aws-amplify / amplify-backend

Home to all tools related to Amplify's code-first DX (Gen 2) for building fullstack apps on AWS
Apache License 2.0

Using SAML as external provider does not deploy in Gen 2 #855

Closed ideen1 closed 10 months ago

ideen1 commented 10 months ago

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
System:
  OS: macOS 13.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 259.36 MB / 16.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 16.17.0 - /usr/local/bin/node
  Yarn: 1.22.19 - /usr/local/bin/yarn
  npm: 8.15.0 - /usr/local/bin/npm
Browsers:
  Chrome: 120.0.6099.129
  Safari: 16.2
npmPackages:
  @ampproject/toolbox-optimizer: undefined ()
  @aws-amplify/backend: ^0.6.0 => 0.6.0
  @aws-amplify/backend-cli: ^0.9.2 => 0.9.2
  @aws-amplify/ui-react: ^6.0.7 => 6.0.7
  @aws-amplify/ui-react-internal: undefined ()
  @aws-cdk/dns_validated_certificate_handler: 0.0.0
  @babel/core: undefined ()
  @babel/runtime: 7.15.4
  @edge-runtime/cookies: 4.0.2
  @edge-runtime/ponyfill: 2.4.1
  @edge-runtime/primitives: 4.0.2
  @emotion/react: ^11.11.1 => 11.11.1
  @emotion/styled: ^11.11.0 => 11.11.0
  @hapi/accept: undefined ()
  @lexical/react: ^0.12.2 => 0.12.2
  @mswjs/interceptors: undefined ()
  @mui/icons-material: ^5.14.16 => 5.14.16
  @mui/material: ^5.14.17 => 5.14.17
  @mui/x-data-grid: ^6.18.1 => 6.18.1
  @napi-rs/triples: undefined ()
  @next/font: undefined ()
  @next/react-dev-overlay: undefined ()
  @opentelemetry/api: undefined ()
  @segment/ajv-human-errors: undefined ()
  @types/aws-lambda: ^8.10.130 => 8.10.130
  @types/fast-levenshtein: ^0.0.4 => 0.0.4
  @types/lodash: ^4.14.201 => 4.14.201
  @types/node: 20.8.9 => 20.8.9 (20.10.5)
  @types/react: 18.2.33 => 18.2.33
  @types/react-dom: 18.2.14 => 18.2.14
  @types/unzipper: ^0.10.9 => 0.10.9
  @vercel/nft: undefined ()
  @vercel/og: undefined ()
  acorn: undefined ()
  amphtml-validator: undefined ()
  anser: undefined ()
  arg: undefined ()
  assert: undefined ()
  async-retry: undefined ()
  async-sema: undefined ()
  autoprefixer: 10.4.16 => 10.4.16
  aws-amplify: ^6.0.9 => 6.0.9
  aws-amplify/adapter-core: undefined ()
  aws-amplify/analytics: undefined ()
  aws-amplify/analytics/kinesis: undefined ()
  aws-amplify/analytics/kinesis-firehose: undefined ()
  aws-amplify/analytics/personalize: undefined ()
  aws-amplify/analytics/pinpoint: undefined ()
  aws-amplify/api: undefined ()
  aws-amplify/api/server: undefined ()
  aws-amplify/auth: undefined ()
  aws-amplify/auth/cognito: undefined ()
  aws-amplify/auth/cognito/server: undefined ()
  aws-amplify/auth/server: undefined ()
  aws-amplify/datastore: undefined ()
  aws-amplify/in-app-messaging: undefined ()
  aws-amplify/in-app-messaging/pinpoint: undefined ()
  aws-amplify/push-notifications: undefined ()
  aws-amplify/push-notifications/pinpoint: undefined ()
  aws-amplify/storage: undefined ()
  aws-amplify/storage/s3: undefined ()
  aws-amplify/storage/s3/server: undefined ()
  aws-amplify/storage/server: undefined ()
  aws-amplify/utils: undefined ()
  aws-cdk-lib: ^2.110.1 => 2.110.1
  aws-lambda: ^1.0.7 => 1.0.7
  babel-packages: undefined ()
  browserify-zlib: undefined ()
  browserslist: undefined ()
  buffer: undefined ()
  bytes: undefined ()
  ci-info: undefined ()
  cli-select: undefined ()
  client-only: 0.0.1
  comment-json: undefined ()
  compression: undefined ()
  conf: undefined ()
  constants-browserify: undefined ()
  content-disposition: undefined ()
  content-type: undefined ()
  cookie: undefined ()
  cross-spawn: undefined ()
  crypto-browserify: undefined ()
  css.escape: undefined ()
  data-uri-to-buffer: undefined ()
  debug: undefined ()
  devalue: undefined ()
  domain-browser: undefined ()
  edge-runtime: undefined ()
  eslint: 8.52.0 => 8.52.0
  eslint-config-next: 13.5.6 => 13.5.6
  events: undefined ()
  fast-levenshtein: ^3.0.0 => 3.0.0 (2.0.6)
  find-cache-dir: undefined ()
  find-up: undefined ()
  fresh: undefined ()
  get-orientation: undefined ()
  glob: undefined ()
  gzip-size: undefined ()
  http-proxy: undefined ()
  http-proxy-agent: undefined ()
  https-browserify: undefined ()
  https-proxy-agent: undefined ()
  icss-utils: undefined ()
  ignore-loader: undefined ()
  image-size: undefined ()
  is-animated: undefined ()
  is-docker: undefined ()
  is-wsl: undefined ()
  jest-worker: undefined ()
  json5: undefined ()
  jsonwebtoken: undefined ()
  katex: ^0.16.9 => 0.16.9
  lexical: ^0.12.2 => 0.12.2
  loader-runner: undefined ()
  loader-utils: undefined ()
  lodash.curry: undefined ()
  lru-cache: undefined ()
  micromatch: undefined ()
  mini-css-extract-plugin: undefined ()
  moment: ^2.29.4 => 2.29.4
  nanoid: undefined ()
  native-url: undefined ()
  neo-async: undefined ()
  next: 13.5.6 => 13.5.6
  node-fetch: undefined ()
  node-html-parser: undefined ()
  ora: undefined ()
  os-browserify: undefined ()
  p-limit: undefined ()
  path-browserify: undefined ()
  platform: undefined ()
  postcss: 8.4.31 => 8.4.31
  postcss-flexbugs-fixes: undefined ()
  postcss-modules-extract-imports: undefined ()
  postcss-modules-local-by-default: undefined ()
  postcss-modules-scope: undefined ()
  postcss-modules-values: undefined ()
  postcss-preset-env: undefined ()
  postcss-safe-parser: undefined ()
  postcss-scss: undefined ()
  postcss-value-parser: undefined ()
  process: undefined ()
  punycode: undefined ()
  querystring-es3: undefined ()
  raw-body: undefined ()
  react: 18.2.0 => 18.2.0
  react-builtin: undefined ()
  react-dom: 18.2.0 => 18.2.0
  react-dom-builtin: undefined ()
  react-dom-experimental-builtin: undefined ()
  react-experimental-builtin: undefined ()
  react-is: 18.2.0
  react-pdf: ^7.6.0 => 7.6.0
  react-refresh: 0.12.0
  react-server-dom-turbopack-builtin: undefined ()
  react-server-dom-turbopack-experimental-builtin: undefined ()
  react-server-dom-webpack-builtin: undefined ()
  react-server-dom-webpack-experimental-builtin: undefined ()
  regenerator-runtime: 0.13.4
  sass-loader: undefined ()
  scheduler-builtin: undefined ()
  scheduler-experimental-builtin: undefined ()
  schema-utils: undefined ()
  semver: undefined ()
  send: undefined ()
  server-only: 0.0.1
  setimmediate: undefined ()
  shell-quote: undefined ()
  source-map: undefined ()
  stacktrace-parser: undefined ()
  stream-browserify: undefined ()
  stream-http: undefined ()
  string-hash: undefined ()
  string_decoder: undefined ()
  strip-ansi: undefined ()
  superstruct: undefined ()
  tailwindcss: 3.3.5 => 3.3.5
  tar: undefined ()
  terser: undefined ()
  text-table: undefined ()
  timers-browserify: undefined ()
  tty-browserify: undefined ()
  typescript: ^5.3.3 => 5.3.3 (4.4.4)
  ua-parser-js: undefined ()
  undici: undefined ()
  unistore: undefined ()
  unzipper: ^0.10.14 => 0.10.14
  util: undefined ()
  vm-browserify: undefined ()
  watchpack: undefined ()
  web-vitals: undefined ()
  webpack: undefined ()
  webpack-sources: undefined ()
  ws: undefined ()
  zod: undefined ()
npmGlobalPackages:
  @angular/cli: 14.2.2
  @aws-amplify/cli: 10.0.0
  corepack: 0.12.1
  eslint: 8.29.0
  firebase-tools: 11.24.0
  http-server: 14.1.1
  npm: 8.15.0
  yarn: 1.22.19
```

Describe the bug

When using the new defineAuth function in Gen 2, with the saml external provider, the sandbox fails to deploy the Cognito resources with the following error:

Identity provider arn:ca-central-1:iam::<AWS Account ID>:saml-provider/testSaml is not valid for account <AWS Account ID> (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException; Request ID: <REDACTED>; Proxy: null)

Expected behavior

I would expect the Cognito resources to be created/updated with the SAML provider.

Reproduction steps

Create the defineAuth function with the config defined below under Code Snippet. Run npx amplify sandbox or push to the repo for deployment.

Code Snippet

```ts
// The imports and the surrounding defineAuth call are added so the posted
// fragment compiles; the report itself contained only the externalProviders block.
import { defineAuth } from "@aws-amplify/backend";
import {
  ProviderAttribute,
  UserPoolIdentityProviderSamlMetadata,
} from "aws-cdk-lib/aws-cognito";

export const auth = defineAuth({
  loginWith: {
    email: true, // assumed: the report shows only the external provider
    externalProviders: {
      saml: {
        // SAML IdP metadata fetched from the IdP's metadata URL (redacted in the report)
        metadata: UserPoolIdentityProviderSamlMetadata.url("<REDACTED>"),
        idpSignout: true,
        // Map the IdP's SAML assertion claims onto Cognito standard attributes
        attributeMapping: {
          email: ProviderAttribute.other(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          ),
          givenName: ProviderAttribute.other(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
          ),
          familyName: ProviderAttribute.other(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
          ),
          fullname: ProviderAttribute.other(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
          ),
        },
      },
      callbackUrls: ["http://localhost:3000/", "<REDACTED>"],
      logoutUrls: ["http://localhost:3000/", "<REDACTED>"],
    },
  },
});
```

cwomack commented 10 months ago

Hello @ideen1, and sorry to hear the sandbox is giving you trouble with this. Is it working properly on a non-sandbox deployment for your Gen2 app, or are both giving this error?

It may be that the sandbox environment doesn't have the necessary permissions on the Cognito resources to perform the SAML auth flow. Some adjustments to the fields within defineAuth may be needed as well. To ensure we can help get this answered better, I'll transfer this issue to our amplify-backend repo for better assistance.

ideen1 commented 10 months ago

@cwomack The non-sandbox deployment is also hitting the same error.

ideen1 commented 10 months ago

After @cwomack moved this issue to the correct repo (this one), I identified a similar issue (#766) that is caused by (#796).

ykethan commented 10 months ago

Hey @ideen1, thank you for reaching out. As you have pointed out, the issue is currently being tracked on https://github.com/aws-amplify/amplify-backend/issues/766; the Amplify team should provide an update on the linked issue once the fix rolls out. Closing this issue as a duplicate; please feel free to add any additional information on the linked issue.
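For readers triaging the NotAuthorizedException quoted in the report: Cognito expects the SAML provider to be referenced by an IAM ARN of the form arn:<partition>:iam::<account-id>:saml-provider/<name>, where the region field is empty because IAM is a global service, and the ARN printed in the error does not match that shape. As an added example (not code from this issue or from amplify-backend), the checker below reports which fields of such an ARN are off; the account id and provider name are constructed placeholders.

```typescript
// Added example: validate an IAM SAML provider ARN before it reaches Cognito.
// Valid shape: arn:<partition>:iam::<12-digit account>:saml-provider/<name>

interface ParsedArn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

const AWS_PARTITIONS = new Set(["aws", "aws-cn", "aws-us-gov"]);

// Split an ARN into its fields; the resource part may itself contain colons,
// so everything after the fifth separator is joined back together.
function parseArn(arn: string): ParsedArn | undefined {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") return undefined;
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(":") };
}

// Returns the reasons the ARN would not be accepted as a SAML provider ARN
// owned by `expectedAccount`; an empty list means it is well formed.
function samlProviderArnProblems(arn: string, expectedAccount: string): string[] {
  const p = parseArn(arn);
  if (!p) return ["not an ARN with at least five ':'-separated fields"];
  const problems: string[] = [];
  if (!AWS_PARTITIONS.has(p.partition)) {
    problems.push(`partition '${p.partition}' is not a known AWS partition`);
  }
  if (p.service !== "iam") problems.push(`service must be 'iam', got '${p.service}'`);
  if (p.region !== "") problems.push(`IAM ARNs carry no region, got '${p.region}'`);
  if (!/^\d{12}$/.test(p.account)) problems.push("account id must be 12 digits");
  else if (p.account !== expectedAccount) problems.push("account id is not the deploying account");
  if (!/^saml-provider\/[\w._-]+$/.test(p.resource)) {
    problems.push(`resource must be 'saml-provider/<name>', got '${p.resource}'`);
  }
  return problems;
}

// Constructed samples: the shape quoted in the error (placeholder account id)
// next to a well-formed ARN for the same provider name.
const ACCOUNT = "123456789012";
const reportedArn = `arn:ca-central-1:iam::${ACCOUNT}:saml-provider/testSaml`;
const wellFormedArn = `arn:aws:iam::${ACCOUNT}:saml-provider/testSaml`;
console.log(samlProviderArnProblems(reportedArn, ACCOUNT)); // partition problem
```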