AWS SSO - "Request nameID format does not match our record"


I'm trying to get a test app working with the AWS single sign-on service. When I hit the SSO login url and enter my credentials, it logs in fine, but then Amazon displays the error:

Request nameID format does not match our record

My request contains:

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />

and the IdP metadata xml that Amazon comes up with for my app has a blank <md:NameIDFormat/> tag. I'm guessing that has something to do with it. However, I'm not seeing anywhere, in the Amazon UI, where the nameIDFormat can be specified.

My questions:

  1. How/where can I specify the nameIDFormat that my AWS SSO app accepts? This is assuming the blank <md:NameIDFormat/> is (part of the) issue. Maybe that has nothing to do with the issue, in which case:
  2. What does the above error message mean?


BEST ANSWER

You can change NameID format at AWS SSO "Applications" page:

  1. Go to AWS SSO->Applications->My App Name
  2. Set ${user:subject} as the attribute value (second column) and select the necessary NameID format in the third column.


Once this is done you can request the corresponding NameID format with the NameIDPolicy tag:

<saml2p:NameIDPolicy 
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

BTW: by using a NameIDPolicy tag, the SP requests a particular NameID format (email, transient, persistent etc.) from the IdP. Your AWS IdP doesn't have a mapping for the requested format and doesn't know what should be returned by default or what is allowed, so it throws the error you see.
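The mismatch the accepted answer describes can be caught before a test login by comparing the Format the SP puts in its NameIDPolicy against the NameIDFormat entries the IdP advertises in its metadata. The script below is an added example written for this page, not code from the question, the answers or AWS; the AuthnRequest and the two IdP metadata documents are constructed samples (entity IDs under example.test are placeholders), the blank-metadata sample models the situation in the question, and the "after mapping" sample models the metadata once a NameID format has been selected for the application. The check mirrors the semantics the answer explains: a request for a specific format only makes sense if the IdP advertises that format; a request for nameid-format:unspecified leaves the choice to the IdP.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces; the question uses the "samlp" prefix and the answer
# uses "saml2p", but both bind to the same URI, which is what matters here.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata modelled on the question: a single blank
# <md:NameIDFormat/> element, i.e. no NameID format mapping configured.
IDP_METADATA_BLANK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed metadata for the same IdP after an emailAddress mapping
# has been selected for the application (assumed shape, for illustration).
IDP_METADATA_EMAIL = IDP_METADATA_BLANK.replace(
    "<md:NameIDFormat/>",
    "<md:NameIDFormat>%s</md:NameIDFormat>" % EMAIL,
)

# Constructed AuthnRequest carrying the NameIDPolicy from the question.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="%s" AllowCreate="true"/>
</samlp:AuthnRequest>
""" % EMAIL


def requested_nameid_format(authn_request_xml):
    """Return the Format attribute of the request's NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("Format")


def advertised_nameid_formats(metadata_xml):
    """Return every md:NameIDFormat value under the IdP's SSO descriptor.

    A blank element comes back as an empty string so the caller can see that
    the IdP published the element but left it empty, as in the question.
    """
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:NameIDFormat"
    return [(el.text or "").strip() for el in root.iterfind(path, NS)]


def check_nameid_policy(authn_request_xml, metadata_xml):
    """Decide whether the SP's NameIDPolicy is satisfiable by the IdP's metadata.

    Returns (ok, reason). A False result is the configuration state in which
    the IdP has no basis for producing the NameID the SP asked for.
    """
    requested = requested_nameid_format(authn_request_xml)
    advertised = [f for f in advertised_nameid_formats(metadata_xml) if f]
    if requested is None or requested == UNSPECIFIED:
        return True, "SP leaves the NameID format to the IdP"
    if not advertised:
        return False, "IdP advertises no NameID format; select one for the application on the IdP side"
    if requested in advertised:
        return True, "requested format %s is advertised by the IdP" % requested
    return False, "requested %s but IdP only advertises: %s" % (requested, ", ".join(advertised))


if __name__ == "__main__":
    for label, metadata in (("blank mapping", IDP_METADATA_BLANK), ("emailAddress mapping", IDP_METADATA_EMAIL)):
        ok, reason = check_nameid_policy(AUTHN_REQUEST, metadata)
        print("%-22s %s: %s" % (label, "OK" if ok else "MISMATCH", reason))
```

Run it against the metadata you download from the IdP and the AuthnRequest your SP actually sends (a SAML tracer capture is a convenient source for the latter); a MISMATCH on the blank-metadata case is the configuration the question describes, and it clears once the application's NameID format has been set on the IdP side.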

ANSWER

I was having the same exact problem, spoke with Twilio's tech support and they put me on a plugin that lets you trace the SAML stuff -> https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch

Once I corrected my issue (nameid-format:unspecified to emailAddress) it worked!
