I want to use an identity provider (IdP), such as Microsoft Entra ID (formerly Azure Active Directory) or Okta, to configure SAML 2.0 in Amazon WorkSpaces.
Resolution
Note: Before you configure SAML 2.0 authentication, verify that you adhere to the requirements and prerequisites.
Generate SAML 2.0 metadata specific to your IdP
Follow the instructions in Step 1: Generate SAML 2.0 metadata of the Amazon WorkSpaces SAML Authentication Implementation Guide for your IdP:
- Active Directory Federation Service (ADFS)
- Auth0
- Microsoft Entra ID (formerly Azure AD)
- Duo Single Sign-on
- JumpCloud
- Keycloak
- Okta
- OneLogin
- PingFederate
- PingOne for Enterprise
Use IAM to create a SAML 2.0 identity provider
Use the metadata document to create an AWS Identity and Access Management (IAM) identity provider.
Create a SAML 2.0 federation IAM role and policy
To establish a trust relationship between IAM and your IdP, create a SAML 2.0 federation IAM role.
You might encounter the following error: "Not authorized to perform sts:AssumeRoleWithSAML (Service: AWSSecurityTokenV20111201; Status Code: 403; Error Code: AccessDenied; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
If you encounter a Not authorized to perform sts error, then verify that your trust policy includes the sts:AssumeRoleWithSAML action. Also, verify that your IAM SAML 2.0 provider's ARN is accurate. This field is case sensitive.
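The two checks above (the sts:AssumeRoleWithSAML action and the exact, case-sensitive SAML provider ARN) can be run against a trust policy document before you attach it. The script below is an added example, not AWS's code or part of this article: the account ID, role name and provider name are constructed, and the sts:TagSession and SAML:aud checks are taken from the WorkSpaces SAML implementation guide rather than from this article.

```python
"""Offline checks for the SAML federation role's trust policy, covering what
this article says to verify: the sts:AssumeRoleWithSAML action is granted and
the IAM SAML provider ARN is exact (it is case sensitive). Added example, not
AWS's code; account ID, role and provider names below are constructed."""
import json
import re

# Shape of an IAM SAML provider ARN; the provider name is matched literally.
SAML_PROVIDER_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:saml-provider/[\w._-]+$")
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_provider_arn):
    """Return a list of problems found in a trust policy (empty = passes)."""
    problems = []
    saml_statement_seen = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        saml_statement_seen = True
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        for arn in federated:
            if not SAML_PROVIDER_ARN.match(arn):
                problems.append(f"malformed SAML provider ARN in Principal: {arn}")
        # Exact comparison on purpose: IAM does not fold case in the ARN.
        if expected_provider_arn not in federated:
            problems.append("Principal.Federated does not equal the IAM SAML provider ARN (check case)")
        # Assumed from the WorkSpaces guide (not this article): sts:TagSession is
        # also needed so the IdP's PrincipalTag attributes can be applied.
        if "sts:TagSession" not in actions:
            problems.append("sts:TagSession not granted; sessions carrying PrincipalTag attributes are denied")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append(f"SAML:aud condition missing or not {AWS_SAML_AUDIENCE}")
    if not saml_statement_seen:
        problems.append("no Allow statement grants sts:AssumeRoleWithSAML "
                        "(causes 'Not authorized to perform sts:AssumeRoleWithSAML')")
    return problems


# Constructed sample values (account ID, names) for the demonstration.
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/WorkSpaces-IdP"

GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/WorkSpaces-IdP"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}""")

# Same policy with the provider name in the wrong case, no sts:TagSession and
# no audience condition: three separate findings.
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/workspaces-idp"},
    "Action": "sts:AssumeRoleWithSAML"
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_trust_policy(policy, PROVIDER_ARN) or "OK")
```

Run it against the trust policy you are about to attach (for example the output of `aws iam get-role`, which returns the document under AssumeRolePolicyDocument) and fix every finding before testing the sign-in again; the comparison is deliberately exact because IAM treats the provider ARN literally.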
Configure your SAML 2.0 identity provider
Configure the information that your IdP sends as SAML 2.0 attributes in its authentication response to AWS.
For information about configurations for your IdP, see Step 4: Configure your SAML 2.0 identity provider of the Amazon WorkSpaces SAML Authentication Implementation Guide.
You might encounter the following errors:
- "Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null) (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE22222; Proxy: null). Please try again."
- "Request ARN is invalid (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: ValidationError; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
- "RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
- "Your request included an invalid SAML response. To log out, click here"
If you encounter a Not authorized to perform sts:AssumeRoleWithSAML, Specified provider doesn't exist, or Request ARN is invalid error, then check your role and provider values. Verify that each ARN is accurate, and that they are separated by a comma. For example, arn:aws:iam::ACCOUNT:role/ROLENAME,arn:aws:iam::ACCOUNT:saml-provider/SAMLPROVIDERNAME.
Note: These fields are case sensitive and don't support special characters.
If you encounter the RoleSessionName is required in AuthnResponse or Your request included an invalid SAML response error, then check that you correctly added all the necessary claims rules and configurations to the SAML 2.0 response.
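Before changing claims rules in the IdP, it helps to take a decoded assertion from a failed sign-in and check the AWS attributes against the rules this article gives: a Role value made of a role ARN and a provider ARN separated by a comma, both with the full arn: prefix and exact case, and a non-empty RoleSessionName. The script below is an added example, not AWS's code or part of this article; the assertion, account ID, role name and provider name are constructed, and the PrincipalTag:Email attribute is assumed from the WorkSpaces SAML implementation guide rather than from this article. It reports which listed error each defect corresponds to.

```python
"""Offline check of the AWS attributes in a SAML 2.0 assertion, applying the
rules this article gives for the Role and RoleSessionName attributes and
naming the STS error each defect produces. Added example, not AWS's code;
the assertion, account ID, role and provider names are constructed."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Assumed from the WorkSpaces guide (not this article): the user's e-mail is
# passed as a principal tag so WorkSpaces can match the session to a user.
EMAIL_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"

# Both ARNs must carry the full "arn:" prefix; names are matched literally.
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:saml-provider/[\w._-]+$")


def aws_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(assertion_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
    }


def check_assertion(assertion_xml, expected_provider_arn):
    """Return the defects found (empty list = the attributes look correct)."""
    attrs = aws_attributes(assertion_xml)
    problems = []
    role_values = attrs.get(ROLE_ATTR, [])
    if not role_values:
        problems.append("Role attribute missing: no role/provider pair to assume")
    for value in role_values:
        parts = value.split(",")
        if len(parts) != 2:  # must be exactly "role-arn,provider-arn"
            problems.append(f"Role value is not 'role-arn,provider-arn': {value!r}")
            continue
        role_arn, provider_arn = parts
        if not ROLE_ARN.match(role_arn):
            problems.append(f"'Request ARN is invalid': bad role ARN {role_arn!r}")
        if not PROVIDER_ARN.match(provider_arn):
            problems.append(f"'Request ARN is invalid': bad provider ARN {provider_arn!r}")
        elif provider_arn != expected_provider_arn:  # case-sensitive on purpose
            problems.append(f"'Specified provider doesn't exist': {provider_arn!r} (check case)")
    if not next(iter(attrs.get(SESSION_ATTR, [])), "").strip():
        problems.append("'RoleSessionName is required in AuthnResponse'")
    if not any(v.strip() for v in attrs.get(EMAIL_ATTR, [])):
        problems.append("PrincipalTag:Email missing; WorkSpaces cannot map the session to a user")
    return problems


def assertion(role_value, session_name, email="alice@example.com"):
    """Build a minimal, unsigned, constructed assertion carrying the AWS attributes."""
    def attr(name, value):
        if value is None:
            return ""
        return (f'<saml:Attribute Name="{name}">'
                f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f'<saml:AttributeStatement>{attr(ROLE_ATTR, role_value)}'
            f'{attr(SESSION_ATTR, session_name)}{attr(EMAIL_ATTR, email)}'
            f'</saml:AttributeStatement></saml:Assertion>')


# Constructed sample values (account ID, names) for the demonstration.
PROVIDER = "arn:aws:iam::111122223333:saml-provider/WorkSpaces-IdP"
GOOD = assertion(f"arn:aws:iam::111122223333:role/WorkSpacesSAMLRole,{PROVIDER}", "alice@example.com")
# Role ARN lacks the "arn:" prefix, provider name is in the wrong case, and
# RoleSessionName is absent: three of the errors listed above at once.
BAD = assertion("aws:iam::111122223333:role/WorkSpacesSAMLRole,"
                "arn:aws:iam::111122223333:saml-provider/workspaces-idp", None)

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_assertion(doc, PROVIDER) or "OK")
```

To use it on a real failure, paste the base64-decoded SAMLResponse captured from the browser (a SAML tracer extension or the browser's network tab) in place of the constructed assertion; the checks are purely syntactic, so a clean result still leaves signature and audience validation to STS.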
Activate SAML 2.0 integration in your WorkSpaces directory
Turn on SAML 2.0 authentication in the WorkSpaces directory.
Related information
Troubleshoot SAML federation with IAM
Troubleshoot issues for WorkSpaces Personal