SSO between Google Apps (G Suite) and AWS Console

August 27th, 2020

Help for anyone experiencing the dreaded "Your request included an invalid SAML response. To logout, click here" error when setting up SSO between Google Apps (G Suite) and AWS.

So I wanted to play with SAML SSO using my Google Apps (G Suite) service as my IdP and my AWS account as the client (the SAML service provider). I diligently followed the directions at Google to do so, but kept getting this error from AWS whenever I attempted to sign in:

Your request included an invalid SAML response. To logout, click here

I couldn't understand what the hell was going wrong, as I'd base64-decoded my SAML responses and saw everything I was supposed to have in there, until I finally came across this AWS troubleshooting page.

It finally made sense:

The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings

Aha! Back to the Google console, I edited my custom user attributes for my Amazon role. Originally I'd had only the ARN of the IAM role I had mapped in there, like so:

[Screenshot: Broken AWS role attribute in Google Apps]

I had to pair it with the ARN of the SAML identity provider I'd created in IAM for Google, the two comma-separated with the role ARN first, like so:

[Screenshot: Google role ARN concatenated onto SAML provider ARN]
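When you are staring at a base64-decoded SAML response and AWS still rejects it, it helps to have a checker that applies AWS's rules mechanically rather than by eye. The script below is an added example, not code from the post or from Google or AWS: it decodes a SAMLResponse form value, pulls out the attributes, and flags exactly the mistake described above (a Role value that is a bare role ARN instead of a "role ARN,provider ARN" pair), plus two related causes of the same error that the AWS troubleshooting page also lists: the two ARNs living in different accounts, and a missing RoleSessionName attribute. The attribute names are the ones AWS documents; the account ID, role and provider names, and the abbreviated unsigned assertion are constructed placeholders.

```python
import base64
import re
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces found in the assertion AWS receives.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Shape of the two ARNs AWS expects in each Role value. Names exclude commas
# because the comma is the pair separator.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[^,\s]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[^,\s]+$")

# Constructed sample values; the account ID and names are placeholders.
BAD_ROLE_VALUE = "arn:aws:iam::123456789012:role/Google"
GOOD_ROLE_VALUE = ("arn:aws:iam::123456789012:role/Google,"
                   "arn:aws:iam::123456789012:saml-provider/Google")


def check_role_value(value):
    """Return the problems with one Role AttributeValue (empty list if it is fine)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return [f"Role value must be 'role_arn,provider_arn', got {len(parts)} field(s): {value!r}"]
    # Identify each half by its pattern rather than by position.
    role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    problems = []
    if role is None:
        problems.append(f"no IAM role ARN in {value!r}")
    if provider is None:
        problems.append(f"no saml-provider ARN in {value!r}")
    if role and provider:
        role_acct = ROLE_ARN_RE.match(role).group(1)
        prov_acct = PROVIDER_ARN_RE.match(provider).group(1)
        if role_acct != prov_acct:
            problems.append(f"role account {role_acct} != provider account {prov_acct}")
    return problems


def extract_attributes(xml_text):
    """Map each SAML Attribute Name to its list of AttributeValue strings."""
    # ElementTree's expat parser does not resolve external entities, which is
    # the behaviour we want for a response pasted out of a browser trace.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def check_response(b64_response):
    """Decode a base64 SAMLResponse form field and list AWS-relevant problems."""
    attrs = extract_attributes(base64.b64decode(b64_response).decode("utf-8"))
    problems = []
    if not attrs.get(SESSION_ATTR):
        problems.append(f"missing {SESSION_ATTR}")
    role_values = attrs.get(ROLE_ATTR)
    if not role_values:
        problems.append(f"missing {ROLE_ATTR}")
    for value in role_values or []:
        problems.extend(check_role_value(value))
    return problems


def build_sample_response(role_value):
    """Constructed, heavily abbreviated SAML response (no signature, no
    Conditions) carrying the given Role value, base64-encoded like the
    SAMLResponse form field the browser posts to AWS."""
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>{role_value}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for label, value in (("broken", BAD_ROLE_VALUE), ("fixed", GOOD_ROLE_VALUE)):
        problems = check_response(build_sample_response(value))
        print(f"{label}: {problems or 'no problems found'}")
```

To use it on a real login attempt, copy the SAMLResponse value from the POST to https://signin.aws.amazon.com/saml out of the browser's network panel (the SAML-tracer extension shows it too) and pass it to `check_response`. The checker only validates the AWS attribute contract; signature, audience and validity-window problems are separate causes of the same generic error and need the IdP's signing certificate to verify.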

OK, so start a new browser session, log into my Google Apps (G Suite) account, and click on the AWS app, then:

[Screenshot: A working console!]

Hallelujah, all working! The top right now shows the role name (in this case I called it "Google") and my email address. I'm in, baby!


Tags: SAML, GSuite, Google Apps, SSO, aws