Question: "Why is Cognito rejecting my SAML assertion?"
Quick Response:
Three potential root causes of this issue:
(1) Your SAML assertion does NOT carry/deliver all the attributes required by Cognito (see the detailed answer and resolution below).
(2) Attributes do NOT meet the format required by Cognito.
For example, (Note that please replace "ACCOUNT_NUMBER" with your aws id assigned by Amazon AWS (e.g., 123456789012))
attribute #1: awsRoles
attribute #1 value: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP
attribute #2: awsRoleSessionName
attribute #2 value: winston.hong@example.com
(3) Attribute values do NOT registered at Cognito through ADMIN console of Amazon AWS (see (II) Important Remarks on Role later on).
Remarks
(1) Adding SAML Identity Providers to a User Pool states that Audience URI/SP Entity ID of User Pool (NOT Identity Pool) is urn:amazon:cognito:sp:your-User-Pool-ID.
(2) How to enable secure access to Kibana using AWS Single Sign-On describes how to utilize AWS SSO to access Kibana (Amazon Elasticsearch Service, an AWS internal service).
An example of two important SAML SP parameters for User Pool (NOT Identity Pool) is provided below.
(I) Application ACS URL: https://<Elasticsearch domain name>.auth.<AWS region>.amazoncognito.com/saml2/idpresponse
(II) Application SAML audience: urn:amazon:cognito:sp:<user pool id>
Question: "The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell."
Answer:
Your SAML response indicates that your attribute mapping is NOT set correctly.
(1) Attribute "RoleSessionName" carried by your Shibboleth IdP v3 SAML response to Cognito is NOT required by Cognito.
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>
The correct attribute "RoleSessionName" carried by Shibboleth IdP v3 SAML response to Cognito should be your E-mail address "bob@example.com" instead of your given name "bob".
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob@example.com</saml2:AttributeValue> </saml2:Attribute>
(2) Resolution:(minor revision may be required depending on your data repository such as LDAP)
Add attribute resolution
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Simple" sourceAttributeID="employeeType">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role"
friendlyName="Role" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>
into "attribute-resolver-full.xml" or "attribute-resolver.xml" (depending on your Shibboleth IdP configuration). Shibboleth IdP Attribute Resolver Example.
Note that OpenLDAP attribute "employeeType" is used to carry the role of Amazon AWS. Your data store/repository may use different attribute to carry the role of Amazon AWS.
(I) The following OpenLDAP attributes have been mapped with AWS configuration through AWS administration console.
mail: winston.hong@example.com
employeeType: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP
(II) We provide the official link of configuring Amazon AWS with Google G Suite to describe SAML IdP configuration steps (performed through AWS administration console):
Cognito Configuring Your Identity Pool for a SAML Provider states that
Before configuring your identity pool to support a SAML provider, you must first configure the SAML identity provider in the IAM console. For more information, see Integrating third-party SAML solution providers with AWS in the IAM User Guide.
Integrating third-party SAML solution providers with AWS states that
Amazon Web Services cloud application – This article on the Google G Suite Administrator Help site describes how to configure G Suite as a SAML 2.0 IdP with AWS as the service provider.
Access the link of Google G Suite Amazon Web Services cloud application, and then Click "Step 1: Set up Amazon Web Services as a SAML 2.0 service provider (SP)", you can get the following SAML configuration steps of Amazon AWS for Cognito.
4. log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
5. In the navigation pane, select identity providers and then click Create SAML Provider.
6. Select SAML as the Provider Type, and give it a name such as GoogleApps.
7. Upload the IDP metadata you saved earlier from the Google Admin console SAML settings.
8. Click Next Step and on the following page, click Create.
9. Click the Roles tab on the left sidebar and click Create a New Role to create a role which will define the permissions.
10. Select Set role name. This name will be displayed next to the login name on the AWS console.
11. Select Role for Identity Provider Access.
12. Select Grant Web Single Sign-On (WebSSO) access to SAML providers. Click Next Step.
13. Leave the Establish trust settings as they are. Click Next Step.
14. Use the Attach policy settings to define the policies your Federated Users will have. Click Next Step.
15. On the following page, review your settings, then click Create the Role.
16. Select your Google service from the identity providers list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/GoogleApps).
17. Click Save to save the Federated Web single sign-on configuration details.
Important Remarks on Role
(a) OpenLDAP attribute "employeeType" is Role in my validation experiment with AWS console.
(b) Ensure that OpenLDAP attribute "employeeType" is mapped with your AWS configuration setting "Role"**
(c) Replace "GoogleApps" with "Shibboleth-IdP" for Provider Type
(d) Set role name (e.g., shibbolethidp or googleapps, which will be converted by AWS into arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp or arn:aws:iam::ACCOUNT_NUMBER:role/googleapps)
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with username "winston.hong@example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.
By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with your username (such as "winston.hong@your-company.com") federated by Shibboleth IdP..
(IV) My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
(3) Amazon AWS provides the configuration guide How to Use Shibboleth for Single Sign-On to the AWS Management Console.
Shibboleth provides the configuration guide Shibboleth IdP with Amazon Cognito
(4) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) I have validated Shibboleth IdP with Amazon AWS Management Console with reference to How to Use Shibboleth for Single Sign-On to the AWS Management Console
(III) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
Another StackOverflow question "Setting up a new Shibboleth IdP to work with an existing SAML SP" provides valuable information and discussions on Shibboleth SAML configuration.
