I have a user pool set up with AWS Cognito to which I have added a SAML identity provider. I also have users added directly to the user pool.
After following the documentation here I tried to log in via SP-initiated SSO. Cognito redirected me to the configured SAML IdP, where I was prompted for the credentials. I authenticate and the SAML response is POSTed back to the Cognito SAML ACS endpoint (which is https://<cognito auth domain>/saml2/idpresponse). At this point Cognito redirects me to an error page (/error?null) with this rather unhelpful error that I mention in the subject.
I've scoured for similar problems faced by anyone but haven't found anything yet (a similar error has been encountered by someone, but in the context of AWS Amplify and not when using SAML).
Not sure how to debug this; I believe I have done the right configuration in Cognito as well as the SAML IdP (Okta). Any pointers will be helpful.
Figured it out. The App Client was set up before this SAML IdP was added to the Cognito user pool. When it was added it only had the native Cognito user pool enabled. When you add other IdPs for federation you have to go back to the App Client configuration and enable the IdPs explicitly. Once I did that, the error was gone.
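The check the answer describes, scripted, as an added example that is not part of the original post and not AWS-provided code. It compares the app client's `SupportedIdentityProviders` against the identity providers attached to the user pool and builds the `update_user_pool_client` call that adds the missing ones. The sample `describe-user-pool-client` and `list-identity-providers` documents below are constructed; the pool ID, client ID and provider name `Okta` are placeholders; `fix_app_client` assumes `boto3` and AWS credentials are available, and the `CARRY_OVER_FIELDS` list is my reading of which client attributes `UpdateUserPoolClient` resets to defaults when omitted.

```python
"""Diagnose and fix an app client that does not enable a federated IdP.

Added example (not from the original post). IDs and names are placeholders;
the two sample documents are constructed to mimic the shape of the
describe-user-pool-client and list-identity-providers responses.
"""
from typing import Dict, List

# The user pool's own directory appears as the provider named "COGNITO".
NATIVE_PROVIDER = "COGNITO"

# Assumption: UpdateUserPoolClient is a full replace, so any of these that
# are present on the client must be passed back or they reset to defaults.
# Fields like ClientSecret, CreationDate, LastModifiedDate are read-only and
# must NOT be passed, which is why this is an allow-list.
CARRY_OVER_FIELDS = (
    "ClientName", "RefreshTokenValidity", "AccessTokenValidity",
    "IdTokenValidity", "TokenValidityUnits", "ReadAttributes",
    "WriteAttributes", "ExplicitAuthFlows", "CallbackURLs", "LogoutURLs",
    "DefaultRedirectURI", "AllowedOAuthFlows", "AllowedOAuthScopes",
    "AllowedOAuthFlowsUserPoolClient", "PreventUserExistenceErrors",
    "EnableTokenRevocation", "AuthSessionValidity",
)

# Constructed: the state from the post, a client created before the SAML IdP.
SAMPLE_CLIENT: Dict = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ClientId": "1example23456789",
    "ClientName": "web-app",
    "ClientSecret": "REDACTED",          # read-only, must not be echoed back
    "SupportedIdentityProviders": [NATIVE_PROVIDER],
    "CallbackURLs": ["https://app.example.com/callback"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email"],
    "AllowedOAuthFlowsUserPoolClient": True,
}
# Constructed: the pool has one SAML provider attached.
SAMPLE_PROVIDERS: List[Dict] = [{"ProviderName": "Okta", "ProviderType": "SAML"}]


def provider_names(providers: List[Dict]) -> List[str]:
    """Names of all federated IdPs attached to the pool."""
    return [p["ProviderName"] for p in providers]


def missing_providers(client: Dict, pool_providers: List[str]) -> List[str]:
    """Pool IdPs that the app client does not list, i.e. the cause of the error."""
    enabled = set(client.get("SupportedIdentityProviders", []))
    return [p for p in pool_providers if p not in enabled]


def build_update(client: Dict, add_providers: List[str]) -> Dict:
    """Parameters for update_user_pool_client that enable add_providers
    while preserving the client's existing configuration."""
    params = {"UserPoolId": client["UserPoolId"], "ClientId": client["ClientId"]}
    for field in CARRY_OVER_FIELDS:
        if field in client:
            params[field] = client[field]
    current = set(client.get("SupportedIdentityProviders", []))
    params["SupportedIdentityProviders"] = sorted(current | set(add_providers))
    return params


def fix_app_client(user_pool_id: str, client_id: str, apply: bool = False) -> Dict:
    """Run the check against a real pool; only writes when apply=True."""
    import boto3  # assumed installed and configured with credentials
    idp = boto3.client("cognito-idp")
    client = idp.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    providers = []
    for page in idp.get_paginator("list_identity_providers").paginate(
            UserPoolId=user_pool_id):
        providers.extend(page["Providers"])
    missing = missing_providers(client, provider_names(providers))
    params = build_update(client, missing)
    if missing and apply:
        idp.update_user_pool_client(**params)
    return {"missing": missing, "update": params}


if __name__ == "__main__":
    gap = missing_providers(SAMPLE_CLIENT, provider_names(SAMPLE_PROVIDERS))
    print("IdPs not enabled on the app client:", gap)
    print("update_user_pool_client params:", build_update(SAMPLE_CLIENT, gap))
```

Run with `apply=False` first and inspect the returned `update` dict: it should contain every existing callback URL, OAuth flow and scope plus the new provider name, and nothing read-only. The same fix from the CLI is `aws cognito-idp update-user-pool-client --supported-identity-providers COGNITO Okta ...`, with the same caveat that all other settings you want to keep must be repeated on that command.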