ExpiredTokenException when I SAML SSO login AWS from my local IdP
I\'m building a IdP in my local and I configured the IdP in AWS IAM settings, now I\'d like to start an IdP initial SSO from my local and login AWS, however the error always sho
-
Question 1: I'm building a IdP in my local and I configured the IdP in AWS IAM settings, now I'd like to start an IdP initial SSO from my local and login AWS, however the error always shows in AWS page:
Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.
What should I do for this situation? Any help would be appreciated.
Answer:
This is a typical AWS-SAML IdP federated user error (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException).
SAML Response/Asserion/Token must be redeemed within 5 minutes of Issuance provided by your SAML IdP.
Resolution:
(I) Check whether your SAML IdP Server's time is synchronized with NTP server.(II) After your SAML IdP Server's time has been synchronized with AWS server time zone (within 1 minute or less), restart your SAML IdP.
Question 2: error page screenshot
Here is the SAML Response
Answer:
Your error page screenshot indicates that your AWS role is MySSO, but your SAML response indicates that your AWS role is ParaSSO. This will cause another AWS-SAML IdP federated user error.
I have shared my Single Sign On (SSO) success experience on Shibboleth SAML IdP with Amazon AWS in another StackOverflow question Why is Cognito rejecting my SAML assertion?.
My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml" ID="_fc89710799c4c2c540341e94bf7132d5" IssueInstant="2019-06-11T18:49:38.300Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928" IssueInstant="2019-06-11T18:49:38.300Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" > <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652 3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0 cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM /ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0 NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu /8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2 RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P 0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3 wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP 6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.com/idp/shibboleth" SPNameQualifier="urn:amazon:webservices" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData Address="192.168.150.10" NotOnOrAfter="2019-06-11T18:54:38.412Z" Recipient="https://signin.aws.amazon.com/saml" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z" NotOnOrAfter="2019-06-11T18:54:38.300Z" > <saml2:AudienceRestriction> <saml2:Audience>urn:amazon:webservices</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z" SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357" > <saml2:SubjectLocality Address="192.168.150.10" /> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" >arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" >winston.hong@example.com</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>Follow-up Question 3: I changed the skewAllowance and the ExpiredTokenException has gone, but still got AccessDenied error, do you have some ideas?
Answer:
I extract SAML attribute "Role" from SAML assertion (as shown below). One can see that "Role" attribute consists of two values "role" and "saml-provider".<saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" >arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue> </saml2:Attribute>You need to ensure that both values of "Role" attribute (carried by SAML assertion/SAML response) should be exactly the same as you declare through Amazon AWS admin console. Example #1: ParaSSO and Para for your local IdP; Example #2: shibbolethidp and Shibboleth-IdP for my SAML IdP. Any slight difference will cause "Error Code: AccessDenied;".
Sub-question (3.a): I tried with okta/onelogin and it can SAML access my AWS successfully, and checked the saml response/aws iam configuration, didn't see many differences from my local IdP, I started my IdP server in internal network 192.168.2.237, is it because there is some AWS restriction on local address or something? Any help would be appreciated.
Response:
(I) There is NO AWS restriction on local address, as shown by my SAML response for successful login to AWS. I have also used the local Shibboleth IdP to log into Amazon AWS admin console successfully.<saml2:SubjectLocality Address="192.168.150.10" />(II) In addition to "Role" attribute and "RoleSessionName" attribute, you need to ensure that SAML IdP metadata of your local IdP contains the complete and accurate SAML authentication information required by Amazon AWS, at least public certificate/key for verifying the signed assertion and SAML IdP issuer.
(II.a) A typical Access Denied error is that your local IdP metadata provides the wrong public certificate/key for verifying the signed assertion to Amazon AWS.
(II.b) For your convenience, How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides a Shibboleth SAML IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" which has been validated with a successful SSO for Amazon AWS. This Shibboleth SAML IdP metadata consists of three signing certificates (sign Responses, sign Assertions, and encrypt Assertions).
(II.c) Amazon AWS will extract public certificate/key for sign Assertions from your SAML IdP metadata. In my Shibboleth IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" provided by the above link at GitHub repository, the 2nd public certificate/key (or signing certificate) is used by Amazon AWS to verify the signed assertion.
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("my-aws-id", e.g., 123456789012) with username "winston.hong@example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("my-aws-id", e.g., 123456789012) with your username (such as "winston.hong@your-company.com") federated by Shibboleth IdP.
(IV) I have shared my successful SAML configuration experience on Shibboleth IdP SSO for Amazon AWS at another StackOverflow question Why is Cognito rejecting my SAML assertion?.
讨论(0)
加载中...
- 热议问题