Snowflake integration with JumpCloud throws HTTP 400 error - amazon-web-services

I have enabled AWS PrivateLink to access Snowflake and there is no issue with the link. When integrating with SSO using JumpCloud, after login it just throws a 400 error.
For troubleshooting I have tried the following, but they didn't work:
https://support.snowflake.net/s/article/Error-400-Bad-Request-while-SSO-login-to-Snowflake
https://community.snowflake.com/s/article/Configuring-your-IDP-to-Snowflake-by-providing-required-properties-in-a-SAML-Response
This is the JumpCloud SSO setting.
Here is the complete SAML response, but I am still getting the 400 error. Any idea from Snowflake troubleshooting would help to resolve this issue.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/"
ID="AUZZ04QP5VMGW46F5YJZROMK164PY2C1QQ6XNXJJ"
InResponseTo="id-6417485141254017599_-1"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2"
IssueInstant="2020-05-13T07:59:21.927Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://8gwifi.org</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#OVOSTV678D3AU2SQM6PSUDG2YHNSQMN4HJR9SGI2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>nxftTo6YnJGZR+qhRSJlPoMuNMMFwoxftmNAX/YDQaI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
M=........
.................
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anish2good#yahoo.co.in</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="id-6417485141254017599_-1"
NotOnOrAfter="2020-05-13T08:04:21.927Z"
Recipient="https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/" /></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-05-13T07:54:21.927Z"
NotOnOrAfter="2020-05-13T08:04:21.927Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://8GWIFI.ORG.SG.AP-SOUTHEAST-1.AWS.PRIVATELINK.snowflakecomputing.com/fed/login/</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-05-13T07:59:21.927Z"
SessionIndex="ed8df976-6c7d-458e-ad23-1657133d3a00">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

To get SSO to work with PrivateLink, you need to contact support.
By default you can configure SSO only on the Public URL or the Private URL. You cannot have SSO configured for both URLs.
Also SSO by default is enabled on the Public URL. You can check this out by using the Public URL in the JumpBox configuration and confirm if this works.
So if this works and you want to have SSO over Private URL, contact support and they will enable the SSO for the PrivateLink.

Related

djangosaml2 metadata and django settings

I am trying to change my login to SAML2 for a Django project. I just have a metadata URL where I can see the settings and the certificate for that.
In that metadata, there is just one certificate content and a ds:SignatureValue which is generated uniquely on every request.
Do I also need a certificate key? And is there any way to get those settings directly from the metadata?
https://login.entry.com/login/saml/idp/metadata
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_895c6e0e-1111-1111-1111-4eb316fa43cc" entityID="entity.com" validUntil="2026-12-29T09:54:08.000Z">
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_895c6e0e-2920-4a24-839f-4eb316fa43cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>RfLCex+sdsafdsfddsFDS+U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FSdfsdFDSfds...==</ds:SignatureValue>
</ds:Signature>
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDezCCAmOgAwIBAgIEdKfywTANBgkqhkiG9w0Bx...==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.entity.com/login/saml/idp"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.entity.com/login/saml/idp"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Authorization error in samlWebSso20 config on WebSphere Liberty with WSO2 server as Identity Provider

I am trying to achieve SSO to the WebSphere Liberty adminCenter console using SAML with WSO2 as Identity Provider. I have configured samlWebSso20 on Liberty as per the settings mentioned here:
https://www.ibm.com/support/knowledgecenter/en/SSCKRH_1.0.2/platform/sso_liberty.html
However, the authorization fails on the Liberty side as I receive the following error in messages.log:
CWWKS9104A: Authorization failed for user admin while invoking com.ibm.ws.management.security.resource on /. The user is not granted access to any of the required roles: [Administrator].
It seems that Liberty is not able to identify the roles of the user. What could possibly be wrong in my configuration?
server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<featureManager>
<feature>webProfile-7.0</feature>
<feature>adminCenter-1.0</feature>
<feature>websocket-1.1</feature>
<feature>samlWeb-2.0</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443" />
<applicationManager autoExpand="true"/>
<basicRegistry id="basic">
<user name="admin" password="admin" />
</basicRegistry>
<administrator-role>
<user-access-id> user:ws02is510/admin</user-access-id>
</administrator-role>
<keyStore id="defaultKeyStore" password="liberty" />
<samlWebSso20 enabled="true" id="defaultSP" nameIDFormat="email" wantAssertionsSigned="false">
</samlWebSso20>
<variable name="defaultHostName" value="wasl9" />
</server>
Authenticated Response Token from WSO2:
<saml2p:Response Destination="https://wasl9:9443/ibm/saml20/defaultSP/acs"
ID="_3a43e5d918468a66dfe72be986c6655e"
InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_3a43e5d918468a66dfe72be986c6655e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>tIwEGcLKGUgicewNgegWCXirH5ma/oPYfTVeeu/eHFI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
E0yABNNUvmiDaSf3pxC3K4K/wOsvcEUA5y3uWmLi1d452LskX28ak099yZz4dDqTe+CXTTR+cM0O
gmBHPsuJLOmXjuO+UF7mAASQmL04UlU9gVyEuNYcRa37g5YFR0kzjm4iP5HWTV03xE3T0SprUahJ
QZdPy+LDBibrsF2sYy3HTel04vXzQc9h8hZJQnCMYfnS/hZXQ3mGJkfbgCIRjoDpGoHQk3gpFJlm
CgPvmkjY6+BM8rryG3Pn5F9JAoiH5j5NRbsdlvIYI334TNu21i4Se5v8dqItG3RvWwOnjlQ4j1Jy
AFP1MH6TffMhS6bEg2is9Kmyl9VVIcsDfpIIMg==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE
CBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNVBAsTAklUMRIwEAYD
VQQDEwl3czAyaXM1MTAwHhcNMjAwMzI4MTgwMDM5WhcNMjAwNjI2MTgwMDM5WjBcMQswCQYDVQQG
EwJQSzEQMA4GA1UECBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNV
BAsTAklUMRIwEAYDVQQDEwl3czAyaXM1MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCOmKIT4B+pCr1HNL6VOoe2Ps+J4/nrt9L3m4I7zHc8iAiqBMdwtfPGYGefEATn+l7AduzLVfre
qS8nqJjfnjh6Jx6abCP1z3eReaVjm5GLX325JGyIbkBtGdEHo9vSj5hgr0Z6hmSdupMZCV/86bpp
rGEOkiptejZT1Qtb3RobViI2mgJbgfThaJaqFQNZALcR7WM7KPrBU4jgPBh9XZAxfBi+RqSmS3Sr
MhAQ6z+/HHb6ef9BWoFXqpFuilZnoZZZzpjGazMFPncccNlGWqBWnLr7VbFgLJFiBz+GzbcgTjo4
LLdQ7VTXixQ1VCc92fbR++ChaZIWmREAIi/IdTQ/AgMBAAGjITAfMB0GA1UdDgQWBBS4KrNDNc+w
j6RyDqRWC80ivl7UBDANBgkqhkiG9w0BAQsFAAOCAQEAgSsPOyqPUceSvg4qiL2w1isc1fKFPfR/
bEc5ZXVhl6oRfAh9rAdhwk/GATdsMx3FiDB/Tv7Q1iKENwWIbJUb/JYQvRO81sEX3o7BczhKN9Fv
5wJOKdSGz0KLxOkLz4Gj9K87fJORSKKDjy1nz+LsZdieJjN62zW16OiggTLqf13mmmSb+jE5dYHC
SUB/k9WB+oDV0A0m9pTg1WCvrttm3KKd9DZ4QrH/mZv5lzVETpGBYFNGMmA2MQ+z2NCTaatUycnn
9nPHkpoIOGQQ11z5HCvYQ20gdvJoVJ40ZDRVaqJKeeStAd49TwYFE2kdZ9udf1LNsU8MrU89QXE5
1hiUkw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_a29d997b5f5eec9a7de1dea1e0a79391"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_a29d997b5f5eec9a7de1dea1e0a79391">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>M6gJ6nCtngEQZvCwaFJj9mClOhtb6hWymvAHunhK3YU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Hm4yL/STOxHmksgQr7xFwlv1GAkgrb2bicUTqkiWF46zuZKaN9u1yOBqfEHHB0Q5R3nwUqju93Ce
RI+yCsf0MabDhsWThpTkuiWaEeKa1xhdMqgGIYs2G4yMYbQevrxhxe8gjPKp29A3zNLnYmDiiqHn
DSE2qdWTu1rLj9IPp3YtP5nIZX84KbRq0GbTZf3mZWfYOVwUiemTYhArZf+fhTeKdNpt52eFf2Ef
WZRQIa69a0haor1/7Adt/TLlJSwSvKn6k20It43W48aj6w905tSOmCfx2Vdmiod7ezx+o2K37SrX
M6SYPC2jKWt5AoyZ4zjhlnYiRmF0iU31KoEOng==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
Recipient="https://wasl9:9443/ibm/saml20/defaultSP/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-03-31T12:54:42.492Z"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://wasl9:9443/ibm/saml20/defaultSP</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-03-31T12:54:42.477Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Thanks to #Piraveena and #Chunlong for supporting, specifically to #Chunlong for working it out till the end to help resolve the issue completely. I have got it working now by making the following changes in the WAS Liberty server.xml file:
Adding the property realm="ws02is510" in the basicRegistry tag
Adding admin under
Adding the property disableLtpaCookie="false" in the samlWebSso20 tag

SubjectConfirmationData missing recipient field

I'm still kind of new to WSO2 but have successfully set up many different applications to work with it. I am running into an issue currently trying to connect our Salesforce instance with WSO2. I keep getting a validation error saying "One of the SubjectConfirmationData elements is missing a recipient field". When looking at the SAML response, it is not including a recipient field at all. I'm not sure how to get it in there.
We are currently on WSO2 Carbon Version 5.1.0. Under my service provider for Salesforce I have enabled recipient validation and added URLs to that list, but it still doesn't add a recipient to the SubjectConfirmationData element. Any ideas on what to do?
Here is the response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="llikhiplnckepadmgibmamebigbbbbgfhggdbjgf" IssueInstant="2020-01-02T22:31:11.217Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/samlsso</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="elgkemhepilbljfckgfgchapaefibpocgjpbcnpn" IssueInstant="2020-01-02T22:31:11.217Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.com/samlsso</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#elgkemhepilbljfckgfgchapaefibpocgjpbcnpn">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>DUTHXbKOU45H9dpv81sleR8z+UZLnNBLICiyooxph0M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>blah blah blah</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>blah blah blah</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ktest</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-01-02T22:36:11.217Z" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-01-02T22:31:11.217Z" NotOnOrAfter="2020-01-02T22:36:11.217Z">
<saml2:AudienceRestriction>
<saml2:Audience>MySite</saml2:Audience>
<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
<saml2:Audience>https://example.com/samlsso</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-01-02T22:31:11.217Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement />
</saml2:Assertion>
</saml2p:Response>

ExpiredTokenException when I SAML SSO login AWS from my local IdP

I'm building an IdP on my local machine and I configured the IdP in the AWS IAM settings. Now I'd like to start an IdP-initiated SSO from my local IdP and log in to AWS; however, the following error always shows on the AWS page:
Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.
error page screenshot
What should I do for this situation?
Any help would be appreciated.
Here is the SAML Response
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://signin.aws.amazon.com/saml"
ID="_9119012392457125943"
IssueInstant="2019-06-26T07:26:21.686Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_9119012392457125943">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>dcPz91uzrgFsoVvQafIH0erSoy9SsGQqs+NrEhEzpQ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J+U7AcD8QTXlgAvcGl4TIUrb5Q1CgJfJ/rP4VUEOeF67NvGQM12cA3HLzoFevMOxluwA4dleWuTd
I+Tsfc7QCuY6CZ9dsWCYhSP7jfpoAsbDwAGUqAiUf2sEC5jackNs5x1oobYac/9POzHesuelkQAF
Ld3zwxc7O+O3bH2pSC/FO0//b+mAZMdGVcYel2qyAgcW2Cwl41rl0YoSBv4zG435q17PqpIfh5tx
w/0UsYbuvdQIFcPE58okw8Q27XR8QdyD3b/9SGOm5s+v8JX/znapcf8KfeoNodvVu+hho9b/79i0
1H8aF/lTpOKq6xBL8zzK/m0Gqjjap8+Q7oR1xw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU...=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
ID="_4072804912448579929"
IssueInstant="2019-06-26T07:25:33.546Z"
Version="2.0"
>
<saml2:Issuer>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_4072804912448579929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>QE9YpUj05wSf69eoo/w+e3kcI458dSe/zfiFIGYJ9/s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ddCEn8eKvZQlqPXTf6NIzY2Y2OE3EvXYjQxNrvlWHUy5mD0J/hMpA1BjE1vMVsPtYs9+b8hqNMQC
vO3dBomyZ4fxMVeidUmKOVVxD/657zGeHpwKWWacb8bpvVptfv12SoSlCwR5daJmchv1D5VBJ7xU
2o7WXEx4mBH8M4Hq4jiysrVaqgCjbU6q8toNhvIo3fJSLpMQNMZt2oGQkAD1t520WSl6u7hL+FqW
z6PD/UlR/tlhNoyrlhK6SIkqqHC/xrVGXi/JDLWEZm8n6QwiSus/IlPHKmn7nXjwx6hQjRC0HjNt
/G+GdhSd+9Rz8VEKcrNZ19Fh/yQRvJgREEaALQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU...=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fengAWS</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2019-06-26T07:25:28.267Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-26T07:25:36.485Z"
NotOnOrAfter="2019-06-26T07:58:56.485Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-26T07:25:28.267Z"
SessionIndex="_320981710988786175"
>
<saml2:SubjectLocality Address="urn:amazon:webservices" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="isFromNewLogin"
Name="isFromNewLogin"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate"
Name="authenticationDate"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>2019-06-26T15:25:18.192+08:00[Asia/Shanghai]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod"
Name="authenticationMethod"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
Name="successfulAuthenticationHandlers"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::490595513456:role/ParaSSO,arn:aws:iam::490595513456:saml-provider/Para</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="username"
Name="username"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Question 1: I'm building an IdP on my local machine and I configured the IdP in the AWS IAM settings. Now I'd like to start an IdP-initiated SSO from my local IdP and log in to AWS; however, the following error always shows on the AWS page:
Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.
What should I do for this situation? Any help would be appreciated.
Answer:
This is a typical AWS-SAML IdP federated user error (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException).
The SAML Response/Assertion/Token must be redeemed within 5 minutes of issuance by your SAML IdP.
Resolution:
(I) Check whether your SAML IdP server's time is synchronized with an NTP server.
(II) After your SAML IdP server's time has been synchronized with the AWS server time (within 1 minute or less), restart your SAML IdP.
Question 2: error page screenshot
Here is the SAML Response
Answer:
Your error page screenshot indicates that your AWS role is MySSO, but your SAML response indicates that your AWS role is ParaSSO. This will cause another AWS-SAML IdP federated user error.
I have shared my Single Sign On (SSO) success experience on Shibboleth SAML IdP with Amazon AWS in another StackOverflow question, "Why is Cognito rejecting my SAML assertion?".
My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong#example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Follow-up Question 3: I changed the skewAllowance and the ExpiredTokenException has gone, but still got AccessDenied error, do you have some ideas?
Answer:
I extract SAML attribute "Role" from SAML assertion (as shown below). One can see that "Role" attribute consists of two values "role" and "saml-provider".
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
You need to ensure that both values of the "Role" attribute (carried by the SAML assertion/SAML response) are exactly the same as you declare through the Amazon AWS admin console. Example #1: ParaSSO and Para for your local IdP; Example #2: shibbolethidp and Shibboleth-IdP for my SAML IdP. Any slight difference will cause "Error Code: AccessDenied;".
Sub-question (3.a): I tried with Okta/OneLogin and it can SAML access my AWS successfully, and I checked the SAML response/AWS IAM configuration and didn't see many differences from my local IdP. I started my IdP server in the internal network 192.168.2.237; is it because there is some AWS restriction on local addresses or something? Any help would be appreciated.
Response:
(I) There is NO AWS restriction on local addresses, as shown by my SAML response for a successful login to AWS. I have also used the local Shibboleth IdP to log into the Amazon AWS admin console successfully.
<saml2:SubjectLocality Address="192.168.150.10" />
(II) In addition to the "Role" attribute and the "RoleSessionName" attribute, you need to ensure that the SAML IdP metadata of your local IdP contains the complete and accurate SAML authentication information required by Amazon AWS, at least the public certificate/key for verifying the signed assertion and the SAML IdP issuer.
(II.a) A typical cause of an Access Denied error is that your local IdP metadata provides the wrong public certificate/key for verifying the signed assertion to Amazon AWS.
(II.b) For your convenience, How to build and run Shibboleth SAML IdP and SP using Docker container at the GitHub repository provides a Shibboleth SAML IdP metadata file "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" which has been validated with a successful SSO for Amazon AWS. This Shibboleth SAML IdP metadata consists of three signing certificates (sign Responses, sign Assertions, and encrypt Assertions).
(II.c) Amazon AWS will extract the public certificate/key for signing Assertions from your SAML IdP metadata. In my Shibboleth IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" provided by the above link at the GitHub repository, the 2nd public certificate/key (or signing certificate) is used by Amazon AWS to verify the signed assertion.
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and the corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to the Amazon AWS account ("my-aws-id", e.g., 123456789012) with username "winston.hong#example.com" successfully using the Shibboleth IdP running in a Docker container with the 9th commit.
By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("my-aws-id", e.g., 123456789012) with your username (such as "winston.hong#your-company.com") federated by the Shibboleth IdP.
(IV) I have shared my successful SAML configuration experience on Shibboleth IdP SSO for Amazon AWS in another StackOverflow question, Why is Cognito rejecting my SAML assertion?.
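The two checks the answer above describes, the exact-match rule for both halves of the "Role" attribute and the metadata certificate check in (II.a)/(II.c), as an added Python example that is not part of the answer or of the linked repository. It assumes standard SAML 2.0 Response and IdP metadata XML; the Response, metadata, ARNs (placeholder account id 123456789012) and certificate text below are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

def aws_role_pairs(response_xml):
    """(role_arn, saml_provider_arn) for each value of the AWS Role attribute."""
    pairs = []
    for attr in ET.fromstring(response_xml).iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.iterfind("saml2:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
                raise ValueError(f"malformed Role value: {val.text!r}")
            pairs.append(tuple(parts))
    return pairs

def role_mismatches(response_xml, iam_declared):
    """Pairs that are not exactly an IAM-declared (role, provider) pair; any difference in case or spelling yields AccessDenied."""
    return [p for p in aws_role_pairs(response_xml) if p not in iam_declared]

def _b64(text):
    """Strip whitespace and PEM armour so wrapped and bare certificates compare equal."""
    return re.sub(r"\s+|-----[A-Z ]+-----", "", text or "")

def assertion_signed_by_metadata_cert(response_xml, metadata_xml):
    """True when the certificate in the Assertion's Signature is a use="signing" (or unqualified) certificate from the IdP metadata."""
    used = ET.fromstring(response_xml).find(".//saml2:Assertion/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    published = {_b64(c.text) for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS)
                 if kd.get("use", "signing") == "signing"
                 for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)}
    return used is not None and _b64(used.text) in published

# Constructed sample data: placeholder account id and dummy certificate text.
RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Assertion xmlns:saml2="{NS['saml2']}"><ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo>
<ds:X509Data><ds:X509Certificate>MIIC+DUMMY
SIGNING=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:AttributeStatement>
<saml2:Attribute Name="{ROLE_ATTR}"><saml2:AttributeValue>arn:aws:iam::123456789012:role/shibbolethidp,arn:aws:iam::123456789012:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"><md:IDPSSODescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC+DUMMYSIGNING=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
IAM_DECLARED = {("arn:aws:iam::123456789012:role/shibbolethidp", "arn:aws:iam::123456789012:saml-provider/Shibboleth-IdP")}

if __name__ == "__main__":
    print(role_mismatches(RESPONSE, IAM_DECLARED), assertion_signed_by_metadata_cert(RESPONSE, METADATA))
```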

Connecting Shibboleth as an IdP and API Publisher as SP

The Plan
We went to configure Shibboleth as the IdP so we can do SSO. We have Shibboleth configured already for the many other things we do, like email and account information, but when trying to add our API publisher to the mix we seem to be getting an error. We believe it to be a WSO2 configuration error. We have been using this WSO2 documentation as a template: How to Configure Shibboleth IdP as a Trusted Identity Provider
The Situation
So far we are able to get to the login screen and put in our credentials, but when it tries to redirect us we get an Error 401 : Authorization Required.
SAML code
<saml2p:Response
Destination="localhost"
ID="mbnfmmagbmefckldpefbmjopkadjahbkocadhmib"
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf"
IssueInstant="2016-12-05T16:20:37.939Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IdsDev
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#mbnfmmagbmefckldpefbmjopkadjahbkocadhmib">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9xbWKA7A+7k7Vaz6O18z8Xliqbo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>kX11Q4eCUyME+VP5M7+5iI6D45kqQgE6MIqth7hNosSmfdSD3kZS0dwlcNwVlrzA64LMUZxclU256xP6w6nn0TqEqLjKy/tGXeQbKjaYrPcXx6336kIp8YGajqDiBh7IJswFDxugLoRx70APaKGthJi5VwRea1oT3lE4RHJoMgiN7o5FO1N+8IE34zEJLmTIpt+lYdXQPJanN29GY9YfIouFe2TGfHfXd9PT2nt7Dmf+M69DM3giEyizbzljYHdkjJrTlqoYTlHBHNPq8NF/+1wwuL76SP0Bory4k/7JvelW6RSAz82pdjDc0ublBmuceTENza2GiC2sitVQPycl/
g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFejCCBGKgAwIBAgIQCKTAgWTgw/Ea7HQ+L665tTANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MjYwMDAwMDBaFw0xOTEwMDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVJZGFobzEQMA4GA1UEBxMHUmV4YnVyZzEnMCUGA1UEChMeQnJpZ2hhbSBZb3VuZyBVbml2ZXJzaXR5LUlkYWhvMRgwFgYDVQQDEw9pZHNkZXYuYnl1aS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeLpdcJnXbGKRYujiUIoCOFrjR3PZ2E+BmzGNNTSTbnxjRPCJpjoI/5OWXPV/59I4s+b/lMaVuth5G8FD/yGDE/cyOKHM79G8UR399aqflqVWCfBc5Kqf7oKByBiost5JQyLGUTlXOvOKvLNTSHEC1gZUYP6Sn9m7/HOtcaMji32N0Pr22NYk92LSbUZqwVUM5e71q7Yze4OTiAv/Sd3Us1M4YgD+qJpy15Rph5Uo7jq1J9YE38dVmznJKD5xKt6G5Bn/b7pWipnhfG9gNJhjkpP/IVOfkpsDIm4QDXOArjzV/qLck8GF6zr8+PiUM4k/peottkvq6UV0AKPiv/DPJAgMBAAGjggIMMIICCDAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgpnRRipdTainSlDqezFYUGdyKWgwPgYDVR0RBDcwNYIPaWRzZGV2LmJ5dWkuZWR1ghBJZHNEZXYxLmJ5dWkuZWR1ghBJZHNEZXYyLmJ5dWkuZWR1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBADAayQq4l5DqWmgste9KgnqWOkOkjWw7bxu7WOh++oPyaNlyzieaz2ZJXrf4bHHeF5pCA9FUzhpdwGg+iWzt5Wd8L3G50mEUBJKjKgAzkOr9ywoGlPio/GaqqNrMmKhmLQDz6hcIoCk3SXAR5GDzRCjn5PZvboL9l+uTCE0h6Sg8qCRjgIYvOHbN8FhMla2opx2B7mnX5jAnfzfnJgGQZERLDSy8dvYhtXBaxaCzDqfYwZFQjec+IRjHHHLQpAPKzB5ARNe5IYlSMfkbi71kNpaFQ1WAJtAO+9pld5zgA/
OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion
ID="gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm"
IssueInstant="2016-12-05T16:20:37.939Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IdsDev
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Z7DIvjwTk4JpF0TRMNzo3Z/4sfc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>h1Stjkbw306VU7TN5OEou2XII3nzvhr34GVbced5Gk7q+EZailZusYISkC11eJjk4Y+CejMa4RODelwnMAdpfeWmMYz6ukk0jh9RH97/uWPOWKfOp4n/oXVnYE3rdImGcb1egas/zprqM7Pl8mbwI7vK3ScMUagBg6Td1sxHfRgVBk6r8C+40sgTAG8LsOd+q8LKNYj5mSeZ5K34SBdkmMWNpAS9mOT9CSJfWOrd9uAvFXHeuWN31MbIgVV5seEMfUzC18I/4s3qXwWqIvQxIsF8l9WuIuMYsFPT+oQJBU/ltQVf54w29k50tvN+LyvmNbZCZANf+
3JXwygyImc2Yg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[certificate omitted; it is the same certificate as in the Response signature above]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username
</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf"
NotOnOrAfter="2016-12-05T16:25:37.939Z"
Recipient="localhost"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions
NotBefore="2016-12-05T16:20:37.939Z"
NotOnOrAfter="2016-12-05T16:25:37.939Z">
<saml2:AudienceRestriction>
<saml2:Audience>API_PUBLISHER</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement
AuthnInstant="2016-12-05T16:20:37.941Z"
SessionIndex="cbc00514-954b-4de2-8e7b-b50edf9c5976">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute
Name="http://wso2.org/claims/fullname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">username
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
IdP Config
Shibboleth IDS configuration
We solved the problem! We couldn't get Shibboleth 2 to send the right information in the Subject/NameID in the SAML, but when we tried Shibboleth 3 the customization of the NameID was an easier thing to work with. Anyway, WSO2 could not authorize access with just the username in the Subject/NameID; it also needed the domain, formatted like this: domain/username. With that we got SSO to work.