The error message "Invalid login token. Response (with optional signature) must contain an assertion with a mandatory signature" indicates that the SAML assertion is not being accepted by AWS Cognito. This typically happens due to issues with the SAML response, such as missing or improperly configured attributes, signature validation issues, or incorrect setup in AWS or the Identity Provider (IdP).
Here are some steps to troubleshoot and resolve the issue:
1. Verify SAML Response
- Ensure that the SAML response from GSuite includes a valid, signed assertion. You can use online tools like SAML XML Tool to decode and inspect the SAML response.
- Ensure that the <Assertion> element contains a valid signature.
- Ensure that the <Response> element is signed, if required.
- Check the <Issuer> and ensure it matches the expected issuer in AWS.
2. Verify Attribute Mappings
Ensure that the required attributes are correctly mapped in your GSuite SAML application configuration:
- **NameID:** Ensure that the NameID format and value are correctly mapped. Cognito expects the NameID to be present and correctly formatted.
- **RoleAttribute:** If you have roles mapped in the SAML response, ensure that they are correctly mapped and match the roles configured in AWS IAM.
3. Check AWS IAM Identity Provider Configuration
Ensure that the IAM SAML Identity Provider is correctly configured:
- **Metadata:** Ensure that the metadata from GSuite is correctly uploaded to the IAM Identity Provider.
- **SAML Provider ARN:** Verify that the ARN used in your code matches the one created in IAM.
4. Review Cognito Identity Pool Configuration
Ensure that the Cognito Identity Pool is correctly configured to trust the SAML Identity Provider:
- **Identity Pool Trust Relationship:** Ensure that the Identity Pool is configured to trust the SAML provider. You can check this in the AWS Cognito console under "Identity Providers".
- **Mappings:** Ensure that the attributes in the SAML assertion are correctly mapped to the Cognito attributes.
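The following script is an added example, not part of the answer above and not AWS or Google code. It performs the step-1 inspection offline: it base64-decodes a `SAMLResponse` form value, reports whether the `<Response>` and the `<Assertion>` each carry a `ds:Signature`, whether the assertion signature's `Reference URI` points at the assertion's own `ID`, and extracts the `Issuer` and `NameID`. The two sample responses, the `EXPECTED_ISSUER` URL (the `idpid=EXAMPLE` value is a placeholder; the real entity ID comes from the GSuite metadata) and the `PLACEHOLDER` signature value are all constructed so the script runs without an IdP. It checks structure only; it does not validate the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder; take the real entity ID from the GSuite metadata XML.
EXPECTED_ISSUER = "https://accounts.google.com/o/saml2?idpid=EXAMPLE"


def signature_xml(ref_id: str) -> str:
    """Skeleton of an enveloped XML-DSig (constructed: no real digest or signature bytes)."""
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def build_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a constructed SAMLResponse, base64-encoded as an IdP would POST it."""
    doc = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
        + (signature_xml("_resp1") if sign_response else "")
        + '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
        + (signature_xml("_assert1") if sign_assertion else "")
        + '<saml:Subject><saml:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        'alice@example.com</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(doc.encode()).decode()


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse and report the structural facts the troubleshooting
    steps ask about. Presence and placement of signatures only; nothing is
    verified cryptographically. Feed it a response captured from your own
    test login; use defusedxml instead of ET for untrusted input."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    report = {
        "response_issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertion_id": None, "assertion_issuer": None, "assertion_signed": False,
        "signature_ref": None, "name_id": None, "name_id_format": None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return report
    report["assertion_id"] = assertion.get("ID")
    report["assertion_issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
    sig = assertion.find("ds:Signature", NS)
    if sig is not None:
        report["assertion_signed"] = True
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        report["signature_ref"] = ref.get("URI") if ref is not None else None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        report["name_id"] = (name_id.text or "").strip()
        report["name_id_format"] = name_id.get("Format")
    return report


def findings(report: dict, expected_issuer: str = EXPECTED_ISSUER) -> list:
    """Turn the report into the list of things to fix on the IdP side."""
    out = []
    if report["assertion_id"] is None:
        out.append("no plaintext <Assertion> in the Response"
                   + (" (only EncryptedAssertion)" if report["encrypted_assertions"] else ""))
        return out
    if not report["assertion_signed"]:
        # This is exactly the condition the Cognito error message describes.
        out.append("Assertion is not signed (a Response-level signature alone is not enough)")
    elif report["signature_ref"] != "#" + report["assertion_id"]:
        out.append(f"Assertion signature Reference {report['signature_ref']!r} "
                   f"does not point at Assertion ID {report['assertion_id']!r}")
    for label in ("response_issuer", "assertion_issuer"):
        if report[label] != expected_issuer:
            out.append(f"{label} {report[label]!r} != expected {expected_issuer!r}")
    if not report["name_id"]:
        out.append("NameID missing or empty")
    return out


if __name__ == "__main__":
    for label, b64 in (("assertion signed", build_response(False, True)),
                       ("only Response signed", build_response(True, False))):
        print(label, "->", findings(inspect_saml_response(b64)) or ["OK"])
```

To inspect a real login, copy the `SAMLResponse` value from the browser's POST (or from the decoded token you pass to Cognito) into `inspect_saml_response`; the second sample shows why a response that is signed only at the `<Response>` level still fails the check.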