You’re trying to log into the AWS SSO Access Portal, and something goes wrong. Maybe you get stuck in a redirect loop where you’re bounced between the IdP and AWS repeatedly. Maybe the page goes blank after you enter your credentials. Or maybe you’re authenticated with your identity provider, but AWS refuses to let you in. In this post, I’ll show you how to diagnose and fix these issues.

The Problem

Users navigating to the AWS SSO Access Portal URL (e.g., https://d-xxxxxxxxxx.awsapps.com/start/) experience an infinite redirect loop, a blank screen after authentication, or are bounced back to the login page immediately after successful identity provider authentication.

Common behaviors you might observe:

Symptom                                              | Cause category
-----------------------------------------------------|-----------------------------------------------------------
Redirect loop between IdP and AWS                    | SAML assertion issue or browser cookie problem
Blank white screen after login                       | JavaScript failure or browser extension blocking resources
Authenticated with IdP but AWS shows login again     | SAML assertion timing or signature mismatch
Works in private/incognito mode but not normal mode  | Browser cookie or extension conflict
Works on mobile but not desktop                      | Corporate proxy or DNS issue

Why Does This Happen?

  • Browser cookie issue: IAM Identity Center uses cookies to maintain session state across redirects. If cookies are blocked, disabled, or cleared mid-session, the portal can’t maintain state and loops.

  • Browser extension blocking third-party cookies: Ad blockers, privacy extensions, and cookie managers often block third-party cookies from awsapps.com. This breaks the redirect flow.

  • SAML assertion timing issue: SAML assertions have a time window (NotBefore and NotOnOrAfter). If there’s more than a 5-minute clock skew between the IdP and AWS, the assertion is invalid.

  • IdP session not established: If the user’s session with the IdP expires during the authentication flow, the SAML response will fail validation.

  • SAML signature validation failure: If the certificate used to sign the SAML assertion doesn’t match what AWS has on file, the signature validation fails.

The Fix

The quickest diagnostic is to test in a private/incognito browser window with no extensions:

  1. Open an incognito/private window
  2. Navigate to https://d-xxxxxxxxxx.awsapps.com/start/
  3. Complete authentication
  4. If it works, the issue is browser-related

Step 1: Clear Cookies and Cache

If the private window test works, the issue is likely cookies or cache:

  1. In your normal browser, open Developer Tools (F12)
  2. Go to Application > Cookies > Search for awsapps.com
  3. Delete all cookies for awsapps.com
  4. Go to Application > Local Storage > Delete entries for https://d-xxxxxxxxxx.awsapps.com
  5. Clear browser cache
  6. Try logging in again

Step 2: Disable Browser Extensions Temporarily

If clearing cookies doesn’t work, disable all extensions:

  1. Open Chrome: chrome://extensions > Disable all
  2. Open Firefox: about:addons > Disable all extensions
  3. Try accessing the portal
  4. If it works, re-enable extensions one by one to find the culprit

Common problematic extensions: uBlock Origin, Privacy Badger, 1Password, LastPass

Step 3: Check for Clock Skew

Clock skew between IdP and AWS can cause assertion validation failures. Ensure both systems are synchronized to NTP:

# Check your local system time
timedatectl status

# Compare with AWS NTP
ntpdate -q time.aws.amazon.com

If the clock is off by more than 5 minutes, turn on NTP synchronization:

sudo timedatectl set-ntp on

Step 4: Analyze SAML Response

Use a SAML debugging browser extension (SAML-tracer for Firefox/Chrome):

  1. Install SAML-tracer extension
  2. Attempt to log in
  3. Open SAML-tracer and find the SAML Response
  4. Click the response to view the decoded XML
  5. Check:
    • The <saml:Conditions NotBefore="..." NotOnOrAfter="..."> element inside the assertion carries valid timestamps
    • The current time is within this window
    • <saml:AudienceRestriction> contains https://signin.aws.amazon.com/saml
    • No signature validation warnings
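As an added example (not code from the original post or from SAML-tracer), the following Python script applies the Step 4 checks to a decoded SAML Response pasted out of SAML-tracer: the Conditions validity window with the 5-minute skew allowance, the expected audience, and whether the assertion carries a signature element at all. The sample response, its timestamps and the "now" values are constructed; it does not cryptographically verify the signature, which needs the IdP certificate and an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, shaped like a response decoded in SAML-tracer (not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_constructed-1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

EXPECTED_AUDIENCE = "https://signin.aws.amazon.com/saml"
MAX_SKEW = timedelta(minutes=5)  # the clock-skew tolerance discussed in the post


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z (None stays None)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, now, expected_audience=EXPECTED_AUDIENCE, max_skew=MAX_SKEW):
    """Return a list of findings; an empty list means every Step 4 check passed."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the response"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no <saml:Conditions>, so the validity window cannot be checked")
    else:
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        # Apply the skew allowance on both edges of the window.
        if not_before is not None and now < not_before - max_skew:
            findings.append(f"not yet valid: NotBefore={not_before.isoformat()}")
        if not_on_or_after is not None and now >= not_on_or_after + max_skew:
            findings.append(f"expired: NotOnOrAfter={not_on_or_after.isoformat()}")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"audience mismatch: expected {expected_audience}, got {audiences}")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion carries no <ds:Signature> element")
    return findings
```

Paste the decoded XML from SAML-tracer into SAMPLE_RESPONSE and pass the wall-clock time of the login attempt as `now` to reproduce the check against a real response.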

How to Run This

  1. Test in private/incognito mode first
  2. If it works, clear cookies and cache in normal mode
  3. Disable all extensions and test
  4. Check system clock synchronization
  5. Use SAML-tracer to inspect the actual SAML response
  6. Verify IdP session is active and not expired
  7. Try from a different network (to rule out proxy/firewall issues)

Is This Safe?

Yes. Clearing cookies, disabling extensions, and analyzing SAML responses don’t modify any AWS resources or configuration. Clock synchronization is a standard system maintenance task.

Key Takeaway

Most SSO login issues are caused by browser state (cookies, extensions, or cached data). Always test in a private window first. If that works, the problem is browser-related and not an IAM Identity Center configuration issue.


Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.