
ShawnT.63519 (Customer) asked a question.
I have configured the SAML Advanced Sign-on Settings based on the docs, but the Role Value SAML Attribute is missing the second half of what should be there.
Example Group Name: AWS-123456789123-Team-Portal-Role
App Filter: amazon_aws
Group Filter: AWS-(?{{accountid}}\d+)-(?{{role}}[a-zA-Z0-9+=,.@\-_]+)
Role Value Pattern: arn:aws:iam::${accountid}:saml-provider/Okta,arn:aws:iam::${accountid}:role/${role}
The attribute returned by the SAML Response is:
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::123456789123:saml-provider/Okta
</saml2:AttributeValue>
The ,arn:aws:iam::${accountid}:role/${role} part of the attribute is missing.
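The Role attribute AWS expects is the provider ARN and the role ARN joined by a comma, both built from the named groups that the group filter captures. The following script is an added example (it is not code from this thread, from Okta, or from AWS) that reproduces that mapping locally and checks what a SAML response actually carries: it translates the Okta named-group syntax `(?{{name}}...)` into Python's `(?P<name>...)` (an assumed equivalence, since Okta's engine is not Python), renders the Role Value Pattern for the group name above, and then parses a constructed copy of the truncated attribute to classify the failure. The namespace declaration on the `saml2:Attribute` element is added so the fragment is well-formed XML.

```python
import re
import xml.etree.ElementTree as ET

# Values exactly as configured in the question above.
OKTA_GROUP_FILTER = r"AWS-(?{{accountid}}\d+)-(?{{role}}[a-zA-Z0-9+=,.@\-_]+)"
ROLE_VALUE_PATTERN = (
    "arn:aws:iam::${accountid}:saml-provider/Okta,"
    "arn:aws:iam::${accountid}:role/${role}"
)
ROLE_ATTR_NAME = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the truncated attribute from the thread, wrapped so it parses.
SAMPLE_TRUNCATED_ATTRIBUTE = """<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="https://aws.amazon.com/SAML/Attributes/Role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">arn:aws:iam::123456789123:saml-provider/Okta
  </saml2:AttributeValue>
</saml2:Attribute>"""

# Shapes of the two ARNs AWS expects in the Role attribute (12-digit account id captured).
ARN_PROVIDER = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w.\-]+$")
ARN_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@\-/]+$")


def okta_filter_to_python(pattern: str) -> str:
    """Assumed translation: Okta's (?{{name}}...) named group -> Python's (?P<name>...)."""
    return re.sub(r"\(\?\{\{(\w+)\}\}", r"(?P<\1>", pattern)


def render_role_value(group_name: str,
                      group_filter: str = OKTA_GROUP_FILTER,
                      role_pattern: str = ROLE_VALUE_PATTERN):
    """Apply the group filter to a group name and fill ${...} placeholders in the pattern.

    Returns None when the group does not match the filter (and so would not be sent)."""
    match = re.fullmatch(okta_filter_to_python(group_filter), group_name)
    if match is None:
        return None
    value = role_pattern
    for name, captured in match.groupdict().items():
        value = value.replace("${" + name + "}", captured)
    return value


def extract_role_values(xml_text: str):
    """Collect every AttributeValue under the AWS Role attribute in a SAML fragment."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR_NAME:
            continue
        for v in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((v.text or "").strip())
    return values


def diagnose_role_value(value: str) -> str:
    """Classify one Role attribute value: ok, missing_role_arn, account_mismatch or malformed.

    Split on the first comma only: provider names cannot contain commas, role names can."""
    parts = value.split(",", 1)
    if len(parts) == 1:
        return "missing_role_arn" if ARN_PROVIDER.match(parts[0]) else "malformed"
    provider, role = ARN_PROVIDER.match(parts[0]), ARN_ROLE.match(parts[1])
    if provider is None or role is None:
        return "malformed"
    if provider.group(1) != role.group(1):
        return "account_mismatch"
    return "ok"


if __name__ == "__main__":
    expected = render_role_value("AWS-123456789123-Team-Portal-Role")
    print("expected Role value:", expected, "->", diagnose_role_value(expected))
    for seen in extract_role_values(SAMPLE_TRUNCATED_ATTRIBUTE):
        print("value in response:  ", seen, "->", diagnose_role_value(seen))
```

Running it against the constructed response prints `missing_role_arn` for the value that the question shows, while the locally rendered value passes as `ok`; pointing `extract_role_values` at a decoded SAML response from the browser makes the same comparison for the eight-app case described later in the thread, before users see a console login failure.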

Hello @ShawnT.63519 (Customer),
I hope you are doing fine.
Please let me know if the following link helps you to troubleshoot the issue: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
Regards,
Natalia
Okta Inc.
Hey @User16254393570754125507 (Okta),
Unfortunately that's not useful, there is no issue on the AWS side. The SAML Response was malformed, which is on the Okta side, not the AWS side.
That said, I did figure it out. I changed the App Filter property to active_directory instead of the AWS App, and it started working as intended. I'm not clear on why, since the AD Group was mapped to the app, but it works so I'm not going to get hung up on it.
@ShawnT.63519 (Customer)
Thank you for following up.
It is great to hear that it is working now.
Regards,
Natalia
Okta Inc.
I am seeing this same issue, the Role attribute is missing the IAM Role, it only contains the IDP ARN. Unlike @ShawnT.63519 (Customer), no amount of fiddling with the app filter corrects it.
I have eight Okta Apps for AWS logins, none of which have been edited and have worked correctly for two years, and all 8 have stopped working, blocking our users from logging into the AWS Console.