AWS Trust Relationship Policy Requires Manual Update when Using a Custom ACS URL for SAML SSO
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article provides guidance on configuring the Amazon Web Services (AWS) trust relationship policy when a custom Assertion Consumer Service (ACS) URL is used in Okta for Security Assertion Markup Language (SAML) Single Sign-On (SSO). When an administrator specifies a custom value in the ACS URL field within the Okta application, the AWS trust relationship policy must be manually updated to reflect this value.

Applies To
  • AWS Account Federation
  • SAML SSO
Cause

The standard AWS account federation setup instructions provide a default trust relationship policy where the SAML:aud value is set to https://signin.aws.amazon.com/saml. This value represents the SAML audience. If an administrator enters a custom URL in the ACS URL (optional & only relevant to SAML SSO) field on the Sign On tab of the Okta application, that URL becomes the new expected audience. The trust policy on the AWS side is not automatically updated and must be manually changed to match the custom ACS URL to ensure the federation works correctly.

Solution

To resolve this configuration mismatch, update the trust relationship policy in the AWS account to use the custom ACS URL as the SAML:aud value.

  1. In the AWS Management Console, navigate to the Identity and Access Management (IAM) service and locate the role created for the SAML federation.
  2. Select the Trust relationships tab and then select the Edit trust policy button.
  3. In the policy document, find the Condition block.
  4. Modify the SAML:aud value to match the exact URL provided in the ACS URL (optional & only relevant to SAML SSO) field in the Okta application.
    • For example, the default policy is:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
              "StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml"
              }
            }
          }
        ]
      }
    • If a custom ACS URL is configured in Okta, the policy must be updated as follows:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
              "StringEquals": {
                "SAML:aud": "<ACS URL value>"
              }
            }
          }
        ]
      }
  5. Select the Update policy button to save the changes.
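As an added example that is not part of this article and not Okta's or AWS's own tooling, the following Python script checks a role's trust policy JSON against the ACS URL configured in Okta and produces the corrected policy. The policy below is a constructed sample that keeps the article's placeholder ARN, and the custom ACS URL is an assumed value.

```python
import copy
import json

# Constructed sample trust policy (not taken from any real account); the
# Federated ARN is the same placeholder the article uses.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": "<COPY & PASTE SAML ARN VALUE HERE>"},
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  ]
}
""")

def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and condition values."""
    return value if isinstance(value, list) else [value]

def find_aud_mismatches(policy, expected_acs_url):
    """Return one message per AssumeRoleWithSAML statement whose SAML:aud
    condition does not equal the ACS URL configured in the Okta app."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        auds = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud", []))
        if not auds:
            problems.append(f"Statement {i}: no SAML:aud condition, audience is not restricted")
        elif auds != [expected_acs_url]:
            problems.append(f"Statement {i}: SAML:aud {auds} does not match {expected_acs_url!r}")
    return problems

def set_saml_aud(policy, acs_url):
    """Return a copy of the policy with SAML:aud set to acs_url on every
    AssumeRoleWithSAML statement; the input policy is left unchanged."""
    updated = copy.deepcopy(policy)
    for stmt in _as_list(updated.get("Statement", [])):
        if "sts:AssumeRoleWithSAML" in _as_list(stmt.get("Action", [])):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["SAML:aud"] = acs_url
    return updated

if __name__ == "__main__":
    custom_acs = "https://example.okta.com/custom-acs"  # assumed custom ACS URL
    print(find_aud_mismatches(SAMPLE_TRUST_POLICY, custom_acs))
    print(json.dumps(set_saml_aud(SAMPLE_TRUST_POLICY, custom_acs), indent=2))
```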
