AWS SAML Integration Guide
Prerequisites
- Administrator access to the AWS Management Console with IAM permissions
- A SplitSecure Identity Provider created and approved
- IAM permissions to create identity providers and roles (iam:CreateSAMLProvider, iam:CreateRole)
- A separate browser or browser profile with SplitSecure configured (for testing)
AWS IAM Configuration
1 Download SplitSecure Metadata
Before configuring AWS, download the SAML metadata from SplitSecure:
- In SplitSecure, go to Secure Accounts → SAML2 Identity Providers
- Click Details on the desired identity provider
- Click Download Metadata to save the XML file
2 Create a SAML Identity Provider in IAM
- Sign in to the AWS Management Console
- In the navigation pane, choose Identity providers
- Click Add provider
- Configure the provider:
| Field | Value |
|---|---|
| Provider type | SSO only |
| Provider name | (e.g., SplitSecure IdP) |
| Metadata document | Upload the XML file downloaded from SplitSecure |
- Click Add provider
3 Create an IAM Role for SAML Federation
- You can either:
- (If you are still in your Identity Provider’s page) at the top right of the page, click Assign role
- In the IAM console navigation pane, choose Roles. Then at the top right of the page, click Create role
Note
You can also use existing roles if they already have the appropriate trust policy.
- Fill the form like so:
Select trusted entity
| Field | Value |
|---|---|
| Trusted entity type | SAML 2.0 federation |
| SAML 2.0–based provider | Select the provider you created (e.g., “SplitSecure”) |
| Access to be allowed | Allow programmatic and AWS Management Console access |
| Sign-in endpoint type | Non-Regional endpoint |
| Sign-in URLs to include unique identifiers | With unique identifiers |
- Click Next
Add permissions
Permissions — Configure permissions in AWS for SAML federated principals
- Select the permissions policies for federated users (e.g., AdministratorAccess, ReadOnlyAccess, PowerUserAccess)
- Click Next
Name, review, and create
- Enter a Role name (e.g., SplitSecure-SAML-Role)
- (Optional) Enter a description
- Click Create Role
- Note the Role ARN for SplitSecure configuration (e.g., arn:aws:iam::<account-id>:role/SplitSecure-SAML-Role)
Note
In the Trust relationships tab you can validate that the role trusts the right IdP:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::894767036481:saml-provider/AWS-IS-AWESOME"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml/acs/SAMLSPAA1AA1AA1111AA1A"
        }
      }
    }
  ]
}
```
By clicking Edit trust policy you can use the Edit statement sidebar to edit access levels, principals, conditions and more.
SplitSecure Configuration
1 Download AWS SAML Metadata
- In SplitSecure, navigate to Secure Accounts → Create Account → AWS
- Enter a name for your account
- Select the Identity Provider whose metadata file you downloaded
- Enter the sign-in URL and the IAM Identity Provider ARN (found in the AWS Management Console under IAM → Identity providers → Your IdP)
- (Optional) In the default Role ARN field you can put the ARN shown in the console at IAM → Roles → Your Role in the top corner, e.g. arn:aws:iam::111111111111:role/MyRole
- Click Create Account
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Test IdP-Initiated Sign-In
- In SplitSecure, navigate to Secure Accounts
- Locate your AWS account and click Authenticate
- Choose your role, session name and session duration
- Click Request Access
- Complete the authentication flow
If authentication is successful, you will be redirected to the AWS Management Console with the selected role.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| Response signature invalid | Certificate mismatch | Re-download metadata from SplitSecure and update the IAM provider |
| Not authorized to perform sts:AssumeRoleWithSAML | Trust policy misconfigured | Verify the Principal ARN matches your SAML provider exactly |
| Invalid SAML response | Metadata parsing error | Ensure metadata is UTF-8 encoded without BOM |
| RoleSessionName is required | Missing SAML attribute | Configure SplitSecure to send the RoleSessionName attribute |
| User redirected to wrong account | Multiple AWS accounts | Verify the correct Role ARN is configured in SplitSecure |
| Access denied after successful auth | Insufficient role permissions | Review and update the IAM role’s permissions policy |
| Session expires too quickly | Default session duration | Add SessionDuration attribute (up to 43200 seconds) |
| SAML assertion audience mismatch | Wrong ACS URL | Ensure SAML:aud matches https://signin.aws.amazon.com/saml or regional equivalent |
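A check for the two trust-policy rows above (Principal ARN and SAML:aud), which also covers the trust policy shown in the Create an IAM Role step: this is an added example, not part of the guide or of SplitSecure. The provider ARN and unique-identifier ACS URL are the ones from the guide's sample policy; both policy documents are constructed, and the checker runs on a policy JSON you paste in (e.g. from the Trust relationships tab), not against the AWS API.

```python
import json
from typing import Any, List

# Values taken from the guide's sample trust policy; the second audience is the non-unique ACS URL.
EXPECTED_PROVIDER = "arn:aws:iam::894767036481:saml-provider/AWS-IS-AWESOME"
ALLOWED_AUDIENCES = [
    "https://signin.aws.amazon.com/saml/acs/SAMLSPAA1AA1AA1111AA1A",  # "With unique identifiers" sign-in URL
    "https://signin.aws.amazon.com/saml",                              # classic sign-in URL
]

def _as_list(value: Any) -> List[Any]:
    """IAM policy grammar allows a single string or a list for most fields."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def check_saml_trust_policy(policy_json: str, expected_provider: str, allowed_audiences: List[str]) -> List[str]:
    """Return findings for a role trust policy; an empty list means it matches expectations."""
    findings: List[str] = []
    saml_statements = 0
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRoleWithSAML", "sts:*"}:
            continue
        saml_statements += 1
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            findings.append("statement has no Federated principal")
        for arn in federated:
            if arn != expected_provider:  # must match the SAML provider ARN exactly
                findings.append(f"Federated principal {arn} does not match the SAML provider ARN")
        auds = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if not auds:
            findings.append("no StringEquals SAML:aud condition: any audience would be accepted")
        for aud in auds:
            if aud not in allowed_audiences:
                findings.append(f"SAML:aud {aud} is not an expected ACS URL")
    if saml_statements == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithSAML")
    return findings

# Constructed samples: GOOD mirrors the guide's trust policy; BAD misspells the provider and drops the audience condition.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": EXPECTED_PROVIDER}, "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": ALLOWED_AUDIENCES[0]}}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::894767036481:saml-provider/AWS-IS-AWESUM"},
    "Action": "sts:AssumeRoleWithSAML"}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_saml_trust_policy(doc, EXPECTED_PROVIDER, ALLOWED_AUDIENCES) or ["OK"])
```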
External Resources
- External Identity Providers — Managing identity sources in IAM Identity Center
- Connect to an External Identity Provider — Step-by-step IdP connection guide
- SAML 2.0 Federation — IAM SAML federation setup