While running the okta-aws-cli utility, users report seeing the error below, either occasionally or on every authentication attempt:
Error: fetching SSO web token received API response
"400 Bad Request", error: "invalid_grant", description: "The application's assurance requirements are not met by the 'subject_token'."
The error is displayed in the console where okta-aws-cli is being run, after the user has authenticated in the browser.
Applies To
- Okta Identity Engine (OIE)
- okta-aws-cli
- Okta AWS Federation Application (SAML)
okta-aws-cli signs the user in to the OIDC application and then presents the resulting token as the 'subject_token' when it requests an SSO web token for the AWS SAML Federation Application. If the SAML application's authentication policy demands an assurance that the OIDC sign-in did not establish, Okta rejects the exchange with the error above. There are several reasons this can happen:
- The AWS SAML Federation Application's authentication policy is more restrictive than the OIDC Application's authentication policy.
- The AWS SAML Federation Application's authentication policy requires the device to be managed.
- The AWS SAML Federation Application's authentication policy has Re-authentication frequency set to Every sign-in attempt.
Okta recommends that the AWS SAML Federation Application and the OIDC Application use the same authentication policy. That policy should not require a managed device and should not have Re-authentication frequency set to Every sign-in attempt.
- Navigate to Security > Authentication Policies.
- Verify that both the SAML Federation and OIDC applications are assigned to the same policy.
- Edit the policy (or policies) and the rule(s) that apply to these applications.
- Verify that Device State is set to Any.
- Verify that Re-authentication frequency is set to Never re-authenticate if the session is active, or to an interval of at least 1 minute.
If separate policies are desired or required, the OIDC Application's policy may set Device State to Registered and Re-authentication frequency to Every sign-in attempt.
The policy for the AWS SAML Federation Application should not require a managed device and should set Re-authentication frequency to Every 1 minute or a longer interval.
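The following script is an added example, not Okta's or okta-aws-cli's own tooling, that checks the two settings above programmatically instead of clicking through the Admin Console. It reads authentication policy rules in the shape returned by Okta's Policy API (`GET /api/v1/policies/{policyId}/rules`, where Re-authentication frequency is the ISO 8601 duration `actions.appSignOn.verificationMethod.reauthenticateIn`, `PT0S` meaning Every sign-in attempt, and the managed-device requirement is `conditions.device.managed`), and resolves an app's assigned policy through the app's `_links.accessPolicy` link. The sample rules embedded below are constructed for illustration; the `OKTA_ORG_URL`, `OKTA_API_TOKEN`, `SAML_APP_ID` and `OIDC_APP_ID` environment variables are assumptions for the optional live run.

```python
"""Audit Okta app sign-on policy rules for the two settings that break the
okta-aws-cli token exchange: a managed-device requirement and a re-authentication
frequency of "Every sign-in attempt".  Added example, not Okta's own tooling."""
import json
import os
import re
import urllib.request

# Okta's Policy API expresses Re-authentication frequency as an ISO 8601 duration:
# "PT0S" is "Every sign-in attempt", "PT1M" is "Every 1 minute".
EVERY_SIGN_IN = "PT0S"
MIN_REAUTH_SECONDS = 60  # the page's recommendation: at least 1 minute

_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(iso_duration):
    """Convert a day/hour/minute/second ISO 8601 duration (e.g. PT1M) to seconds."""
    m = _DURATION_RE.match(iso_duration)
    if not m:
        raise ValueError(f"unsupported duration: {iso_duration!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def rule_problems(rule):
    """Reasons one ACCESS_POLICY rule would reject okta-aws-cli's subject_token."""
    problems = []
    device = (rule.get("conditions") or {}).get("device") or {}
    if device.get("managed"):
        problems.append("requires a managed device (Device State must be Any)")
    app_sign_on = (rule.get("actions") or {}).get("appSignOn") or {}
    reauth = (app_sign_on.get("verificationMethod") or {}).get("reauthenticateIn")
    if reauth is not None and duration_seconds(reauth) < MIN_REAUTH_SECONDS:
        problems.append(f"re-authentication frequency {reauth} is below 1 minute")
    return problems


def audit_rules(policy_label, rules):
    """Audit every active rule of one policy; returns human-readable findings."""
    findings = []
    for rule in rules:
        if rule.get("status", "ACTIVE") != "ACTIVE":
            continue  # inactive rules are never evaluated
        for problem in rule_problems(rule):
            findings.append(f"{policy_label} / rule '{rule.get('name')}': {problem}")
    return findings


def policies_match(app_a, app_b):
    """True if both app objects point at the same authentication policy."""
    return (app_a["_links"]["accessPolicy"]["href"]
            == app_b["_links"]["accessPolicy"]["href"])


def okta_get(api_token, url):
    """GET an Okta API URL with an SSWS API token (network call; not run by default)."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_app_and_rules(org_url, api_token, app_id):
    """Return (app object, rules of the authentication policy assigned to it)."""
    app = okta_get(api_token, f"{org_url}/api/v1/apps/{app_id}")
    policy_href = app["_links"]["accessPolicy"]["href"]
    return app, okta_get(api_token, f"{policy_href}/rules")


# Constructed sample rules in the shape of GET /api/v1/policies/{id}/rules.
SAMPLE_SAML_RULES = [
    {"name": "Managed devices only", "status": "ACTIVE",
     "conditions": {"device": {"registered": True, "managed": True}},
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": EVERY_SIGN_IN}}}},
    {"name": "Catch-all Rule", "status": "ACTIVE", "system": True,
     "actions": {"appSignOn": {"access": "DENY"}}},
]
SAMPLE_OIDC_RULES = [
    {"name": "Any device", "status": "ACTIVE",
     "conditions": {"device": {"registered": False, "managed": False}},
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT1M"}}}},
]

if __name__ == "__main__":
    org, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_API_TOKEN")
    if org and token:  # live run against the org (assumed env vars)
        saml_app, saml_rules = fetch_app_and_rules(org, token, os.environ["SAML_APP_ID"])
        oidc_app, oidc_rules = fetch_app_and_rules(org, token, os.environ["OIDC_APP_ID"])
        if not policies_match(saml_app, oidc_app):
            print("note: SAML and OIDC apps use different authentication policies")
    else:  # offline demonstration on the constructed samples
        saml_rules, oidc_rules = SAMPLE_SAML_RULES, SAMPLE_OIDC_RULES
    for line in audit_rules("AWS SAML app", saml_rules) + audit_rules("OIDC app", oidc_rules):
        print(line)
```

Run it without credentials to see the findings for the constructed SAML rule (managed device plus `PT0S`), or export the four environment variables to audit a real org. Any finding against the AWS SAML Federation Application's policy is a candidate cause of the `invalid_grant` error; a finding against the OIDC application's policy is acceptable if separate policies are intended, as described above.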
Related References
- For information on updating existing Authentication Policies, see:
- For General Authentication Policy information, see:
