Reputation: 2624
I am trying to set up a Custom SAML 2.0 application with AWS SSO. However, I get the following error in the network tab:
Status code 403
{"message":"No access","__type":"com.amazonaws.switchboard.portal#ForbiddenException"}
And this one displayed in the UI:
Two considerations that might cause this error:
openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=localhost:9000"
If this still does not tell you anything then I will describe more below.
This is the server code, which is from the library I am using:
package main

import (
	"context"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/url"

	"github.com/crewjam/saml/samlsp"
)

func hello(w http.ResponseWriter, r *http.Request) {
	// "cn" is read from the attributes of the validated assertion
	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
}

func main() {
	// SP key pair generated with the openssl command above
	keyPair, err := tls.LoadX509KeyPair("myservice.cert", "myservice.key")
	if err != nil {
		panic(err) // TODO handle error
	}
	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
	if err != nil {
		panic(err) // TODO handle error
	}
	idpMetadataURL, err := url.Parse("https://portal.sso.<my aws region>.amazonaws.com/saml/metadata/<some gibberish id>")
	if err != nil {
		panic(err) // TODO handle error
	}
	// Fetch the IdP metadata (signing certificate, SSO endpoints) from AWS SSO
	idpMetadata, err := samlsp.FetchMetadata(context.Background(), http.DefaultClient,
		*idpMetadataURL)
	if err != nil {
		panic(err) // TODO handle error
	}
	// The SP entityID and ACS URL in the generated metadata are derived from this root URL
	rootURL, err := url.Parse("http://localhost:9000")
	if err != nil {
		panic(err) // TODO handle error
	}
	samlSP, err := samlsp.New(samlsp.Options{
		URL:         *rootURL,
		Key:         keyPair.PrivateKey.(*rsa.PrivateKey),
		Certificate: keyPair.Leaf,
		IDPMetadata: idpMetadata,
	})
	if err != nil {
		panic(err) // TODO handle error
	}
	app := http.HandlerFunc(hello)
	http.Handle("/hello", samlSP.RequireAccount(app))
	http.Handle("/saml/", samlSP)
	// Listen on the port the root URL advertises (the original listened on :8000 while rootURL said :9000)
	http.ListenAndServe(":9000", nil)
}
This server exposes an endpoint from which the IdP can fetch my auto-generated metadata:
curl -o metadata.xml http://localhost:9000/saml/metadata
This is my metadata:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-09-13T03:37:23.951Z" entityID="http://localhost:9000/saml/metadata">
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-09-13T03:37:23.951204335Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>xxxxxxxxxx</X509Certificate>
        </X509Data>
      </KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/saml/slo" ResponseLocation="http://localhost:9000/saml/slo"></SingleLogoutService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/saml/acs" index="1"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>
I have uploaded this into AWS SSO and it parsed it correctly; the following is the configuration of my AWS SSO Custom application:
When I hit localhost:9000/hello, the application is successfully redirected to the AWS SSO login console, but then that error happens.
I have also tested the application using this website: https://samltest.id/upload.php and it worked fine.
Upvotes: 2
Views: 10117
Reputation: 727
Another cause of this helpful error can be an incorrect ACS URL; in the configuration of a SAML app you specify an ACS URL ('Assertion Consumer Service'), which is the callback once you obtain the assertion.
With a Cognito/ALB/SSO setup this URL should end with saml2/idpresponse, something like https://idp.mydomain.com/saml2/idpresponse
Upvotes: 0
Reputation: 2624
I have found the solution: the problem was in the attribute mapping. This is the configuration I had to use in order to make it work.
Note the transient format option; in my previous configuration it was unspecified.
Upvotes: 9
Reputation: 11
I had the same issue. The problem was that my Service Provider configuration entityId didn't end in a "/", but my "Application SAML audience" on the AWS SSO page did end in a "/".
Even when I removed the "/" from my Application SAML audience, I needed a "/" on the SP configuration.
Upvotes: 1
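Since AWS SSO only reports "No access", a pre-flight comparison of what the IdP puts in the assertion against what the SP advertises covers the three mismatches reported on this page: the ACS URL, the NameID format (the accepted answer), and the audience versus entityID trailing slash (the last answer). This is an added example in Go, not code from any post here and not crewjam/saml's own validation; the SP values are taken from the question's metadata, and the assertion fragment is constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// SPConfig holds what the SP advertises in its metadata and expects the IdP to echo back.
type SPConfig struct {
	EntityID     string // compared byte-for-byte with the IdP's "Application SAML audience"
	ACSURL       string // must equal the ACS URL configured at the IdP
	NameIDFormat string // the accepted answer's fix was to set this to transient
}
// assertion maps only the fields the checks need; tags carry no namespace, so saml:-prefixed XML matches too.
type assertion struct {
	NameID struct {
		Format string `xml:"Format,attr"`
	} `xml:"Subject>NameID"`
	Data struct {
		Recipient string `xml:"Recipient,attr"`
	} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Audience string `xml:"Conditions>AudienceRestriction>Audience"`
}
// CheckAssertion returns one line per mismatch; an empty result means these fields would be accepted.
func CheckAssertion(sp SPConfig, raw []byte) ([]string, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	var problems []string
	if a.Audience != sp.EntityID { // a trailing "/" alone is enough to fail here
		problems = append(problems, fmt.Sprintf("Audience %q != entityID %q", a.Audience, sp.EntityID))
	}
	if a.Data.Recipient != sp.ACSURL {
		problems = append(problems, fmt.Sprintf("Recipient %q != ACS URL %q", a.Data.Recipient, sp.ACSURL))
	}
	if a.NameID.Format != sp.NameIDFormat {
		problems = append(problems, fmt.Sprintf("NameID Format %q != expected %q", a.NameID.Format, sp.NameIDFormat))
	}
	return problems, nil
}
// questionSP uses the question's metadata values; the NameID format is the one the accepted answer set.
var questionSP = SPConfig{EntityID: "http://localhost:9000/saml/metadata", ACSURL: "http://localhost:9000/saml/acs", NameIDFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}
// sampleAssertion is constructed and unsigned: trailing "/" on the Audience, unspecified NameID format.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">u@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="http://localhost:9000/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>http://localhost:9000/saml/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>`

func main() { fmt.Println(CheckAssertion(questionSP, []byte(sampleAssertion))) }
```

Running it against the constructed assertion reports the audience and NameID format mismatches and nothing for the recipient, which matches the ACS URL exactly.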