AWS ECP with awscli-login

Morgan, Andrew Jason morgan at
Thu Feb 20 14:00:56 EST 2020


Okay, I suspected it might be something like that.  🙂

I have awscli-login working in my test environment after making that change.

Next question - Does anyone have this working with v2 of the aws cli?  I installed that first, but it uses an embedded Python interpreter.  When I ran "pip3 install awscli-login", it pulled v1.18.3 of the aws cli into pip (which is what I used for testing).


From: users <users-bounces at> on behalf of Wessel, Keith <kwessel at>
Sent: Thursday, February 20, 2020 10:29 AM
To: Shib Users <users at>
Subject: RE: AWS ECP with awscli-login


You've hit upon the dirty part of the implementation. I believe this is documented in the readme or the Github wiki for the project. If not, somebody please let me know so we can add it. The basic idea is:

Step 1: take Scott's advice and don't remotely consume Amazon's metadata. You can pull it down once, but then store it locally and don't refresh it.
Step 2: Add an ECP endpoint. The same ACS URL that you use to send web-based ACS responses to can be used. We added this:

    <AssertionConsumerService index="2" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location=""/>

Note you'll need to make the same modification to the AWS Gov metadata if you're using that separate AWS instance.
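The two steps above (keep a local copy of the Amazon SP metadata, then add a PAOS AssertionConsumerService that reuses the HTTP-POST Location) as a small script, added here as an example; it is not code from the thread, from awscli-login, or from Shibboleth. It assumes the metadata has already been fetched once to a local file, and the sample metadata below is constructed to match the one-ACS shape described in the thread; the AWS ACS URL in it is an assumption, since the post elides it. The script is idempotent (a second run adds nothing), fails loudly if there is no HTTP-POST endpoint to copy, and leaves the existing isDefault flag alone, since SAML metadata allows at most one default endpoint and the IdP resolves the ECP endpoint by binding anyway.

```python
"""Add a PAOS (ECP) AssertionConsumerService to a locally stored copy of an
SP's SAML metadata, reusing the Location of its HTTP-POST endpoint.

Added example for this thread; not part of awscli-login or Shibboleth.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"
SPSSO_TAG = f"{{{MD_NS}}}SPSSODescriptor"

# Keep the md: prefix on output instead of ElementTree's ns0: renaming.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Constructed stand-in for the Amazon metadata described in the thread:
# a single HTTP-POST ACS and no PAOS ACS.  The Location is assumed to be
# the public AWS sign-in ACS URL; the post itself does not show it.
SAMPLE_AWS_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="urn:amazon:webservices">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="{BINDING_POST}"
        Location="https://signin.aws.amazon.com/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def list_endpoints(metadata_xml: str):
    """Return (index, Binding, Location) for every ACS in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("index"), e.get("Binding"), e.get("Location"))
            for e in root.iter(ACS_TAG)]


def add_paos_endpoint(metadata_xml: str) -> str:
    """Return the metadata with a PAOS ACS added next to the HTTP-POST one.

    Idempotent: if a PAOS ACS already exists the input is returned unchanged.
    Raises ValueError if there is no SPSSODescriptor or no HTTP-POST ACS.
    """
    root = ET.fromstring(metadata_xml)
    spsso = root.find(SPSSO_TAG)
    if spsso is None:
        raise ValueError("no SPSSODescriptor in metadata")

    endpoints = spsso.findall(ACS_TAG)
    if any(e.get("Binding") == BINDING_PAOS for e in endpoints):
        return metadata_xml

    post = next((e for e in endpoints if e.get("Binding") == BINDING_POST), None)
    if post is None:
        raise ValueError("no HTTP-POST AssertionConsumerService to copy the Location from")

    # Pick an index that does not collide with any existing endpoint.
    next_index = max(int(e.get("index", "0")) for e in endpoints) + 1

    paos = ET.Element(ACS_TAG)
    paos.set("index", str(next_index))
    paos.set("Binding", BINDING_PAOS)
    paos.set("Location", post.get("Location"))

    # Insert directly after the last existing ACS so the element order
    # required by the metadata schema (ACS before AttributeConsumingService)
    # is preserved, rather than appending at the end of SPSSODescriptor.
    children = list(spsso)
    spsso.insert(children.index(endpoints[-1]) + 1, paos)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Typical use: patch the local copy the IdP loads, then point a
    # FilesystemMetadataProvider at that file instead of the remote URL.
    print(add_paos_endpoint(SAMPLE_AWS_METADATA))
```

Run it over the saved Amazon file (and the separate AWS GovCloud file, if you use that) and have the IdP load the patched copy through a FilesystemMetadataProvider rather than refreshing from Amazon, otherwise the next refresh silently drops the PAOS endpoint and "aws login" goes back to failing with EndpointResolutionFailed.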


From: users <users-bounces at> On Behalf Of Morgan, Andrew Jason
Sent: Thursday, February 20, 2020 11:55 AM
To: users at
Subject: AWS ECP with awscli-login

I'm running into an issue with Illinois' awscli-login module.  When I run "aws login" to perform the ECP authentication, awscli-login sends a SAMLRequest to my IDP's ECP endpoint.  This generates the following error in my IDP logs:

WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'urn:amazon:webservices': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:PAOS, Location=, trusted=false]
WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed
WARN [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:96] - Binding URI was not available, unable to lookup message encoder
ERROR [org.opensaml.profile.action.impl.EncodeMessage:122] - Profile Action EncodeMessage: Unable to locate an outbound message encoder

The metadata loaded dynamically from Amazon ( has just 1 ACS entry:

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="

So, Shibboleth is definitely correct that there is no PAOS binding for this SP.

Am I doing something wrong?  How have other awscli-login users solved this issue?

Andy Morgan
Identity & Access Management
Oregon State University