SSO between Google Apps (G Suite) and AWS Console
August 27th, 2020
Help for anyone experiencing the dreaded "Your request included an invalid SAML response. To logout, click here" error when setting up SSO between Google Apps (G Suite) and AWS.
So I wanted to play with SAML SSO using my Google Apps (G Suite) service as my IdP and my AWS account as the service provider. I diligently followed the directions at Google to do so, but kept getting this error from AWS whenever I attempted to sign in:
Your request included an invalid SAML response. To logout, click here
I couldn't understand what the hell was going wrong, as I'd base64-decoded my SAML responses and saw everything I was supposed to have in there, until I finally came across this AWS troubleshooting page.
It finally made sense:
The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings
Aha! Back to the Google console, where I edited my custom user attributes for my Amazon role. Originally I'd had only the ARN of the IAM role I had mapped in there, like so:
I had to pair it with the ARN of the SAML identity provider I'd created in IAM for Google, comma-separated, like so:
OK, so start a new browser session, log into my Google Apps (G Suite) account, and click on the AWS app, then:
Hallelujah, all working! The top right now shows the role name (in this case I called it "Google") and my email address. I'm in, baby!
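As an added example (not part of the original post, and not AWS or Google code), here is a small checker that does what the troubleshooting above boils down to: base64-decode a SAMLResponse, pull every AttributeValue out of the `https://aws.amazon.com/SAML/Attributes/Role` attribute, and report any value that is not a comma-separated pair of one IAM role ARN and one IAM saml-provider ARN in the same account. The account number, role name and provider name in the constructed sample responses are placeholders, and the sample responses are unsigned fixtures built inline, not real captured traffic.

```python
import base64
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the attribute name AWS reads the role mapping from.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# IAM ARN shapes for a role (optionally with a path) and a SAML identity provider.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def decode_saml_response(encoded):
    """Base64-decode the SAMLResponse form field and parse it as XML."""
    return ET.fromstring(base64.b64decode(encoded))


def role_attribute_values(root):
    """Collect the text of every AttributeValue under the AWS Role attribute."""
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def check_role_values(values):
    """Return (value, problem) pairs for every value AWS would reject; empty list means OK."""
    if not values:
        return [("", "no Role attribute with an AttributeValue in the assertion")]
    problems = []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            # This is the misconfiguration from the post: a bare role ARN with no provider ARN.
            problems.append((value, "expected exactly one comma separating role ARN and saml-provider ARN"))
            continue
        roles = [p for p in parts if ROLE_ARN_RE.match(p)]
        providers = [p for p in parts if PROVIDER_ARN_RE.match(p)]
        if len(roles) != 1 or len(providers) != 1:
            problems.append((value, "pair must be one IAM role ARN and one IAM saml-provider ARN"))
            continue
        # The role's trust policy names the provider as a principal in its own account,
        # so a pair spanning two accounts is a misconfiguration worth flagging.
        if roles[0].split(":")[4] != providers[0].split(":")[4]:
            problems.append((value, "role ARN and saml-provider ARN are in different AWS accounts"))
    return problems


def diagnose(encoded):
    """Decode a SAMLResponse and return the list of Role-attribute problems found."""
    return check_role_values(role_attribute_values(decode_saml_response(encoded)))


def build_sample_response(role_values):
    """Construct a minimal, unsigned SAML response carrying the given Role values (fixture only)."""
    values_xml = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}"><saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="{ROLE_ATTR}">{values_xml}</saml:Attribute>'
        '<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">'
        "<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples with placeholder account/role/provider names:
# BROKEN mirrors the original mapping (role ARN only), FIXED the corrected pair.
ACCOUNT = "123456789012"
BROKEN = build_sample_response([f"arn:aws:iam::{ACCOUNT}:role/Google"])
FIXED = build_sample_response(
    [f"arn:aws:iam::{ACCOUNT}:role/Google,arn:aws:iam::{ACCOUNT}:saml-provider/GoogleApps"]
)

if __name__ == "__main__":
    for label, response in (("before fix", BROKEN), ("after fix", FIXED)):
        problems = diagnose(response)
        print(label + ":", "OK" if not problems else problems)
```

To run it against a real sign-in, paste the `SAMLResponse` form value captured by your browser's developer tools (or a SAML tracer extension) into `diagnose()`; the checker only inspects the Role attribute, so a response that passes here can still be rejected for other reasons (signature, audience, clock skew), but a failure here is exactly the "invalid SAML response" case described in the post.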