I have set up my GSuite account as a SAML IdP for Cognito User Pools (not Identity Pools).
If I provide no attribute mappings, a new user trying to sign up via GSuite login gets the following error:
Error in SAML response processing: Invalid user attributes: email: Attribute is required.
However, if I add an email mapping, the user can sign up but can't ever sign in again, as they get this error (strange, as email is writable by this app client):
Error in SAML response processing: Invalid user attributes: email: Attribute cannot be updated.
Ideas as to what's going on?
In browser, using Hosted UI.
Amazon Cognito supports authentication with identity providers (IdPs) through Security Assertion Markup Language 2.0 (SAML 2.0). You can use an IdP that supports SAML with Amazon Cognito to provide a simple onboarding flow for your users.
Amazon Cognito is the identity provider (IdP) to your app. The app is the service provider (SP) that retrieves tokens for authenticated users. However, when you use a third-party IdP to authenticate users, Amazon Cognito is the SP.
It turns out I had made the email address immutable during CloudFormation setup. Even though the email is not being modified, it needs to be mutable.
You can determine the mutability of email via the following command.
aws --output table cognito-idp describe-user-pool --user-pool-id <user pool id> | grep -B6 -A7 " | email "
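As an added check that is not from the original answer: the same mutability test can be run programmatically against the JSON output of `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-identity-provider`, reporting every attribute in the SAML mapping that is immutable. The two JSON documents below are constructed samples that mirror the question's setup (immutable email, mapped from the IdP); the provider name `GSuite` is an assumption.

```python
import json

# Constructed sample of `aws cognito-idp describe-user-pool` output, trimmed to the
# fields that matter. Email is immutable, as in the question's CloudFormation setup.
USER_POOL_JSON = """{
  "UserPool": {
    "SchemaAttributes": [
      {"Name": "sub",   "AttributeDataType": "String", "Mutable": false, "Required": true},
      {"Name": "email", "AttributeDataType": "String", "Mutable": false, "Required": true},
      {"Name": "name",  "AttributeDataType": "String", "Mutable": true,  "Required": false}
    ]
  }
}"""

# Constructed sample of `aws cognito-idp describe-identity-provider` output, trimmed.
IDP_JSON = """{
  "IdentityProvider": {
    "ProviderName": "GSuite",
    "ProviderType": "SAML",
    "AttributeMapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "name":  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    }
  }
}"""


def immutable_mapped_attributes(user_pool_json: str, idp_json: str) -> list:
    """Return pool attributes the IdP mapping writes to that are not mutable.

    Cognito updates every mapped attribute on each federated sign-in, so any
    immutable mapped attribute fails with "Attribute cannot be updated" the
    second time the user signs in. `sub` is never mappable, so it is skipped.
    """
    pool = json.loads(user_pool_json)["UserPool"]
    mutability = {a["Name"]: a.get("Mutable", True) for a in pool["SchemaAttributes"]}
    mapping = json.loads(idp_json)["IdentityProvider"].get("AttributeMapping", {})
    return sorted(n for n in mapping if n != "sub" and not mutability.get(n, True))


if __name__ == "__main__":
    for name in immutable_mapped_attributes(USER_POOL_JSON, IDP_JSON):
        print(f"mapped attribute '{name}' is immutable: federated sign-in will fail after sign-up")
```

Because the schema's `Mutable` flag cannot be changed after pool creation, a non-empty result means the pool has to be recreated with the attribute mutable (or the mapping dropped).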