You’re using an external SAML 2.0 identity provider (Ping Identity, AD FS, or a custom SAML provider) with AWS IAM Identity Center. Everything looks configured correctly. But when users try to log in, they get a generic error: “Your request could not be completed.” No details. No error code. Just that message. In this post, I’ll show you how to dig into the SAML response and find out what’s actually wrong.

The Problem

You’re using an external SAML IdP with IAM Identity Center, and login fails with “Your request could not be completed” or with a specific SAML error code. Sometimes the error page gives no indication at all of what went wrong.

Common SAML error codes and what they mean:

SAML Error                           Meaning
-----------------------------------  ------------------------------------------------------
InResponseTo mismatch                SAML response references the wrong request ID
NotBefore / NotOnOrAfter             Assertion is outside its validity window
Audience mismatch                    Assertion audience URI doesn’t match AWS
Signature validation failed          Certificate is expired or the wrong cert is uploaded
NameID missing or wrong format       IdP is not sending the required NameID claim
Missing Assertion Consumer Service   IdP doesn’t recognize the AWS ACS endpoint

Why Does This Happen?

  • InResponseTo mismatch: AWS sends a SAML request with a unique ID. The IdP’s response must reference that same ID in the InResponseTo field. If they don’t match, AWS rejects the response.

  • Assertion timing issues: The SAML assertion has NotBefore and NotOnOrAfter timestamps. If the current time is outside this window (due to clock skew), the assertion is invalid.

  • AudienceRestriction mismatch: The assertion specifies which service it’s valid for (the “audience”). AWS expects the audience to be https://signin.aws.amazon.com/saml.

  • Signature validation failure: The assertion is signed with a certificate. If the certificate in IAM Identity Center doesn’t match the one the IdP uses to sign, validation fails.

  • NameID format mismatch: AWS requires a NameID to identify the user. The IdP might be sending it in the wrong format (transient vs. persistent vs. emailAddress).

  • Certificate expired: If the IdP’s certificate has expired, or AWS is using an expired copy of the certificate, signature validation fails.

The Fix

Step 1: Install SAML Debugging Tool

The easiest way to diagnose SAML issues is to see the actual SAML response. Install the SAML-tracer browser extension:

  • Firefox: Search for “SAML-tracer” on addons.mozilla.org
  • Chrome: Search for “SAML-tracer” on the Chrome Web Store

Step 2: Capture the SAML Response

  1. Open the extension (icon appears in the browser toolbar)
  2. Navigate to your IAM Identity Center Access Portal URL
  3. Start the login flow
  4. Authenticate with your IdP
  5. The extension will capture the SAML request and response
  6. Click on the SAML Response (POST) to view it

Step 3: Decode and Inspect the Assertion

The SAML Response is posted to AWS as a base64-encoded XML document; the extension decodes it automatically. Look for these fields in the decoded XML:

<saml:Assertion ... IssueInstant="2026-02-12T14:30:00Z">
  ...
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      user@example.com
    </saml:NameID>
    ...
  </saml:Subject>
  <!-- the validity window and audience live on saml:Conditions, not on the Assertion itself -->
  <saml:Conditions
    NotBefore="2026-02-12T14:25:00Z"
    NotOnOrAfter="2026-02-12T14:35:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  ...
</saml:Assertion>

Checklist: Verify Assertion Validity

Use this checklist to diagnose:

  • NotBefore timestamp has passed (current time > NotBefore)
  • NotOnOrAfter timestamp has not yet passed (current time < NotOnOrAfter)
  • Current time is within the window (use a timestamp converter if needed)
  • AudienceRestriction contains https://signin.aws.amazon.com/saml
  • NameID is populated and in a reasonable format
  • Issuer matches the expected IdP entity ID
  • XML signature is present (look for <ds:Signature>)
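A script that runs the checklist above against a captured response, added here as an example and not code from the original post. It assumes you copied the SAML Response from SAML-tracer as base64 and know the request ID AWS sent, the expected audience and your IdP’s entity ID; the embedded sample response is constructed, and `skew_seconds` is a hypothetical tolerance knob for the clock-skew case.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (not a real capture): the XML SAML-tracer shows after base64-decoding.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2026-02-12T14:30:00Z" InResponseTo="_req123">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-02-12T14:30:00Z">
    <saml:Issuer>https://idp.example.com/entity</saml:Issuer>
    <ds:Signature>placeholder, not a real XML signature</ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-02-12T14:25:00Z" NotOnOrAfter="2026-02-12T14:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # what the POST body carries

def saml_time(s):
    """Parse a SAML UTC timestamp such as 2026-02-12T14:30:00Z (fractional seconds allowed)."""
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(b64, expected_audience, expected_issuer, expected_request_id,
                   now, skew_seconds=0):
    """Run the checklist; returns {check: (ok, detail)}. skew_seconds widens the window."""
    root = ET.fromstring(base64.b64decode(b64))
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if cond is None:
        return {"assertion": (False, "Response has no saml:Assertion/saml:Conditions")}
    skew = dt.timedelta(seconds=skew_seconds)
    nb, noa = saml_time(cond.get("NotBefore")), saml_time(cond.get("NotOnOrAfter"))
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    nid = a.find("saml:Subject/saml:NameID", NS)
    issuer = (a.findtext("saml:Issuer", "", NS) or "").strip()
    return {
        "in_response_to": (root.get("InResponseTo") == expected_request_id, root.get("InResponseTo")),
        "not_before": (nb - skew <= now, f"NotBefore={nb.isoformat()}"),
        "not_on_or_after": (now < noa + skew, f"NotOnOrAfter={noa.isoformat()}"),
        "audience": (expected_audience in audiences, ", ".join(audiences) or "none"),
        "name_id": (nid is not None and bool((nid.text or "").strip()), nid.get("Format") if nid is not None else "missing"),
        "issuer": (issuer == expected_issuer, issuer),
        "signature": (root.find(".//ds:Signature", NS) is not None, "ds:Signature element"),
    }
def failed_checks(results):
    return [name for name, (ok, _) in results.items() if not ok]  # checklist order
```

The script only checks presence of the signature element; whether it verifies is what Step 4 (certificate comparison) is for.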

Step 4: Verify Certificate in IAM Identity Center

Go to IAM Identity Center > Settings > Identity source > Manage metadata.

Download the metadata XML from your IdP and compare the certificate in the XML to the certificate configured in IAM Identity Center.

If they don’t match:

  1. Copy the certificate from the IdP’s metadata
  2. Upload it to IAM Identity Center metadata
  3. Save changes
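Comparing the two certificates by SHA-256 fingerprint instead of eyeballing base64, added here as an example and not the post’s own code. It assumes the IdP metadata XML is saved locally and the certificate currently in IAM Identity Center is pasted as PEM or bare base64; the embedded metadata and its certificate value are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata; the X509Certificate body is a placeholder blob, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_text):
    """SHA-256 fingerprint of a certificate given as PEM or bare base64; whitespace is ignored."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every signing cert the IdP publishes (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", MD):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never sign assertions
        for cert in kd.iterfind(".//ds:X509Certificate", MD):
            found.append(cert_fingerprint(cert.text or ""))
    return found

def cert_matches_idp(configured_cert_text, metadata_xml):
    """True when the cert configured in IAM Identity Center is one the IdP signs with."""
    return cert_fingerprint(configured_cert_text) in signing_cert_fingerprints(metadata_xml)
```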

Step 5: Verify IdP Configuration

Check your IdP’s SAML configuration:

Assertion Consumer Service (ACS) URL: Should be https://signin.aws.amazon.com/saml (or your custom domain)

Service Provider (SP) Entity ID / Audience: Should match what you see in IAM Identity Center

NameID Format: Should be set to emailAddress or persistent (check what AWS expects in the metadata)

Assertion Expiry: Typically 5 minutes (300 seconds). If it’s longer or shorter, adjust it.

Step 6: Check Clock Skew

If NotBefore and NotOnOrAfter are close together and your current time is outside the window, there’s clock skew.

Ensure both the IdP server and AWS are synchronized to NTP:

# On IdP server
timedatectl status

# On your local machine
timedatectl status

If clocks are off by more than 5 minutes, sync them to NTP.

How to Run This

  1. Install SAML-tracer extension
  2. Navigate to the Access Portal and start login
  3. Authenticate with IdP
  4. Open SAML-tracer and view the SAML Response
  5. Decode the response and check the assertion validity window
  6. Verify audience, NameID, and issuer
  7. Compare certificate in IdP metadata to certificate in IAM Identity Center
  8. Update metadata if certificate is out of sync
  9. Retry login

Is This Safe?

Yes. SAML-tracer is a read-only debugging extension. It doesn’t modify anything; it only captures the SAML requests and responses between your IdP and AWS. The SAML assertion is temporary and expires in minutes. An exported trace still contains the signed assertion and the user’s attributes, though, so treat saved captures as sensitive and delete them once the issue is resolved.

Key Takeaway

SAML errors are usually cryptic, but the actual error is in the assertion itself. Use SAML-tracer to see what the IdP is sending. Check the assertion validity window, audience, and certificate. Once you can see the actual SAML response, debugging becomes straightforward.


Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.