
Configuring Cognito Identity Pools with Gsuite SAML Apps


Hey,

I was trying to follow the relevant guides from the docs, on how to configure Cognito Identity Pools with SAML apps.

I did the following:

  • Created a brand new Identity Pool
  • Linked it to a SAML Identity Provider @ IAM
  • Attached the metadata from my GSuite SAML App to the relevant SAML IDP in AWS IAM
  • I then created a React app and used this code block to connect via my identity pool -

```javascript
import { S3Client } from "@aws-sdk/client-s3";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

const REGION = "<REGION>"; // AWS Region of the identity pool

const s3client = new S3Client({
  region: REGION,
  credentials: fromCognitoIdentityPool({
    clientConfig: { region: REGION },
    identityPoolId: "<IDENTITY_POOL_ID>",
    logins: {
      // key: ARN of the IAM SAML provider; value: the base64-encoded SAMLResponse from GSuite
      "arn:aws:iam::<ACCOUNT_ID>:saml-provider/<SAML_IDP_NAME>": "<MY_SAML_RESPONSE_FROM_GSUITE_BASE64_ENCODED>",
    },
  }),
});
```

But every time I get this error -

message: "Invalid login token. Response (with optional signature) must contain an assertion with a mandatory signature",
__type: "NotAuthorizedException"

I tried to play with the mappings of different attributes in GSuite, but I don't understand the error, as I do get the saml response, decode it and see the signature right there. So what's missing?

asked 5 months ago · 220 views
1 Answer

The error message "Invalid login token. Response (with optional signature) must contain an assertion with a mandatory signature" indicates that the SAML assertion is not being accepted by AWS Cognito. This typically happens due to issues with the SAML response, such as missing or improperly configured attributes, signature validation issues, or incorrect setup in AWS or the Identity Provider (IdP).

Here are some steps to troubleshoot and resolve the issue:

1. Verify SAML Response

  1. Ensure that the SAML response from GSuite includes a valid, signed assertion. You can use online tools like SAML XML Tool to decode and inspect the SAML response.

  2. Ensure that the `<Assertion>` element contains a valid signature.

  3. Ensure that the `<Response>` element is signed, if required.

  4. Check the `<Issuer>` and ensure it matches the expected issuer in AWS.

2. Verify Attribute Mappings

Ensure that the required attributes are correctly mapped in your GSuite SAML application configuration:

**NameID:** Ensure that the NameID format and value are correctly mapped. Cognito expects the NameID to be present and correctly formatted.

**RoleAttribute:** If you have roles mapped in the SAML response, ensure that they are correctly mapped and match the roles configured in AWS IAM.

3. Check AWS IAM Identity Provider Configuration

Ensure that the IAM SAML Identity Provider is correctly configured:

**Metadata:** Ensure that the metadata from GSuite is correctly uploaded to the IAM Identity Provider.

**SAML Provider ARN:** Verify that the ARN used in your code matches the one created in IAM.

4. Review Cognito Identity Pool Configuration

Ensure that the Cognito Identity Pool is correctly configured to trust the SAML Identity Provider:

**Identity Pool Trust Relationship:** Ensure that the Identity Pool is configured to trust the SAML provider. You can check this in the AWS Cognito console under "Identity Providers".

**Mappings:** Ensure that the attributes in the SAML assertion are correctly mapped to the Cognito attributes.

answered 5 months ago
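As an added example (not part of the question or the answer above, and not AWS or Google code), here is a small Node.js script that applies the answer's step 1 and step 2 checks offline to the base64 SAMLResponse value that the question's code passes in `logins`: it decodes it, locates the `<Assertion>`, checks that a `<Signature>` sits inside the assertion and that its `<Reference>` points at the assertion's `ID`, notes separately whether the `<Response>` is signed, and reports the Issuer and NameID. The XML handling is plain string matching rather than an XML parser, so it is a diagnostic aid, not a signature validator; the two sample responses are constructed inline, and the issuer URL and signature value in them are placeholders.

```javascript
// Added example: offline inspection of a base64-encoded SAML Response before it is
// passed to fromCognitoIdentityPool(). String/regex matching only; it does not verify
// the signature cryptographically, it only reports where a signature is (or is not).

// Cognito expects the SAMLResponse value as posted by the IdP: standard base64 of the XML.
function decodeSamlResponse(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// First element with the given local name (any namespace prefix), start tag to end tag, or null.
function extractElement(xml, localName) {
  const open = new RegExp(`<(?:[\\w.-]+:)?${localName}\\b[^>]*>`);
  const close = new RegExp(`</(?:[\\w.-]+:)?${localName}>`);
  const start = xml.search(open);
  if (start < 0) return null;
  const endMatch = close.exec(xml.slice(start));
  if (!endMatch) return null;
  return xml.slice(start, start + endMatch.index + endMatch[0].length);
}

// Value of an attribute on a start tag, or null.
function attr(startTag, name) {
  const m = new RegExp(`\\s${name}="([^"]*)"`).exec(startTag);
  return m ? m[1] : null;
}

// Trimmed text content of the first simple element with the given local name, or null.
function textOf(xml, localName) {
  const re = new RegExp(`<(?:[\\w.-]+:)?${localName}\\b[^>]*>([^<]*)</(?:[\\w.-]+:)?${localName}>`);
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

function inspectSamlResponse(b64) {
  const xml = decodeSamlResponse(b64);
  const response = extractElement(xml, "Response");
  if (!response) throw new Error("no <Response> element found");
  const assertion = extractElement(response, "Assertion");
  if (!assertion) throw new Error("no <Assertion> element found");

  const assertionId = attr(assertion.match(/^<[^>]*>/)[0], "ID");
  // The assertion signature must live inside <Assertion> and reference the assertion's own ID.
  const assertionSig = extractElement(assertion, "Signature");
  const assertionSigned = Boolean(assertionSig && assertionId && assertionSig.includes(`URI="#${assertionId}"`));
  // A Response-level signature is whatever <Signature> remains once the assertion is cut out.
  const outside = response.replace(assertion, "");
  const responseSigned = Boolean(extractElement(outside, "Signature"));

  return {
    responseIssuer: textOf(outside, "Issuer"),
    assertionIssuer: textOf(assertion, "Issuer"),
    nameId: textOf(assertion, "NameID"),
    assertionId,
    assertionSigned,
    responseSigned,
  };
}

// Turn the inspection into the checklist from the answer (step 1: signed assertion; step 2: NameID).
function diagnose(b64) {
  const info = inspectSamlResponse(b64);
  const problems = [];
  if (!info.assertionSigned) problems.push("Assertion is not signed, or its Reference URI does not point at the Assertion ID");
  if (!info.assertionIssuer) problems.push("Assertion has no Issuer");
  if (!info.nameId) problems.push("Assertion has no NameID");
  return { ...info, problems };
}

// ---- constructed sample input (not a real Google response; issuer and signature value are placeholders)
function signatureXml(targetId) {
  return `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>` +
    `<ds:Reference URI="#${targetId}"/></ds:SignedInfo>` +
    `<ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>`;
}

function buildSampleResponse({ signAssertion, signResponse }) {
  const issuer = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER";
  const xml =
    `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
    `xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">` +
    `<saml:Issuer>${issuer}</saml:Issuer>` +
    (signResponse ? signatureXml("_resp1") : "") +
    `<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>` +
    `<saml:Assertion ID="_asrt1" Version="2.0">` +
    `<saml:Issuer>${issuer}</saml:Issuer>` +
    (signAssertion ? signatureXml("_asrt1") : "") +
    `<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>` +
    `</saml:Assertion></samlp:Response>`;
  return Buffer.from(xml).toString("base64");
}
```

Running `diagnose()` over the sample that is signed only at the `<Response>` level reports that the assertion itself is unsigned, which is the condition the Cognito error message in the question describes; applying it to the real SAMLResponse string captured from the GSuite app tells you whether the problem is on the IdP signing side or in the SDK call.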
