
Our company's Active Directory accounts are somehow used to log in to AWS using federation.

The last few days I've started getting this error, however, and I'm wondering if anyone knows what it means:

ERROR: error logging into role&{arn:aws:iam::111111111111:role/myrole arn:aws:iam::111111111111:saml-provider/MyCompanyPingID }: error retrieving STS credentials using SAML: InvalidIdentityToken: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: 11111111-1111-1111-1111-111111111111; Proxy: null) status code: 400, request id: 22222222-2222-2222-2222-222222222222

My own interpretation is that arn:aws:iam::111111111111:saml-provider/MyCompanyPingID is returning a response to AWSOpenIdDiscoveryService that is not base64-encoded, but AWSOpenIdDiscoveryService expects it to be base64-encoded.

It seems this must be an issue with my account because I've asked other people in my team and they don't have this issue.

My question is, does anyone know what the error even means, and what is likely to cause it? Is it an incorrect encoding, for example?

Edit:

I see that there are a couple of similar questions if I search for AuthSamlInvalidSamlResponseException:

sashoalm

1 Answer


In my case, it seems it was an issue with my account - I didn't have any roles assigned.

sashoalm
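An added offline diagnostic (not code from the question, the answer, or any AWS or PingID tool) that reproduces the two checks this thread runs into: whether the SAMLResponse value is strictly valid base64, and whether the decoded assertion actually carries the expected role/provider pair in the AWS Role attribute. The SAML assertion namespace and the Role attribute name are the standard ones; the sample assertion, the account id and the ARNs are constructed from the values quoted in the question.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # attribute STS reads for role entitlement

def decode_saml_response(encoded):
    """Strictly base64-decode the SAMLResponse value; this is the check STS failed in the question."""
    try:
        return base64.b64decode(encoded, validate=True)  # rejects stray whitespace, bad padding, raw XML
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"SAMLResponse is not valid base64: {exc}") from None

def extract_role_pairs(xml_bytes):
    """Return (role_arn, provider_arn) pairs from the Role attribute, in either order AWS accepts."""
    pairs = []
    for attr in ET.fromstring(xml_bytes).iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) == 2 and role and provider:
                pairs.append((role, provider))
    return pairs

def diagnose(encoded, role_arn, provider_arn):
    """Run the two checks behind this thread's errors: base64 validity, then role entitlement."""
    try:
        xml_bytes = decode_saml_response(encoded)
    except ValueError as exc:
        return "invalid-base64", str(exc)
    pairs = extract_role_pairs(xml_bytes)
    if not pairs:
        return "no-roles", "assertion carries no Role attribute values (cf. the accepted answer)"
    if (role_arn, provider_arn) not in pairs:
        return "role-missing", f"{role_arn} is not among the {len(pairs)} asserted role(s)"
    return "ok", "requested role/provider pair is present in the assertion"

# Constructed, unsigned sample assertion for offline use; real responses are signed and much larger.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>'
    f'<saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>arn:aws:iam::111111111111:role/myrole,'
    'arn:aws:iam::111111111111:saml-provider/MyCompanyPingID</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Feed it the SAMLResponse form value captured from your own browser session (decode only, never re-send it) to tell a malformed encoding apart from an assertion that simply lists no role for your account.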