ExpiredTokenException when I SAML SSO login AWS from my local IdP

Question

I'm building a IdP in my local and I configured the IdP in AWS IAM settings, now I'd like to start an IdP initial SSO from my local and login AWS, however the error always shows in AWS page:

Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.

error page screenshot

What should I do for this situation? Any help would be appreciated.

Here is the SAML Response

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 Destination="https://signin.aws.amazon.com/saml"
                 ID="_9119012392457125943"
                 IssueInstant="2019-06-26T07:26:21.686Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://localhost/lighting/idp</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_9119012392457125943">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xsd"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>dcPz91uzrgFsoVvQafIH0erSoy9SsGQqs+NrEhEzpQ8=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
J+U7AcD8QTXlgAvcGl4TIUrb5Q1CgJfJ/rP4VUEOeF67NvGQM12cA3HLzoFevMOxluwA4dleWuTd
I+Tsfc7QCuY6CZ9dsWCYhSP7jfpoAsbDwAGUqAiUf2sEC5jackNs5x1oobYac/9POzHesuelkQAF
Ld3zwxc7O+O3bH2pSC/FO0//b+mAZMdGVcYel2qyAgcW2Cwl41rl0YoSBv4zG435q17PqpIfh5tx
w/0UsYbuvdQIFcPE58okw8Q27XR8QdyD3b/9SGOm5s+v8JX/znapcf8KfeoNodvVu+hho9b/79i0
1H8aF/lTpOKq6xBL8zzK/m0Gqjjap8+Q7oR1xw==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     ID="_4072804912448579929"
                     IssueInstant="2019-06-26T07:25:33.546Z"
                     Version="2.0"
                     >
        <saml2:Issuer>http://localhost/lighting/idp</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_4072804912448579929">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xsd"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>QE9YpUj05wSf69eoo/w+e3kcI458dSe/zfiFIGYJ9/s=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
ddCEn8eKvZQlqPXTf6NIzY2Y2OE3EvXYjQxNrvlWHUy5mD0J/hMpA1BjE1vMVsPtYs9+b8hqNMQC
vO3dBomyZ4fxMVeidUmKOVVxD/657zGeHpwKWWacb8bpvVptfv12SoSlCwR5daJmchv1D5VBJ7xU
2o7WXEx4mBH8M4Hq4jiysrVaqgCjbU6q8toNhvIo3fJSLpMQNMZt2oGQkAD1t520WSl6u7hL+FqW
z6PD/UlR/tlhNoyrlhK6SIkqqHC/xrVGXi/JDLWEZm8n6QwiSus/IlPHKmn7nXjwx6hQjRC0HjNt
/G+GdhSd+9Rz8VEKcrNZ19Fh/yQRvJgREEaALQ==
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fengAWS</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2019-06-26T07:25:28.267Z"
                                               Recipient="https://signin.aws.amazon.com/saml"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2019-06-26T07:25:36.485Z"
                          NotOnOrAfter="2019-06-26T07:58:56.485Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>urn:amazon:webservices</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2019-06-26T07:25:28.267Z"
                              SessionIndex="_320981710988786175"
                              >
            <saml2:SubjectLocality Address="urn:amazon:webservices" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="isFromNewLogin"
                             Name="isFromNewLogin"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >false</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="authenticationDate"
                             Name="authenticationDate"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >2019-06-26T15:25:18.192+08:00[Asia/Shanghai]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="authenticationMethod"
                             Name="authenticationMethod"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
                             Name="successfulAuthenticationHandlers"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
                             Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >fengAWS</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
                             Name="longTermAuthenticationRequestTokenUsed"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >false</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
                             Name="https://aws.amazon.com/SAML/Attributes/Role"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >arn:aws:iam::490595513456:role/ParaSSO,arn:aws:iam::490595513456:saml-provider/Para</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="username"
                             Name="username"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >fengAWS</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Answer 1

Question 1: I'm building a IdP in my local and I configured the IdP in AWS IAM settings, now I'd like to start an IdP initial SSO from my local and login AWS, however the error always shows in AWS page:

Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again.

What should I do for this situation? Any help would be appreciated.

Answer:

This is a typical AWS-SAML IdP federated user error (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException).

SAML Response/Asserion/Token must be redeemed within 5 minutes of Issuance provided by your SAML IdP.

