Teri Radichel

Summary

Teri Radichel discusses resolving a SAML AWS federation issue with Okta, emphasizing the need for clearer documentation and more informative error messages.

Abstract

Teri Radichel encountered a persistent issue where the AWS documentation and Okta support provided insufficient guidance for a SAML federation error. The error message "Specified provider doesn’t exist" was unhelpful and led to a three-day resolution process that should have been much shorter. Radichel had to meticulously review configuration settings and documentation to identify that the Okta settings did not match AWS expectations, particularly the "Role Value Pattern" and the "AWS Identity Provider ARN." She suggests that more descriptive error messages could have drastically reduced troubleshooting time. Radichel also notes that she has provided Okta support with information to improve future customer assistance and highlights the importance of thoughtful error handling in cybersecurity.

Opinions

  • The author believes that the AWS documentation is overly verbose and not user-friendly, which complicates troubleshooting.
  • Radichel is critical of the error message provided by AWS, stating it should be more specific to aid in quicker problem resolution.
  • She implies that Okta support could be improved, mentioning an unnecessary screen share request and misinformation regarding custom integrations.
  • The author suggests that the end-user experience and support staff training are currently inadequate for the systems being documented and supported.
  • Radichel values the importance of accurate and actionable error messages as a critical component of security defense.

Specified provider doesn’t exist

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code | Network Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Error Message: Specified provider doesn’t exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException;(Service: AWSSecurityTokenV20111201; Status Code: 400;

I wrote about an issue with the AWS documentation in this post, which I still feel is an issue. I also got a bit of a runaround from Okta support trying to solve this problem. I was asked to do a screen share which I don’t feel was necessary. At one point I was told that this was a “custom integration” that Okta doesn’t support. Not true.

What took three days to resolve should have taken three minutes if people building and documenting these systems took a tad more time to consider the end user — and the support staff were a bit better trained. I provided information to Okta support to help them respond to customers with the correct information in the future for this one.

I ended up resolving the problem myself by looking at every single setting and scouring the documentation for what I had missed. What I know is that somewhere, in Okta, I had to enter something and whatever it was didn’t match what AWS was expecting.

I knew that things on the AWS side were pretty simple (despite the mountains of unnecessary verbiage in the documentation, sorry AWS it’s true). The Okta side had many more points of configuration and the steps were a bit jumbled in the documentation so I figured it must be in Okta somewhere.

Now the clue is the error message from AWS which could be a lot more helpful. “Specified provider doesn’t exist.” What does that even mean? So I search on it and I find this in the AWS documentation:

Error: Specified provider doesn’t exist.

This error can occur if the name of the provider that you specify in the SAML assertion does not match the name of the provider configured in IAM. For more information about viewing the provider name, see Creating IAM SAML identity providers.

Well that’s not super helpful because it doesn’t tell me what I need to reconfigure. What would be super helpful and would have helped me instantly resolve this problem is if the error message said:

Specified provider doesn’t exist: [NAME OF PROVIDER]; Expecting [NAME OF AWS Identity Provider]

Always consider how someone is going to use your error message to troubleshoot a problem:

I would have immediately seen that the name of the provider being passed over was a value that I was supposed to replace in the Role Value Pattern in Okta.

Additionally, I realized that I had forgotten to enter the AWS Identity Provider ARN in the settings above this one, but I think this name was the primary problem that was causing my error.

Once I fixed those two things everything worked.
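The two settings above (the provider ARN inside the Role Value Pattern, and the Identity Provider ARN itself) both end up in the `https://aws.amazon.com/SAML/Attributes/Role` attribute of the assertion that Okta sends to AWS, as a `role-arn,provider-arn` pair. The following check is an added example, not code from the post, from Okta or from AWS: it parses a constructed sample assertion, splits each Role value, and compares the provider ARN against the SAML providers that actually exist in the account, emitting the descriptive message the post proposes instead of the bare "Specified provider doesn't exist". The sample account id, role name and provider names are constructed, and the assumption that an unreplaced Okta template placeholder looks like `${accountid}` is mine.

```python
"""Validate the AWS Role attribute of a SAML assertion against the IAM SAML
providers an account really has, and report mismatches descriptively."""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (not a real Okta response). The provider name
# "OKTA" is the kind of template value that must be replaced with the name of
# the IAM SAML provider actually created in the account.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{AWS_ROLE_ATTR}">
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/OKTA,arn:aws:iam::123456789012:role/Admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# What the account actually has (constructed): note the name differs from "OKTA".
CONFIGURED_PROVIDERS = {"arn:aws:iam::123456789012:saml-provider/Okta-Prod"}

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/(.+)$")


def extract_role_values(assertion_xml):
    """Return every AttributeValue of the AWS Role attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml2": SAML2_NS}
    values = []
    for attr in root.findall(".//saml2:Attribute", ns):
        if attr.get("Name") == AWS_ROLE_ATTR:
            for v in attr.findall("saml2:AttributeValue", ns):
                if v.text:
                    values.append(v.text.strip())
    return values


def split_role_value(value):
    """Return (role_arn, provider_arn). AWS accepts the two ARNs in either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two comma-separated ARNs")
    role_arn = provider_arn = None
    for part in parts:
        m = ARN_RE.match(part)
        if not m:
            raise ValueError(f"not an IAM ARN: {part}")
        if m.group(2) == "role":
            role_arn = part
        else:
            provider_arn = part
    if role_arn is None or provider_arn is None:
        raise ValueError("need one role ARN and one saml-provider ARN")
    return role_arn, provider_arn


def check_provider(assertion_xml, configured_provider_arns):
    """Return 'OK', or one descriptive line per problem in the format the post asks for."""
    problems = []
    for value in extract_role_values(assertion_xml):
        # Assumed placeholder syntax for an unreplaced IdP template value.
        if "${" in value:
            problems.append(f"Unreplaced template placeholder in Role value: {value}")
            continue
        try:
            _role_arn, provider_arn = split_role_value(value)
        except ValueError as err:
            problems.append(f"Malformed Role value '{value}': {err}")
            continue
        if provider_arn not in configured_provider_arns:
            expected = ", ".join(sorted(configured_provider_arns)) or "(no SAML provider configured)"
            problems.append(
                f"Specified provider doesn't exist: {provider_arn}; Expecting {expected}"
            )
    return "OK" if not problems else "\n".join(problems)


if __name__ == "__main__":
    print(check_provider(SAMPLE_ASSERTION, CONFIGURED_PROVIDERS))
```

Run against the constructed sample, the check names both the provider ARN that was sent and the one the account expects, which is exactly the information that would have pointed straight at the Role Value Pattern. The list of configured providers would normally come from the account (for example the output of `aws iam list-saml-providers`); here it is hard-coded so the script runs offline.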

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab