It appears you're encountering issues while setting up Google Workspace as an Identity Provider for AWS WorkSpaces using SAML 2.0. Based on the information provided, there are a few potential areas to investigate:
- SAML Configuration: Ensure that the SAML configuration in both Google Workspace and AWS is correct and matching. This includes the Service Provider (SP) Entity ID, Assertion Consumer Service (ACS) URL, and Start URL.
- IAM Role and Trust Relationship: Verify that you have created the necessary IAM role for SAML 2.0 federation and that the trust relationship is correctly established between IAM and the Google Workspace identity provider.
- SAML Attributes: Check that the information Google Workspace sends as SAML 2.0 attributes in its authentication response to AWS is correctly configured. This includes attributes like RoleSessionName, which is required in the AuthnResponse.
- RelayState: The RelayState parameter you've configured might be causing issues. Ensure it's correctly set up in both Google Workspace and AWS.
- Metadata: Confirm that you've properly generated and uploaded the SAML metadata between Google Workspace and AWS.
- Error Analysis: The 400 error you're receiving could be due to various reasons. Some common errors include:
- Invalid identity token
- Specified provider doesn't exist
- Request ARN is invalid
- RoleSessionName is required in AuthnResponse
To troubleshoot:
- Double-check all SAML configuration settings in both Google Workspace and AWS.
- Verify the IAM role and its trust relationship.
- Ensure all required SAML attributes are correctly set up.
- Review the RelayState configuration.
- Confirm the SAML metadata is correctly exchanged between Google Workspace and AWS.
If the issue persists after these checks, you may need to review AWS CloudTrail logs or contact AWS support for more detailed error information.
Sources:
- Configure SAML 2.0 authentication for WorkSpaces | AWS re:Post
- Integrate third-party SAML solution providers with AWS - AWS Identity and Access Management
- Integrating Google Workspace with AWS Cognito for SAML Login "relayState from identity provider." | AWS re:Post
Check the Identity Center troubleshooting guide for a few common issues for that error (it's not you, it's us): https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue14
Besides what is mentioned there, another common problem is that the user is not yet provisioned in Identity Center, or not provisioned correctly. Make sure that the user you are using is there in Identity Center. Check that the NameID passed to Identity Center in the SAML response (an HTTP POST towards Identity Center) is the same as the user provisioned in Identity Center.
BTW, you are going to use Google as the Identity Provider, so I don't understand why you "created the AWS managed MS directory"?
BTW2: the Google / Identity Center integration also supports SCIM for auto-provisioning of users. I guess you have not set it up yet. Typically you first make sure single sign-on works, and then add provisioning, though you don't have to follow that order.
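The two answers above both come down to reading the SAML response that the browser POSTs to AWS (or to Identity Center) and checking its contents against what the service expects: the ACS URL, the audience, the NameID, and for IAM federation the Role and RoleSessionName attributes whose absence or malformation produces the "RoleSessionName is required in AuthnResponse", "Request ARN is invalid" and "Specified provider doesn't exist" errors. The following script is an added example written for this page, not code from either answer or from AWS; it decodes the base64 SAMLResponse form value and reports those misconfigurations. The embedded response, account number and ARNs are constructed samples, and the script checks content only: it does not verify the XML signature, so it is a troubleshooting aid, not an authenticator.

```python
"""Inspect a SAML 2.0 response bound for AWS and report the misconfigurations
behind the common 400 errors. Content checks only: the signature is NOT verified."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ACS_URL = "https://signin.aws.amazon.com/saml"          # AWS sign-in ACS URL
AWS_AUDIENCE = "urn:amazon:webservices"                      # required Audience
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Constructed sample identifiers (assumptions, not real resources).
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/WorkSpacesSAML"
SAMPLE_PROVIDER = "arn:aws:iam::123456789012:saml-provider/GoogleWorkspace"


def decode_saml_response(form_value: str) -> str:
    """The browser POSTs SAMLResponse as base64; return the XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def attribute_values(assertion, name):
    """All AttributeValue strings of the Attribute whose Name matches."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def parse_role_pair(value):
    """AWS expects 'role-arn,provider-arn' (either order).
    Return (role_arn, provider_arn) or None if the value is malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
        return None
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    return None if role is None or provider is None else (role, provider)


def check_aws_saml_response(xml_text: str, expected_provider_arn: str) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document is not a samlp:Response"]
    if root.get("Destination") != AWS_ACS_URL:
        findings.append("Destination %r is not the AWS ACS URL %s" % (root.get("Destination"), AWS_ACS_URL))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion found"]
    # The ACS URL appears a second time as SubjectConfirmationData/@Recipient.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS_URL:
        findings.append("SubjectConfirmationData Recipient does not match the AWS ACS URL")
    # Identity Center matches NameID against the provisioned user name.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID is missing or empty")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        findings.append("Audience %r does not include %s" % (audiences, AWS_AUDIENCE))
    if not any(attribute_values(assertion, ATTR_SESSION_NAME)):
        findings.append("RoleSessionName attribute missing ('RoleSessionName is required in AuthnResponse')")
    roles = attribute_values(assertion, ATTR_ROLE)
    if not roles:
        findings.append("Role attribute is missing")
    for value in roles:
        pair = parse_role_pair(value)
        if pair is None:
            findings.append("Role value %r is not 'role-arn,provider-arn' ('Request ARN is invalid')" % value)
        elif pair[1] != expected_provider_arn:
            findings.append("provider ARN %s is not the IdP registered in IAM ('Specified provider doesn't exist')" % pair[1])
        # The trust policy of pair[0] must also name pair[1] as Principal.Federated; check that in IAM.
    return findings


def sample_response(with_session_name=True) -> str:
    """Constructed sample response (not a real IdP capture); optionally drops RoleSessionName."""
    session = ('<saml:Attribute Name="%s"><saml:AttributeValue>alice@example.com'
               '</saml:AttributeValue></saml:Attribute>' % ATTR_SESSION_NAME) if with_session_name else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z" Destination="%s">'
            '<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            '<saml:SubjectConfirmationData Recipient="%s"/></saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement><saml:Attribute Name="%s"><saml:AttributeValue>%s,%s'
            '</saml:AttributeValue></saml:Attribute>%s</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], AWS_ACS_URL, AWS_ACS_URL, AWS_AUDIENCE,
               ATTR_ROLE, SAMPLE_ROLE, SAMPLE_PROVIDER, session))


if __name__ == "__main__":
    # Realistic use: paste the SAMLResponse value captured from the browser's POST.
    posted = base64.b64encode(sample_response(with_session_name=False).encode()).decode()
    for finding in check_aws_saml_response(decode_saml_response(posted), SAMPLE_PROVIDER):
        print("FINDING:", finding)
```

To use it on a real login, capture the SAMLResponse form field from the browser's POST to the ACS URL (a SAML tracer extension or the network panel) and pass it to `decode_saml_response`; the provider ARN to compare against is the one shown for the identity provider in the IAM console. For Identity Center the NameID check is the one that matters, since the Role attributes are an IAM-federation concept.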
Response from AWS support team.
""" From case notes I understand that you are trying to set up the Google SSO for AWS workspace access and I do understand that you are currently using Google Single Sign-On (SSO) to access the AWS Management Console.
I would like to inform you that to use SAML 2.0 authentication with WorkSpaces, the identity provider (IdP) must support IdP-initiated deep linking for the relay state URL.
At this time, we are aware that Google Workspace do not support this capability and cannot be used with Amazon WorkSpaces SAML 2.0 integration.
Below article mentions a list of identity providers that do support IdP-initiated deep linking:
https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#
I hope this information proves useful. Please feel free to reach out if you have any further questions or concerns. """
I already have Google SSO set up for AWS console access. The AWS web and mobile application is already present in Google Workspace. Can I use the same application, or should I create a new application in Google Workspace? If I can use the same application, then what should the User Access URL and the "IdP deep link parameter name - optional" be for the AWS MS AD SAML 2.0 authentication setup? Also, do I need to make changes to the existing SSO role which we created at the time of the Google SSO setup for console access?