Any help/suggestions for troubleshooting the issue below, or suggestions for setting up an alternate SAML IDP provider for testing would be much appreciated.
Background:
For our multi-tenant app, we have been using PingFederate to provide SSO. We are in the process of replacing that with AWS Cognito.
I have gotten the basic code changes in place so that our application will call awscognito, authenticate, and return the tokens to the app. The final step is setting up the AWS User Pool to handle a SAML IDP.
In the past, when I needed to test PingFederate, I had our PingFederate test server set up to act as both an IDP and an SP. That way I could initiate the IDP request in our app, The IDP service part of PingFederate would answer the IDP request, and then invoke the SP handling, which would ultimately return to our application.
I'd like to use a similar setup for testing AWS Cognito, but I'm stuck getting PingFederate to integrate with AWS Cognito. When I try to create the provider in AWS Cognito I get the following error message:
We were unable to create identity provider: No SingleSignOn Http redirect binding location found in metadata. (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: 8f48b246-6513-11e8-a8a0-8177ff216d8a)
Here is what the uploaded export file looks like:
<md:EntityDescriptor entityID="OTIDPQA" cacheDuration="PT1440M"
ID="WRHOcPiQSytSdX73eJiSqU7NYk7"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate> encrypted certificate data
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</md:NameIDFormat>
<md:SingleSignOnService Location="https://xxxxx-userpool-test.auth.us-east-2.amazoncognito.com/saml2/idpresponse"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="MiddleName"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="Email"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="generic1"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="subject"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="userId"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="restricted"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="FirstName"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="Role"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="UserName"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:basic" Name="LastName"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">
<md:Company>company data </md:Company>
<md:GivenName>first name data</md:GivenName>
<md:SurName>last name data</md:SurName>
<md:EmailAddress>email data</md:EmailAddress>
<md:TelephoneNumber>phone data</md:TelephoneNumber>
</md:ContactPerson>
</md:EntityDescriptor>
