Tags: amazon-web-services, saml-2.0

Unable to login to AWS via SAML getting Response signature invalid


After replacing the expired SAML certificate with a new certificate in AWS for GOOGLE ADP, I get the error below when accessing AWS accounts via the SAML method.

Response signature invalid (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 255a397b-df46-457b-b88e-651342d045d0; Proxy: null). Please try again.


I tried updating the SAML XML file via the CLI following this doc, but the issue is still there.


Solution

  • The certificate used for the signature didn't match the one uploaded in AWS. You can compare the certificate used to sign the SAML assertion with the one configured in AWS. This ensures that the SAML response is properly signed and trusted by AWS, so first you need to:

    1 - Capture the SAML assertion by attempting to log in to AWS; you can use the SAML-tracer plugin in Chrome (or the equivalent if you use another browser). The SAML assertion is base64-encoded in the response, so you need to decode it and check the certificate used to sign the SAML assertion: look for the <ds:X509Certificate> tag inside the Signature tag.

    2 - Check the SAML metadata XML file that was uploaded to AWS, and look for the <ds:X509Certificate> tag within the KeyDescriptor use="signing" element.

    You can compare the two certificates. Hope this answers your question.
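The two-step comparison from the answer above, carried out in code. This is an added example and not part of the original post: it decodes a captured SAMLResponse value, pulls every <ds:X509Certificate> found under a <ds:Signature>, pulls the certificates under KeyDescriptor use="signing" (or with no use attribute, which in SAML metadata means both signing and encryption) from the metadata file, and compares SHA-256 fingerprints of the DER bytes so that line wrapping or PEM formatting differences do not cause a false mismatch. The SAML response, the metadata documents and the certificate contents are all constructed placeholders (not real X.509 DER), and the entityID is hypothetical; with a real capture, paste the SAMLResponse form value from SAML-tracer and the metadata XML downloaded from the IdP in their place.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def _normalize_b64(text: str) -> str:
    """Drop whitespace/newlines so a PEM-wrapped and a single-line value compare equal."""
    return "".join(text.split())


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the DER bytes inside the base64 text."""
    der = base64.b64decode(_normalize_b64(b64_cert))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_from_response(saml_response_b64: str) -> list:
    """Step 1: decode the SAMLResponse parameter and return the cert(s) inside each ds:Signature.

    The Response and the Assertion may each carry their own Signature; all are collected.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    certs = []
    for sig in root.iterfind(".//ds:Signature", NS):
        for el in sig.iterfind(".//ds:X509Certificate", NS):
            certs.append(_normalize_b64(el.text or ""))
    return certs


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """Step 2: return certs from KeyDescriptor elements usable for signing.

    A KeyDescriptor without a 'use' attribute applies to both signing and encryption,
    so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(_normalize_b64(el.text or ""))
    return certs


def check_response_against_metadata(saml_response_b64: str, metadata_xml: str) -> dict:
    """Compare the fingerprints; 'match' is True only if every signing cert in the
    response is present in the metadata uploaded to AWS."""
    resp_fps = [cert_fingerprint(c) for c in signing_certs_from_response(saml_response_b64)]
    meta_fps = {cert_fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)}
    return {
        "response": resp_fps,
        "metadata": sorted(meta_fps),
        "match": bool(resp_fps) and all(fp in meta_fps for fp in resp_fps),
    }


# --- constructed sample data (placeholders, not real certificates) ---
NEW_CERT = base64.b64encode(b"constructed placeholder: new IdP signing cert").decode()
OLD_CERT = base64.b64encode(b"constructed placeholder: expired IdP signing cert").decode()
ENC_CERT = base64.b64encode(b"constructed placeholder: encryption-only cert").decode()

# What SAML-tracer would show as the (decoded) SAMLResponse after the IdP rotated its cert.
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {NEW_CERT}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>""".encode()).decode()


def _metadata(signing_cert: str) -> str:
    """Minimal IdP metadata with one signing and one encryption KeyDescriptor (hypothetical entityID)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="urn:example:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{signing_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


STALE_METADATA = _metadata(OLD_CERT)      # what is still uploaded to the AWS SAML provider
UPDATED_METADATA = _metadata(NEW_CERT)    # what it should be after the rotation

if __name__ == "__main__":
    print("stale metadata:  ", check_response_against_metadata(SAMPLE_RESPONSE_B64, STALE_METADATA))
    print("updated metadata:", check_response_against_metadata(SAMPLE_RESPONSE_B64, UPDATED_METADATA))
```

With real input the fingerprint printed for the response certificate can be cross-checked against `openssl x509 -noout -fingerprint -sha256` run on the certificate the IdP publishes. A `match` of False with the current AWS metadata and True with the freshly downloaded IdP metadata points at the same root cause as the answer: the provider in AWS still holds the old signing certificate.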