Resolution:
(I) Check whether your SAML IdP Server's time is synchronized with NTP server.

(II) After your SAML IdP Server's time has been synchronized with AWS server time zone (within 1 minute or less), restart your SAML IdP.

Question 2: error page screenshot

Here is the SAML Response

Answer:

Your error page screenshot indicates that your AWS role is MySSO, but your SAML response indicates that your AWS role is ParaSSO. This will cause another AWS-SAML IdP federated user error.

I have shared my Single Sign On (SSO) success experience on Shibboleth SAML IdP with Amazon AWS in another StackOverflow question Why is Cognito rejecting my SAML assertion?.

My SAML response for successful login to AWS is provided below for your reference.

<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
                 ID="_fc89710799c4c2c540341e94bf7132d5"
                 IssueInstant="2019-06-11T18:49:38.300Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
                     IssueInstant="2019-06-11T18:49:38.300Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xsd"
                                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                          NameQualifier="https://idp.example.com/idp/shibboleth"
                          SPNameQualifier="urn:amazon:webservices"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="192.168.150.10"
                                               NotOnOrAfter="2019-06-11T18:54:38.412Z"
                                               Recipient="https://signin.aws.amazon.com/saml"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
                          NotOnOrAfter="2019-06-11T18:54:38.300Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>urn:amazon:webservices</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
                              SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
                              >
            <saml2:SubjectLocality Address="192.168.150.10" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="Role"
                             Name="https://aws.amazon.com/SAML/Attributes/Role"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="RoleSessionName"
                             Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >winston.hong@example.com</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Follow-up Question 3: I changed the skewAllowance and the ExpiredTokenException has gone, but still got AccessDenied error, do you have some ideas?

Answer:
I extract SAML attribute "Role" from SAML assertion (as shown below). One can see that "Role" attribute consists of two values "role" and "saml-provider".

<saml2:Attribute FriendlyName="Role"
                  Name="https://aws.amazon.com/SAML/Attributes/Role"                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"                       >
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xsd:string"
                            >arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>

You need to ensure that both values of "Role" attribute (carried by SAML assertion/SAML response) should be exactly the same as you declare through Amazon AWS admin console. Example #1: ParaSSO and Para for your local IdP; Example #2: shibbolethidp and Shibboleth-IdP for my SAML IdP. Any slight difference will cause "Error Code: AccessDenied;".

Sub-question (3.a): I tried with okta/onelogin and it can SAML access my AWS successfully, and checked the saml response/aws iam configuration, didn't see many differences from my local IdP, I started my IdP server in internal network 192.168.2.237, is it because there is some AWS restriction on local address or something? Any help would be appreciated.

Response:
(I) There is NO AWS restriction on local address, as shown by my SAML response for successful login to AWS. I have also used the local Shibboleth IdP to log into Amazon AWS admin console successfully.

<saml2:SubjectLocality Address="192.168.150.10" />

(II) In addition to "Role" attribute and "RoleSessionName" attribute, you need to ensure that SAML IdP metadata of your local IdP contains the complete and accurate SAML authentication information required by Amazon AWS, at least public certificate/key for verifying the signed assertion and SAML IdP issuer.

(II.a) A typical Access Denied error is that your local IdP metadata provides the wrong public certificate/key for verifying the signed assertion to Amazon AWS.

(II.b) For your convenience, How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides a Shibboleth SAML IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" which has been validated with a successful SSO for Amazon AWS. This Shibboleth SAML IdP metadata consists of three signing certificates (sign Responses, sign Assertions, and encrypt Assertions).

(II.c) Amazon AWS will extract public certificate/key for sign Assertions from your SAML IdP metadata. In my Shibboleth IdP metadata "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" provided by the above link at GitHub repository, the 2nd public certificate/key (or signing certificate) is used by Amazon AWS to verify the signed assertion.

(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("my-aws-id", e.g., 123456789012) with username "winston.hong@example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.

By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("my-aws-id", e.g., 123456789012) with your username (such as "winston.hong@your-company.com") federated by Shibboleth IdP.

(IV) I have shared my successful SAML configuration experience on Shibboleth IdP SSO for Amazon AWS at another StackOverflow question Why is Cognito rejecting my SAML assertion?.