Import error from AWS SSO SAML metadata

Hi all,

I’m trying to configure AWS SSO as an Identity Provider to Keycloak. I’m using the functionality in Keycloak that allows you to update the IdP’s SAML metadata file to prepopulate fields in the Keycloak IdP configuration. The SAML metadata file I was given is below. As you can see, it specifies transient for the NameIDFormat, but it doesn’t like that the Principal Type is still set to Subject NameID, giving the following error when I try to save the IdP in Keycloak:

Error! Can not have Transient NameID Policy Format together with SUBJECT Principal Type

Does anyone have a suggestion of what I’m doing wrong? I’m sorry, but my SAML expertise is lacking.

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.us-west-2.amazonaws.com/saml/assertion/NTQ0NDcxNzUzOTUxX2lucy1lNWFkMTgzNWQ2ZDY2N2Ux">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-west-2.amazonaws.com/saml/logout/NTQ0NDcxNzUzOTUxX2lucy1lNWFkMTgzNWQ2ZDY2N2Ux"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-west-2.amazonaws.com/saml/logout/NTQ0NDcxNzUzOTUxX2lucy1lNWFkMTgzNWQ2ZDY2N2Ux"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-west-2.amazonaws.com/saml/assertion/NTQ0NDcxNzUzOTUxX2lucy1lNWFkMTgzNWQ2ZDY2N2Ux"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-west-2.amazonaws.com/saml/assertion/NTQ0NDcxNzUzOTUxX2lucy1lNWFkMTgzNWQ2ZDY2N2Ux"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Thank you and best wishes,
G

I would say that metadata doesn’t contain all details. You as an IdP admin should configure more details.

Transient means that the Name ID will contain an opaque identifier with a (pseudo)random value, so it can’t be used by Keycloak to identify the user (it will be a different value for each session), e.g.:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">c5dc66cd-37c8-47ed-a037-78a54b474eb1</saml:NameID>

You as Keycloak admin need to decide which SAML attribute from the SAML response will be used to identify external users; it must be unique, e.g. uid/username/email. Blind guess:

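A worked illustration of the point in this answer, added here as an example that is not part of the thread and not Keycloak's own code: it parses an IdP metadata document with the same structure as the AWS SSO file in the question (entityID, certificate text and URLs replaced by constructed placeholders), re-states the Keycloak rule behind the error as a check, and then shows with two constructed assertions why a transient NameID cannot identify a user across sessions while an attribute such as email can. The principal type strings "SUBJECT" and "ATTRIBUTE" are assumed to mirror the Keycloak dropdown; the function names are mine.

```python
"""Added example: parse IdP SAML metadata shaped like the AWS SSO file above and
apply the Keycloak rule behind the error in the question. Not Keycloak code.
Assumptions: the principal type strings "SUBJECT"/"ATTRIBUTE" mirror the Keycloak
dropdown, and all URLs, certificate text and attribute values are constructed."""
import xml.etree.ElementTree as ET  # for metadata from an untrusted party, prefer defusedxml

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed metadata with the same structure as the AWS SSO export (placeholder values).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.example.invalid/saml/logout/PLACEHOLDER"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Pull out the fields a Keycloak IdP import pre-populates from IDPSSODescriptor."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):  # {"HTTP-POST": url, "HTTP-Redirect": url}
        return {e.get("Binding").rsplit(":", 1)[1]: e.get("Location")
                for e in idp.findall(tag, MD)}

    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", MD)],
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_certs": [c.text.strip() for c in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)],
    }


def check_keycloak_principal(meta, principal_type, principal_attribute=None):
    """Re-state the Keycloak rule from the error message: a transient NameID changes
    every session, so it cannot be the principal. Returns a list of problems."""
    problems = []
    if TRANSIENT in meta["name_id_formats"] and principal_type == "SUBJECT":
        problems.append("Can not have Transient NameID Policy Format together with SUBJECT "
                        "Principal Type: set Principal Type to ATTRIBUTE and name a stable, "
                        "unique attribute (uid, username or email)")
    if principal_type == "ATTRIBUTE" and not principal_attribute:
        problems.append("Principal Type ATTRIBUTE needs a Principal Attribute name")
    return problems


def sample_assertion(transient_name_id, email):
    """Constructed assertion fragment for one session: transient NameID plus an email attribute."""
    return (f'<saml:Assertion xmlns:saml="{SAML["saml"]}">'
            f'<saml:Subject><saml:NameID Format="{TRANSIENT}">{transient_name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement><saml:Attribute Name="email">'
            f'<saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion>')


def identify_user(assertion_xml, principal_type, principal_attribute=None):
    """Return the identifier Keycloak would key the external user on under each principal type."""
    root = ET.fromstring(assertion_xml)
    if principal_type == "SUBJECT":
        return root.findtext("saml:Subject/saml:NameID", namespaces=SAML)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") == principal_attribute:
            return attr.findtext("saml:AttributeValue", namespaces=SAML)
    return None


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("NameIDFormat:", meta["name_id_formats"], "SSO bindings:", sorted(meta["sso"]))
    print("SUBJECT:", check_keycloak_principal(meta, "SUBJECT"))
    print("ATTRIBUTE email:", check_keycloak_principal(meta, "ATTRIBUTE", "email"))
    # Two logins by the same person: the NameID differs per session, the email attribute does not.
    first = sample_assertion("c5dc66cd-37c8-47ed-a037-78a54b474eb1", "alice@example.invalid")
    second = sample_assertion("0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b", "alice@example.invalid")
    print("by NameID:", identify_user(first, "SUBJECT"), identify_user(second, "SUBJECT"))
    print("by email:", identify_user(first, "ATTRIBUTE", "email"), identify_user(second, "ATTRIBUTE", "email"))
```

The metadata import only pre-fills what the file carries (entityID, endpoints, signing certificate, NameIDFormat); which attribute identifies the user is not in the file, so it has to be chosen by hand, and the attribute must be one the IdP actually releases and that is unique per person.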

That’s what I was missing. Thanks for the help.