
User1674032011076195442 (Customer) asked a question.
Hello,
We have a Cognito user pool and have configured SAML login with Okta.
We have done this many times and manage multiple user pools.
However, one Okta and user pool that were configured are getting this error when trying to log in:
Invalid SAML response received: Unable to contact the configured provider.
I have never seen this error before and am not quite sure where it is coming from.
In the Okta logs I see that the login was successful.
We are using FastPass.
Any ideas?
The SAML response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="https://domain-name.auth.region.amazoncognito.com/saml2/idpresponse"
ID="id" InResponseTo="responseid"
IssueInstant="2024-01-15T11:58:06.073Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/app-id</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>digest</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
signature
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
signature
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="id" IssueInstant="2024-01-15T11:58:06.073Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
http://www.okta.com/app-id</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>digest=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
signature
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
signature
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
email@address.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="response"
NotOnOrAfter="2024-01-15T12:03:06.074Z"
Recipient="https://domain-name.auth.region.amazoncognito.com/saml2/idpresponse" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2024-01-15T11:53:06.074Z"
NotOnOrAfter="2024-01-15T12:03:06.074Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:cognito:sp:region_userpoolid</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2024-01-15T11:58:04.868Z"
SessionIndex="sessionindex"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
email@address.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
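Added example, not part of the original post and not Okta's or AWS's tooling: a small Python checker that runs the structural checks Cognito applies to a SAML response (Success status, Destination and Recipient matching the user pool's idpresponse endpoint, Audience matching the user pool, the assertion's validity window, a ds:Signature being present, a non-empty NameID) so that a response captured from the browser can be compared against what the user pool expects before opening a support case. The embedded response is a constructed sample shaped like the one above, and the expected values (the domain, the urn:amazon:cognito:sp audience and the Okta issuer) are placeholders taken from it, not real identifiers. It does not verify the XML signature cryptographically; it only confirms the structure Cognito looks for.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample with placeholder values, shaped like the response in the question.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://domain-name.auth.region.amazoncognito.com/saml2/idpresponse"
    ID="id" InResponseTo="responseid" IssueInstant="2024-01-15T11:58:06.073Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/app-id</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id" IssueInstant="2024-01-15T11:58:06.073Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>http://www.okta.com/app-id</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>sig</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID>email@address.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-15T12:03:06.074Z"
            Recipient="https://domain-name.auth.region.amazoncognito.com/saml2/idpresponse"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-15T11:53:06.074Z" NotOnOrAfter="2024-01-15T12:03:06.074Z">
      <saml2:AudienceRestriction><saml2:Audience>urn:amazon:cognito:sp:region_userpoolid</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Placeholder expectations (assumed values matching the sample, not real identifiers).
EXPECTED_DESTINATION = "https://domain-name.auth.region.amazoncognito.com/saml2/idpresponse"
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:region_userpoolid"
EXPECTED_ISSUER = "http://www.okta.com/app-id"


def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing Z; %f accepts the millisecond fraction.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_destination, expected_audience, expected_issuer, now_saml):
    """Return a list of human-readable findings; an empty list means every check passed."""
    now = parse_saml_time(now_saml)
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["root element is not a saml2p:Response"]

    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("StatusCode is not Success")

    if root.get("Destination") != expected_destination:
        findings.append("Destination %r does not match the user pool endpoint" % root.get("Destination"))

    issuer = root.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append("response Issuer %r does not match the IdP configured in the user pool" % issuer)

    # An encrypted assertion cannot be inspected here; report it instead of guessing.
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; decrypt it before running these checks")
        return findings

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        findings.append("response carries no saml2:Assertion")
        return findings

    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither the response nor the assertion carries a ds:Signature")

    audience = assertion.findtext(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", default="", namespaces=NS).strip()
    if audience != expected_audience:
        findings.append("Audience %r does not match the user pool's urn:amazon:cognito:sp value" % audience)

    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is not None:
        if conditions.get("NotBefore") and now < parse_saml_time(conditions.get("NotBefore")):
            findings.append("assertion is not yet valid (NotBefore in the future)")
        if conditions.get("NotOnOrAfter") and now >= parse_saml_time(conditions.get("NotOnOrAfter")):
            findings.append("assertion has expired (Conditions NotOnOrAfter)")

    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != expected_destination:
            findings.append("Recipient %r does not match the user pool endpoint" % scd.get("Recipient"))
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            findings.append("bearer confirmation has expired (SubjectConfirmationData NotOnOrAfter)")

    if not assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS).strip():
        findings.append("NameID is missing or empty")
    return findings


if __name__ == "__main__":
    # Evaluate the sample at a clock time inside its validity window.
    for line in check_response(SAMPLE_RESPONSE, EXPECTED_DESTINATION, EXPECTED_AUDIENCE,
                               EXPECTED_ISSUER, "2024-01-15T12:00:00.000Z") or ["all checks passed"]:
        print(line)
```

To use it against a real login, paste the base64-decoded SAMLResponse from the browser's POST to /saml2/idpresponse into SAMPLE_RESPONSE, set the three expected values to the user pool's domain, ID and the Okta app's issuer, and pass the time of the login attempt as the last argument; any finding names the field that the user pool would reject.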

Please reference the document: https://repost.aws/knowledge-center/cognito-invalid-saml-response-errors
Please contact the AWS team if you still can't solve it.
Thanks, the document does not provide a fix for my issue.
I have contacted AWS and am waiting for a response.
Hi, @User1674032011076195442 (Customer)
Thank you for posting on our Community page!
As specified in Amazon Cognito's documentation, IdP-initiated SSO is not supported.
Overcoming this limitation involves creating a Bookmark App in Okta. This technique is used to simulate a service-provider-initiated login.
For detailed step-by-step instructions on how to use the Bookmark App, refer to this Okta documentation.
You may also check these articles:
https://repost.aws/knowledge-center/iam-invalid-saml-response-okta
https://repost.aws/knowledge-center/cognito-invalid-saml-response-errors
_____________________________________________________________________________
Hi @User16594883467582706479 (Customer Support Online Experience), I am not initiating the login from the IdP.