This article explains the following error, which can occur during the Amazon Web Services (AWS) Account Federation process:
"Response did not contain a valid SAML assertion"
This happens when the size of the Security Assertion Markup Language (SAML) response exceeds a hard limit set by AWS.
- AWS Account Federation
- SAML 2.0 federation
- SAML Response size exceeding 128 KB
The root cause of this error is the AWS hard limit on the size of the SAML response. AWS only accepts a SAMLResponse that is less than 128 KB in size. The limit is typically exceeded when the assertion carries too many group or role attribute values.
Reduce the size of the SAML response to be under the 128 KB limit. Consider one of the following methods:
- Review and potentially consolidate roles across AWS accounts.
- Configure the Identity Provider (IdP) to filter the roles being sent in the SAML assertion. Send only the roles relevant to the user or a necessary subset of roles, instead of sending all possible roles.
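To make the cause and the fix concrete, here is an added Python example (not AWS's or any IdP's code): it decodes a constructed SAMLResponse, extracts the values of the AWS Role attribute (the attribute name is the one AWS documents for role federation), checks the encoded size against the 128 KB limit, and filters the role list down to the accounts a user actually needs, which is the IdP-side filtering described above. The sample assertion is constructed and unsigned; the account IDs, role names and provider name are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

AWS_SAML_LIMIT_BYTES = 128 * 1024  # hard limit on the SAMLResponse described in the article
SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS-documented attribute name


def role_pair(account_id, role_name, provider="ExampleIdP"):
    """Build one AWS Role attribute value: 'role ARN,SAML provider ARN' (placeholder names)."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider}")


def build_sample_response(role_pairs):
    """Construct a minimal, unsigned SAML response carrying the given Role values,
    base64-encoded as it would appear in the SAMLResponse form field (sample data only)."""
    values = "".join(f"<saml:AttributeValue>{rp}</saml:AttributeValue>" for rp in role_pairs)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML2_ASSERTION_NS}"><saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="{ROLE_ATTRIBUTE}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_roles(saml_response_b64):
    """Decode a SAMLResponse value and return every AWS Role attribute value it carries."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter(f"{{{SAML2_ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            roles.extend(value.text for value in attr if value.text)
    return roles


def check_size(saml_response_b64):
    """Return (encoded size in bytes, True if it is under the AWS limit)."""
    size = len(saml_response_b64.encode())
    return size, size < AWS_SAML_LIMIT_BYTES


def filter_roles(role_pairs, allowed_accounts):
    """Keep only role pairs whose role ARN belongs to an allowed account.
    The account ID is the fifth colon-separated field of the role ARN."""
    return [rp for rp in role_pairs if rp.split(":")[4] in allowed_accounts]
```

Run `check_size` on a real SAMLResponse captured from the browser form post to confirm whether the limit is the problem before changing IdP configuration.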
For more information on the size limit, consult the AWS documentation on federated authentication.
