
Problem with Documentation and Error Message: AWS Federation to Okta IdP using SAML

Specified provider doesn’t exist

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code | CloudFormation

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While trying to integrate Okta and AWS using the SAML instructions retrieved from the Okta Console, I got the login to work, but at the top of the AWS login screen I get this error:

Specified provider doesn’t exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: ; Proxy: null) (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: ; Proxy: null). Please try again.

Initially I had “bug” in the title of this blog post, which is accurate. To be clear, I am not sure whether the bug is:

  • In the AWS Implementation
  • In the Okta Implementation
  • In my own configuration

The problem is that I cannot easily figure that out because the documentation is not clear as to how I need to solve this problem.

The AWS description is not helpful:

Error: Specified provider doesn’t exist.

This error can occur if the name of the provider that you specify in the SAML assertion does not match the name of the provider configured in IAM. For more information about viewing the provider name, see Creating IAM SAML identity providers.

The AWS documentation (Creating IAM SAML identity providers, docs.aws.amazon.com) does not say that I need to name my identity provider anything in particular:

I am simply uploading the metadata I received from the IdP service.

Some additional information would be helpful in the documentation from either Okta or AWS to resolve this error.

Clearly something is working, because the group in Okta is correctly mapped to the role in AWS, and that is the only thing I really had to configure other than plugging the Okta metadata into the AWS IdP.

The Okta logs only indicate a successful federation login to AWS.

Welp, back at this more later. Sometimes you wish things would just work and the instructions would all be very clear.

Update 2/22/2023

Apparently other people are having the same issue with no answer: https://support.okta.com/help/s/question/0D50Z00008C3jo0SAB/aws-error-specified-provider-doesnt-exist?language=en_US

If Okta could add the proper resolution to this post, it would help.

I’ve checked all the following:

  • My Identity Provider name in Okta is AWS.
  • The ARN is output in a CloudFormation stack with that name.
  • The Output is used to populate the ARN in my CloudFormation template for the role trust policy.
  • I double-checked that the role trust policy has the correct ARN.
  • I verified that the ARN is populated in Okta in the signing settings for the AWS application.
  • I re-generated the metadata and added it into AWS and redeployed everything.

I am not sure where the name comes into play at this point, but I presume it is passed by Okta to AWS during the SAML exchange, and whatever Okta is sending does not match what is in AWS. There is not a lot to configure on the AWS side, so I presume the problem is with Okta.

This may be a clue: https://stackoverflow.com/questions/44041002/iam-saml-federation-from-local-fails
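The AWS error text says the provider name in the SAML assertion must match the IAM provider, and the checklist above compares that ARN by hand. Here is an added diagnostic (my own example, not code from this post or from Okta/AWS) that pulls the saml-provider ARN out of the assertion's Role attribute and compares it with the IAM provider name and the role trust policy's Federated principal; the assertion, account ID, provider and role names are constructed samples.

```python
import base64
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (not a real capture): the Role attribute an IdP such as
# Okta sends to AWS. Each value is "role ARN,provider ARN"; AWS accepts either order.
SAMPLE_ASSERTION = base64.b64encode(b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/OktaAdmin,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""")

# Constructed sample trust policy, as a CloudFormation stack would render it: it trusts
# an IAM provider named "AWS", while the assertion above names a provider called "Okta".
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AWS"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]})

def role_pairs(saml_b64):
    """Return (role_arn, provider_arn) pairs from the assertion's Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            first, second = (p.strip() for p in value.text.split(",", 1))
            role, provider = (first, second) if ":role/" in first else (second, first)
            pairs.append((role, provider))
    return pairs

def check_provider(saml_b64, trust_policy_json, iam_provider_names):
    """List every way the assertion disagrees with IAM's provider names or the trust policy."""
    statements = json.loads(trust_policy_json)["Statement"]
    federated = {s["Principal"]["Federated"] for s in statements if "Federated" in s.get("Principal", {})}
    problems = []
    for role, provider in role_pairs(saml_b64):
        name = provider.rsplit("/", 1)[-1]  # "saml-provider/<name>" -> <name>
        if name not in iam_provider_names:
            problems.append(f"{role}: assertion names provider '{name}', IAM has {sorted(iam_provider_names)}")
        if provider not in federated:
            problems.append(f"{role}: trust policy trusts {sorted(federated)}, assertion sent {provider}")
    return problems
```

Run it against a real SAMLResponse captured from your own browser session and the trust policy from `aws iam get-role`; an empty list means the names line up and the mismatch is elsewhere.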

Well, have to go make dinner. Back for more troubleshooting later.

I resolved this problem here: https://readmedium.com/specified-provider-doesnt-exist-9391b4229222

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab