I want to use an identity provider (IdP), such as Microsoft Entra ID (formerly Azure Active Directory) or Okta, to configure SAML 2.0 in Amazon WorkSpaces.
Short description
Before you start, make sure that you complete the prerequisites in Set up SAML 2.0 for WorkSpaces Personal.
Amazon WorkSpaces supports the following IdPs:
- Active Directory Federation Services (AD FS)
- Auth0
- Microsoft Entra ID (formerly Azure AD)
- Duo Single Sign-On
- JumpCloud
- Keycloak
- Okta
- OneLogin
- PingFederate
- PingOne for Enterprise
Resolution
To use an IdP to configure SAML 2.0 in Amazon WorkSpaces, see Set up SAML 2.0 for WorkSpaces Personal.
If the IAM role's trust policy doesn't allow the sts:AssumeRoleWithSAML action for your SAML provider, then you might get the following error message:
"Not authorized to perform sts:AssumeRoleWithSAML (Service: AWSSecurityTokenV20111201; Status Code: 403; Error Code: AccessDenied; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
To resolve this error, update the role's trust policy to allow the sts:AssumeRoleWithSAML action, and confirm that the Federated principal in that policy is the correct Amazon Resource Name (ARN) of the IAM SAML 2.0 identity provider.
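As an added example (not part of the AWS article), the following Python builds the trust policy that the role needs and checks an existing policy for the two defects described above: a missing sts:AssumeRoleWithSAML action and a Federated principal that doesn't match the provider ARN. The account ID, the provider name MyIdP and the helper names are placeholders; sts:TagSession is included only because it is required when the assertion also carries session tags.

```python
"""Build and sanity-check the IAM trust policy for a WorkSpaces SAML 2.0 role.

Added example; not part of the AWS article. The account ID and provider
name used in the usage section are placeholders.
"""
import json

# Audience that AWS STS expects in assertions sent to the AWS sign-in endpoint.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(provider_arn: str, allow_session_tags: bool = True) -> dict:
    """Trust policy that lets the IAM SAML provider assume the role.

    sts:TagSession is required only if the assertion carries session tags
    (PrincipalTag:* attributes); drop it otherwise to keep the grant minimal.
    """
    actions = ["sts:AssumeRoleWithSAML"]
    if allow_session_tags:
        actions.append("sts:TagSession")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": actions,
                # Pin the audience so an assertion issued for another
                # service provider cannot be replayed against this role.
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, provider_arn: str) -> list[str]:
    """Return the defects that produce the 403 AccessDenied described above.

    The list is empty when at least one Allow statement trusts the exact
    provider ARN (the comparison is case sensitive, as in IAM) and grants
    sts:AssumeRoleWithSAML with the expected SAML:aud condition.
    """
    allows = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    if not allows:
        return ["no Allow statement in the trust policy"]
    first_problems = None
    for stmt in allows:
        problems = []
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action")):
            problems.append("sts:AssumeRoleWithSAML is not in Action")
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if provider_arn not in federated:
            problems.append(f"Principal.Federated does not contain {provider_arn}")
        aud = (stmt.get("Condition") or {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append("Condition SAML:aud is missing or not the AWS sign-in audience")
        if not problems:
            return []
        if first_problems is None:
            first_problems = problems
    return first_problems


if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/MyIdP"  # placeholder
    print(json.dumps(build_trust_policy(provider), indent=2))
    # Same policy with the SAML action dropped: this is the 403 case.
    broken = build_trust_policy(provider)
    broken["Statement"][0]["Action"] = ["sts:TagSession"]
    print(check_trust_policy(broken, provider))
```

Paste the printed JSON into the role's trust relationship. The SAML:aud condition is not mentioned in the error text above, but without it any assertion the provider signs for a different audience could be used to assume the role.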
Note: These fields are case sensitive and don't support special characters.
If the role ARN or the SAML provider ARN in your SAML 2.0 IdP configuration is incorrect, then you might get one of the following error messages:
"Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null) (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE22222; Proxy: null). Please try again."
"Request ARN is invalid (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: ValidationError; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
To resolve the errors, check your role and provider values. Confirm that the Role attribute in the SAML assertion contains the correct role ARN and provider ARN, separated by a comma.
Note: These fields are case sensitive and don't support special characters.
If your IdP doesn't include the RoleSessionName attribute in the SAML 2.0 assertion, then you might get one of the following error messages:
"RoleSessionName is required in AuthnResponse (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111; Proxy: null). Please try again."
"Your request included an invalid SAML response. To log out, click here"
To resolve the errors, check that your IdP's claim rules add the RoleSessionName attribute, and the other required attributes, to the SAML 2.0 response.
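The following Python is an added example (not part of the AWS article) that checks a decoded SAML assertion for the two assertion-side problems described above: a Role attribute whose value isn't a role ARN and a saml-provider ARN separated by a comma, and a missing or malformed RoleSessionName. The embedded assertion is constructed for the example; its account ID, role name, provider name and user are placeholders.

```python
"""Check the AWS attributes in a decoded SAML 2.0 assertion bound for WorkSpaces.

Added example; not part of the AWS article. The assertion below is
constructed, and its account ID, role name, provider name and user are
placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")
# STS constraint on RoleSessionName: 2 to 64 characters from this set.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample of the AttributeStatement from a decoded SAML response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/WorkSpacesSamlRole,arn:aws:iam::123456789012:saml-provider/MyIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Map each saml:Attribute Name to its AttributeValue texts, untrimmed."""
    root = ET.fromstring(assertion_xml)
    values: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        texts = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        values.setdefault(attr.get("Name", ""), []).extend(texts)
    return values


def check_assertion(assertion_xml: str) -> list[str]:
    """Return the misconfigurations that map to the errors described above.

    Values are compared as-is: a stray space or a wrong letter case in an
    ARN is reported as a defect, because STS rejects both.
    """
    attrs = attribute_values(assertion_xml)
    problems = []

    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:
        parts = value.split(",")
        has_role = any(ROLE_ARN.match(p) for p in parts)
        has_provider = any(PROVIDER_ARN.match(p) for p in parts)
        if len(parts) != 2 or not (has_role and has_provider):
            problems.append(
                "Role value must be a role ARN and a saml-provider ARN "
                f"separated by a comma, got {value!r}"
            )

    session = attrs.get(SESSION_ATTR, [])
    if not session or not session[0]:
        problems.append("RoleSessionName attribute missing from the AuthnResponse")
    elif not SESSION_NAME.match(session[0]):
        problems.append(
            f"RoleSessionName {session[0]!r} is not 2-64 characters of [A-Za-z0-9_+=,.@-]"
        )
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))  # correct assertion: no findings
    # Same assertion with an empty RoleSessionName: the
    # "RoleSessionName is required in AuthnResponse" case.
    print(check_assertion(SAMPLE_ASSERTION.replace("jdoe@example.com", "")))
```

To run it against a real login, capture the SAML response with your browser's developer tools or a SAML tracer extension, base64-decode it, and pass the XML to check_assertion. The check accepts the role ARN and the provider ARN in either order within the pair, but it does not trim whitespace, so a space after the comma is reported as a defect.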
If you experience SAML authentication issues, then see How do I troubleshoot SAML 2.0 authentication issues in WorkSpaces?
Related information
Troubleshoot SAML federation with IAM
Troubleshoot issues for WorkSpaces Personal