AWS ECP with awscli-login
Morgan, Andrew Jason
morgan at oregonstate.edu
Thu Feb 20 12:54:31 EST 2020
I'm running into an issue with Illinois' awscli-login module. When I run "aws login" to perform the ECP authentication, awscli-login sends a SAMLRequest to my IDP's ECP endpoint. This generates the following error in my IDP logs:
WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'urn:amazon:webservices': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:PAOS, Location=https://signin.aws.amazon.com/saml, trusted=false]
WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed
WARN [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:96] - Binding URI was not available, unable to lookup message encoder
ERROR [org.opensaml.profile.action.impl.EncodeMessage:122] - Profile Action EncodeMessage: Unable to locate an outbound message encoder
The metadata loaded dynamically from Amazon (https://signin.aws.amazon.com/static/saml-metadata.xml) has just 1 ACS entry:
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aws.amazon.com/saml"/>
So, Shibboleth is definitely correct that there is no PAOS binding for this SP.
Am I doing something wrong? How have other awscli-login users solved this issue?
Thanks,
Andy Morgan
Identity & Access Management
Oregon State University
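The check the IdP log describes can be reproduced outside Shibboleth: endpoint resolution looks for an AssertionConsumerService in the relying party's metadata whose Binding (and Location) match what the request asks for, and ECP asks for PAOS. The script below is an added illustration, not code from the post, from awscli-login or from the Shibboleth IdP. It embeds a constructed metadata document containing the single HTTP-POST ACS quoted above, reports which bindings the SP advertises, performs the same binding/location match the resolver performs, and shows what a metadata document that would satisfy a PAOS lookup looks like; the added PAOS entry is a constructed illustration, not Amazon's published metadata.

```python
"""Audit an SP's SAML metadata for ACS bindings and reproduce the IdP's
outbound endpoint resolution for an ECP (PAOS) request."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"
SPSSO_TAG = f"{{{MD_NS}}}SPSSODescriptor"

ET.register_namespace("md", MD_NS)

# Constructed sample: the one HTTP-POST ACS quoted in the post, wrapped in a
# minimal EntityDescriptor so it parses on its own.
AWS_LIKE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="urn:amazon:webservices">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" isDefault="true"
        Binding="{HTTP_POST_BINDING}"
        Location="https://signin.aws.amazon.com/saml"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return (binding, location, index) for every ACS the SP advertises."""
    root = ET.fromstring(metadata_xml)
    return [(acs.get("Binding"), acs.get("Location"), int(acs.get("index")))
            for acs in root.iter(ACS_TAG)]


def resolve_endpoint(metadata_xml, binding, location=None):
    """Mimic outbound endpoint resolution: succeed only if the SP's metadata
    advertises an ACS with this binding (and, if given, this location).
    None corresponds to the EndpointResolutionFailed event in the log."""
    for acs_binding, acs_location, _ in acs_endpoints(metadata_xml):
        if acs_binding == binding and (location is None or acs_location == location):
            return acs_location
    return None


def add_paos_endpoint(metadata_xml, location):
    """Return a copy of the metadata with an additional PAOS-bound ACS, to show
    what metadata that passes the ECP lookup looks like (illustration only)."""
    root = ET.fromstring(metadata_xml)
    spsso = root.find(SPSSO_TAG)
    if spsso is None:
        raise ValueError("no SPSSODescriptor in metadata")
    # Keep ACS indexes unique, as the metadata schema requires.
    next_index = max((idx for _, _, idx in acs_endpoints(metadata_xml)), default=0) + 1
    acs = ET.SubElement(spsso, ACS_TAG)
    acs.set("index", str(next_index))
    acs.set("Binding", PAOS_BINDING)
    acs.set("Location", location)
    return ET.tostring(root, encoding="unicode")


def audit(metadata_xml):
    """Summarise the bindings on offer and whether an ECP request can resolve."""
    bindings = sorted({b for b, _, _ in acs_endpoints(metadata_xml)})
    return {
        "bindings": bindings,
        "ecp_capable": resolve_endpoint(metadata_xml, PAOS_BINDING) is not None,
    }


if __name__ == "__main__":
    print(audit(AWS_LIKE_METADATA))
    patched = add_paos_endpoint(AWS_LIKE_METADATA, "https://signin.aws.amazon.com/saml")
    print(audit(patched))
```

Run against the sample, the audit reports only HTTP-POST and `ecp_capable: False`, which is exactly the conclusion the log lines above reach; it reports `True` only once a PAOS ACS is present in the metadata the resolver consults.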