
How do I get AssumeRolewithSAML to work with CLI when same request works with Postman


I have been trying identity federation using SAML from a cloud-based SAML provider to an application hosted in an AWS S3 bucket. The SAML IdP is posting the SAMLResponse to the configured ACS (an API Gateway endpoint in the web app). When I use this SAMLResponse with Postman to call AssumeRoleWithSAML to get STS tokens, it works fine with a proper 200 response. But the same SAMLResponse is not working using the CLI (AWS Command Line Interface); I get the error below. I tried with AWS CLI version 1.x as well as the latest 2.x, and the response is the same.

Command:

aws sts assume-role-with-saml --role-arn arn:aws:iam::123456789:role/xxxxx --principal-arn arn:aws:iam::123456789:saml-provider/xxxx-saml-provider --saml-assertion file://samlresponse.log

Error:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException;

I could not find any good help in knowing what's wrong, and the CLI is not giving any meaningful error such as "Token Expired" etc.

The following is a sample request using Postman that works fine:

https://sts.amazonaws.com/?Version=2011-06-15&Action=AssumeRoleWithSAML&RoleArn=arn:aws:iam::123456789:role/xxxx-saml&PrincipalArn=arn:aws:iam::123456789:saml-provider/xxxx-saml-provider&SAMLAssertion=PD94bWwgdmVyc2lv===


Solution

  • This is resolved. The SAMLResponse used was URL-encoded, and for --assume-role-with-saml the base64 value was incompatible. Once the response was decoded with the decodeURI function, it worked as expected.
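The mechanism behind the fix, as an added example that is not part of the question or the answer above: the IdP's HTTP-POST binding delivers SAMLResponse as an application/x-www-form-urlencoded field, so the base64 characters `+`, `/` and `=` arrive at the ACS as `%2B`, `%2F` and `%3D`. Pasting that value into a query string in Postman works because the HTTP layer percent-decodes it before STS sees it; `--saml-assertion file://...` sends the file contents byte for byte, and `%` is not a base64 character, hence "Invalid base64 SAMLResponse". The script below normalises a captured SAMLResponse for the CLI and, since the CLI gives no "expired" hint, also reports the assertion's validity window. It assumes only the standard library; the sample Response and file name are constructed for the example.

```python
"""Pre-flight check for a SAMLResponse before passing it to
`aws sts assume-role-with-saml --saml-assertion file://...`.

Added example, not code from the original post. Assumes the SAMLResponse was
captured from a form-encoded POST to the ACS (application/x-www-form-urlencoded).
"""
import base64
import binascii
import re
import sys
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_saml_response(raw: str) -> str:
    """Return the SAMLResponse as the plain base64 string STS expects.

    Percent-decodes only when %XX escapes are present. unquote (not
    unquote_plus) is used deliberately: base64 never contains spaces, and a
    literal '+' in an already-decoded value must not become a space.
    """
    value = raw.strip()
    if "%" in value:
        value = urllib.parse.unquote(value)
    value = "".join(value.split())  # some tools wrap base64 at 76 columns
    if not B64_RE.match(value) or len(value) % 4:
        raise ValueError("SAMLResponse is not valid base64 after decoding")
    return value


def _parse_ts(ts):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z (fractional seconds allowed)."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_assertion(b64: str, now_iso: str = None) -> dict:
    """Decode the base64 XML and report the assertion's validity window,
    the check STS performs but the CLI does not explain in its error."""
    try:
        xml_bytes = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc
    root = ET.fromstring(xml_bytes)  # local, already-captured input
    if root.tag != "{%s}Response" % SAML_NS["samlp"]:
        raise ValueError(f"unexpected root element {root.tag}")
    cond = root.find(".//saml:Assertion/saml:Conditions", SAML_NS)
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before = _parse_ts(cond.get("NotBefore")) if cond is not None else None
    not_after = _parse_ts(cond.get("NotOnOrAfter")) if cond is not None else None
    return {
        "not_before": not_before,
        "not_on_or_after": not_after,
        "not_yet_valid": not_before is not None and now < not_before,
        "expired": not_after is not None and now >= not_after,  # NotOnOrAfter is exclusive
    }


# Constructed sample: a minimal unsigned Response, base64-encoded, then
# form-encoded the way the POST binding delivers it to the ACS.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z"><saml:Assertion ID="_a1" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z"><saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
SAMPLE_FORM_ENCODED = urllib.parse.quote(SAMPLE_B64, safe="")

if __name__ == "__main__":
    # Usage: python saml_check.py samlresponse.log > samlresponse.b64
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FORM_ENCODED
    clean = normalize_saml_response(src)
    info = inspect_assertion(clean)
    print(f"valid {info['not_before']} .. {info['not_on_or_after']} "
          f"expired={info['expired']} not_yet_valid={info['not_yet_valid']}", file=sys.stderr)
    print(clean)
```

Run it on the captured file and point `--saml-assertion file://` at the output. One caveat on the decoding step in the answer: JavaScript's decodeURI does not decode the reserved characters `+`, `/` and `=` (it leaves `%2B`, `%2F` and `%3D` in place), so for a SAMLResponse that was fully form-encoded use decodeURIComponent, or a complete percent-decode such as urllib.parse.unquote as above. Percent-decoding is also the only normalisation the CLI needs; do not additionally base64-decode the value, since AssumeRoleWithSAML takes the base64 text itself.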