
- Once updated, the configuration should work as expected.
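The following is an added example, not Okta's or AWS's code, showing what the Role Value Pattern above does and how to spot the provider-name mismatch the article describes. It assumes a constructed group-name format (aws#alias#role#accountid), a constructed 12-digit account ID and a constructed IAM provider name (OktaSAML); the real AWS role group syntax is whatever is configured in the Okta app. The assertion snippet is constructed as well.

```python
"""Render Okta's Role Value Pattern and audit the Role attribute in a SAML assertion.

Added example, not Okta's or AWS's code. Assumptions (not from the article):
  * Okta group names follow the constructed format  aws#<alias>#<role>#<accountid>
  * the IAM SAML provider is named OktaSAML and account IDs are 12 digits
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# The Role Value Pattern from the article with [SAML Provider Name] filled in (assumed name).
ROLE_VALUE_PATTERN = (
    "arn:aws:iam::${accountid}:saml-provider/OktaSAML,"
    "arn:aws:iam::${accountid}:role/${role}"
)

# Constructed group-name format used to capture the role and account ID.
GROUP_RE = re.compile(r"^aws#(?P<alias>[^#]+)#(?P<role>[^#]+)#(?P<accountid>\d{12})$")

# One Role attribute value: "<provider ARN>,<role ARN>"; IAM names exclude the comma separator.
ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::(?P<provider_account>\d{12}):saml-provider/(?P<provider>[\w+=.@-]+),"
    r"arn:aws:iam::(?P<role_account>\d{12}):role/(?P<role>[\w+=,.@-]+)$"
)


def render_role_value(group_name: str, pattern: str = ROLE_VALUE_PATTERN) -> str:
    """Substitute ${accountid} and ${role} from the group name into the pattern."""
    m = GROUP_RE.match(group_name)
    if not m:
        raise ValueError(f"group does not match the AWS role group format: {group_name}")
    return pattern.replace("${accountid}", m["accountid"]).replace("${role}", m["role"])


def check_role_value(value: str, expected_provider: str) -> List[str]:
    """Return the problems AWS would reject this Role value for (empty list if it looks right)."""
    m = ROLE_VALUE_RE.match(value)
    if not m:
        return [f"malformed Role value: {value!r}"]
    problems = []
    if m["provider"] != expected_provider:
        problems.append(
            f"provider {m['provider']!r} does not match IAM provider {expected_provider!r}"
        )
    if m["provider_account"] != m["role_account"]:
        problems.append("provider ARN and role ARN name different accounts")
    return problems


def role_values_from_assertion(xml_text: str) -> List[str]:
    """Extract every AttributeValue of the AWS Role attribute from an assertion."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_ATTR:
            values.extend(
                (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
            )
    return values


def audit_assertion(xml_text: str, expected_provider: str) -> Dict[str, List[str]]:
    """Map each Role value in the assertion to its list of problems."""
    return {v: check_role_value(v, expected_provider) for v in role_values_from_assertion(xml_text)}


# Constructed assertion fragment: the second value carries the wrong provider name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/OktaSAML,arn:aws:iam::111122223333:role/ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::444455556666:saml-provider/Okta-SAML,arn:aws:iam::444455556666:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(render_role_value("aws#prod#ReadOnly#111122223333"))
    for value, problems in audit_assertion(SAMPLE_ASSERTION, "OktaSAML").items():
        print(value, "->", problems or "ok")
```

To use this against a real login, paste the decoded assertion from the browser's SAML trace into SAMPLE_ASSERTION and set expected_provider to the exact name shown under IAM > Identity providers; any value flagged with a provider mismatch is the one the Role Value Pattern needs to be corrected for.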
If other issues occur, refer to the blogs below and follow the steps outlined in them to set up Okta as an Identity Provider in AWS with IAM using Okta Groups instead of Entra ID (formerly Azure AD):
- Okta SAML Integration with AWS IAM Step 1: Obtaining the Metadata
- Okta SAML Integration with AWS IAM Step 2: AWS IAM Identity Provider
- Okta SAML Integration with AWS IAM Step 3: Creating SAML Roles
- Okta SAML Integration with AWS IAM Step 4: Granting Okta Users Access to AWS Roles
If you still cannot log in after following these steps, submit a ticket through the portal for further assistance.
