Invalid SAML Response with AWS Account Federation Application
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When setting up SAML federation with the AWS Account Federation app and logging in with a user, this error may be encountered:

Your request included an invalid SAML response. To logout, click here.

Applies To
  • AWS Account Federation app
  • Security Assertion Markup Language (SAML)
Cause

This is not an exhaustive list. Here are some common causes:

  • Periods are used in the role name.
  • The group filter is incorrect. (CONNECT OKTA TO MULTIPLE AWS INSTANCES VIA USER GROUPS).
  • ARN value under Identity Provider ARN (Required only for SAML SSO) is incorrect.
  • The user assigned to the application does not have a SAML Role assigned.
Solution

Periods are used in the role name

When periods are used in the role name, the value of the attribute statement of the role will not be passed properly.

To resolve this:

  1. Create a new role in AWS that does not include the period character in the role name.
  2. Update the Group in Okta to the new role without the period character in the role name.

    Before: aws#samplealias#sample.role.name#111111111111
    After:  aws#samplealias#sample_role_name#111111111111

NOTE: This example shows the period character replaced with a different character (here, an underscore); it could also simply be removed.
These values are an example only and will need to be changed to a unique desired value.


The group filter is incorrect


When the wrong group filter is used, the value of the attribute statement of the role will not be passed properly. (See CONNECT OKTA TO MULTIPLE AWS INSTANCES VIA USER GROUPS.)

To resolve this:

  • For configurations that are connecting to multiple AWS instances via user groups, use the following group filter:

    ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$
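
The following Python check is an added illustration, not part of this article: it runs the group filter above over candidate Okta group names, with Okta's {{role}} and {{accountid}} placeholders rewritten as Python named groups, and reports which cause from this article a non-matching name corresponds to. The provider ARN and the group names are constructed sample values.

```python
import re
from typing import Optional

# The article's group filter. Okta's {{role}} / {{accountid}} placeholders are
# written here as Python named groups; the rest of the pattern is unchanged.
OKTA_GROUP_FILTER = r"^aws\#\S+\#(?P<role>[\w\-]+)\#(?P<accountid>\d+)$"

# Constructed placeholder for the Identity Provider ARN copied from AWS (step 1.7).
PROVIDER_ARN = "arn:aws:iam::111111111111:saml-provider/EXAMPLE-OKTA-PROVIDER"


def parse_aws_group(group_name: str) -> Optional[dict]:
    """Return {'role': ..., 'accountid': ...} when the group name matches the
    filter, else None (no role value would reach the SAML assertion)."""
    m = re.match(OKTA_GROUP_FILTER, group_name)
    return m.groupdict() if m else None


def role_attribute_value(group_name: str, provider_arn: str) -> Optional[str]:
    """Build the '<role ARN>,<provider ARN>' pair that AWS expects in the
    https://aws.amazon.com/SAML/Attributes/Role attribute, or None if the
    group name does not pass the filter."""
    parsed = parse_aws_group(group_name)
    if parsed is None:
        return None
    role_arn = f"arn:aws:iam::{parsed['accountid']}:role/{parsed['role']}"
    return f"{role_arn},{provider_arn}"


def diagnose(group_name: str) -> str:
    """Map a non-matching group name to the likely cause from the article."""
    if parse_aws_group(group_name) is not None:
        return "ok"
    parts = group_name.split("#")
    if len(parts) != 4 or parts[0] != "aws":
        return "does not follow aws#<alias>#<role>#<accountid>"
    if "." in parts[2]:
        return "role name contains periods"      # [\w\-]+ does not allow '.'
    if not parts[3].isdigit():
        return "account id is not all digits"
    return "role name contains characters outside [A-Za-z0-9_-]"


if __name__ == "__main__":
    # Constructed sample group names: the article's before/after pair plus a malformed one.
    for g in ("aws#samplealias#sample.role.name#111111111111",
              "aws#samplealias#sample_role_name#111111111111",
              "aws-samplealias-role-111111111111"):
        print(f"{g}: {diagnose(g)} -> {role_attribute_value(g, PROVIDER_ARN)}")
```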


ARN value under Identity Provider ARN (Required only for SAML SSO) is incorrect

After creating Okta as an identity provider in AWS, follow Step 1.7 from the AWS Account Federation SAML Setup Instructions to find the correct ARN value. 

  • Locate the newly created Identity Provider in the list of Identity Providers and copy its Provider ARN value. This will be needed later during this configuration.


The user assigned to the application does not have a SAML Role assigned

  1. Navigate to the Assignments tab in Okta and click the pencil/edit button by the affected User.
  2. Scroll until the SAML Role is found.
  3. Ensure that the User is mapped to a role that is configured to use SSO.