Open
Description
I am trying to configure the SAML authentication method via AWS Identity Center (formerly AWS SSO) on the CloudBeaver AWS instance.
The user can log in, but the https://aws.amazon.com/SAML/Attributes/Role attribute is not working properly and I am not sure why:
03-12-2024 07:17:39.995 [qtp2116839170-79] DEBUG i.c.a.p.aws.WebAwsAuthProvider - Try AWS authentication
03-12-2024 07:17:40.000 [qtp2116839170-79] INFO i.c.a.p.aws.WebAwsAuthProvider - AssumeRoleWithSamlRequest:
roleARN=arn:aws:iam::<hidden>:role/aws-reserved/sso.amazonaws.com/eu-west-2/<hidden>
principalARN=arn:aws:iam::<hidden>:saml-provider/<hidden>
UserId=<hidden>
03-12-2024 07:17:40.346 [qtp2116839170-79] ERROR i.c.s.servlet.FederatedAccessServlet - Error during authentication assume in 'aws'
software.amazon.awssdk.services.sts.model.InvalidIdentityTokenException: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: 0e8d1248-1b43-4ff5-8a45-2ae4c96a4d27; Proxy: null) (Service: Sts, Status Code: 400, Request ID: 7e0a600f-9676-4ea9-aad5-67b38a8f1c0e)
Also, the User group mapping attribute option is listed in the CloudBeaver AWS SAML configuration menu. However, CloudBeaver documentation does not explain how to use this option.
Any ideas on how to solve these issues?
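The STS error quoted above ("Issuer not present in specified provider") is raised when the `Issuer` in the SAML response does not match the `entityID` in the metadata document uploaded to the IAM SAML provider named by the principal ARN. Below is a small offline pre-flight check for that condition and for the format of the `https://aws.amazon.com/SAML/Attributes/Role` attribute value, written as an added example for this thread; it is not CloudBeaver or AWS code. The SAMLResponse, the account id `123456789012`, the role and provider names and the `portal.sso.…` issuer URLs are all constructed sample values, and the response is unsigned, so this only helps with the two fields the error points at, not with signature validation.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# account id, resource type, resource name
ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):(role|saml-provider)/(.+)$")

# Constructed sample values (not from the CloudBeaver log above).
ISSUER = "https://portal.sso.eu-west-2.amazonaws.com/saml/assertion/EXAMPLEINSTANCE"
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/ExampleProvider</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode())

# Metadata as it would be uploaded to the IAM SAML provider: one matching, one pointing at a different IdP instance.
SAMPLE_PROVIDER_METADATA_MATCH = f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{ISSUER}"/>'.encode()
SAMPLE_PROVIDER_METADATA_MISMATCH = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" '
    'entityID="https://portal.sso.eu-west-2.amazonaws.com/saml/assertion/OTHERINSTANCE"/>'
).encode()


def _parse_response(saml_response_b64):
    # Parse untrusted XML with defusedxml in production; stdlib ET keeps this example dependency-free.
    return ET.fromstring(base64.b64decode(saml_response_b64))


def issuers(saml_response_b64):
    """Every <saml:Issuer> in document order (Response first, then each Assertion)."""
    root = _parse_response(saml_response_b64)
    return [(el.text or "").strip() for el in root.iter(f"{{{NS['saml']}}}Issuer")]


def split_role_value(value):
    """Split 'role-arn,provider-arn' (STS accepts either order) into (role_arn, provider_arn)."""
    role = provider = None
    for part in (p.strip() for p in value.split(",")):
        m = ARN_RE.match(part)
        if m is None:
            continue
        if m.group(2) == "role":
            role = part
        else:
            provider = part
    return (role, provider)


def role_pairs(saml_response_b64):
    """All (role_arn, provider_arn) tuples carried by the Role attribute."""
    root = _parse_response(saml_response_b64)
    pairs = []
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            pairs.append(split_role_value((val.text or "").strip()))
    return pairs


def metadata_entity_id(metadata_xml):
    """entityID of the EntityDescriptor in the provider metadata, or None."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        return root.get("entityID")
    desc = root.find("md:EntityDescriptor", NS)
    return desc.get("entityID") if desc is not None else None


def diagnose(saml_response_b64, metadata_xml):
    """Return a list of human-readable findings; an empty list means the two checked fields look consistent."""
    findings = []
    entity_id = metadata_entity_id(metadata_xml)
    seen = issuers(saml_response_b64)
    if not seen:
        findings.append("no Issuer element in SAML response")
    for iss in seen:
        if iss != entity_id:
            findings.append(f"issuer {iss!r} not equal to provider entityID {entity_id!r}")
    pairs = role_pairs(saml_response_b64)
    if not pairs:
        findings.append(f"no {ROLE_ATTR} attribute in assertion")
    for role, provider in pairs:
        if role is None or provider is None:
            findings.append(f"malformed Role value: {(role, provider)!r}")
            continue
        if ARN_RE.match(role).group(1) != ARN_RE.match(provider).group(1):
            findings.append("role and saml-provider ARNs belong to different accounts")
    return findings


if __name__ == "__main__":
    for name, meta in (("match", SAMPLE_PROVIDER_METADATA_MATCH), ("mismatch", SAMPLE_PROVIDER_METADATA_MISMATCH)):
        print(name, diagnose(SAMPLE_RESPONSE, meta) or "ok")
```

To use it on a real login, capture the base64 `SAMLResponse` form field the IdP posts to CloudBeaver (browser developer tools) and pass it together with the metadata XML that was uploaded to the IAM SAML provider referenced by `principalARN`; an issuer mismatch finding corresponds to the STS error in the log, while the account check catches a role from one account paired with a provider from another.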