AWS ECP with awscli-login

Morgan, Andrew Jason morgan at
Thu Feb 20 12:54:31 EST 2020

I'm running into an issue with Illinois' awscli-login module.  When I run "aws login" to perform the ECP authentication, awscli-login sends a SAMLRequest to my IDP's ECP endpoint.  This generates the following error in my IDP logs:

WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'urn:amazon:webservices': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:PAOS, Location=, trusted=false]
WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed
WARN [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:96] - Binding URI was not available, unable to lookup message encoder
ERROR [org.opensaml.profile.action.impl.EncodeMessage:122] - Profile Action EncodeMessage: Unable to locate an outbound message encoder

The metadata loaded dynamically from Amazon ( has just 1 ACS entry:

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>

So, Shibboleth is definitely correct that there is no PAOS binding for this SP.

Am I doing something wrong?  How have other awscli-login users solved this issue?

Andy Morgan
Identity & Access Management
Oregon State University
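As an added example (not part of the post or of awscli-login), the following Python check parses SP metadata and resolves an AssertionConsumerService by binding, in the same spirit as the IdP's outbound endpoint resolution in the log above. The metadata is constructed to mirror the single HTTP-POST ACS quoted in the post, with a placeholder Location; the second, PAOS-bearing variant is an assumption about what ECP-capable SP metadata would need to advertise.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: one HTTP-POST ACS, as in the post. Location is a placeholder.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:webservices">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed variant: the same SP with an additional PAOS-bound ACS (hypothetical).
SAMPLE_SP_METADATA_WITH_PAOS = SAMPLE_SP_METADATA.replace(
    "  </md:SPSSODescriptor>",
    '    <md:AssertionConsumerService index="2" '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" '
    'Location="https://sp.example.invalid/saml/ecp"/>\n  </md:SPSSODescriptor>',
)


def acs_endpoints(metadata_xml: str) -> List[Tuple[str, str]]:
    """Return (Binding, Location) for every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding", ""), acs.get("Location", ""))
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    ]


def resolve_endpoint(metadata_xml: str, binding: str) -> Optional[str]:
    """First ACS Location advertised for the requested binding, or None if absent."""
    for acs_binding, location in acs_endpoints(metadata_xml):
        if acs_binding == binding and location:
            return location
    return None


def supports_ecp(metadata_xml: str) -> bool:
    """ECP responses travel over PAOS, so the SP must advertise a PAOS-bound ACS."""
    return resolve_endpoint(metadata_xml, PAOS_BINDING) is not None
```

Running `supports_ecp` over the metadata an IdP actually loads for the SP tells you up front whether an ECP request can ever succeed, before the request reaches the IdP.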