Unable to set credentials: Root element is missing.

[KezHalls]

Describe the bug

Unable to set credentials: Root element is missing. I get this error when I try to create a connection to AWS.
The account I am using is MFA exempted and access to aws. I had a job logged with AWS and they said I need to log it with you as they cannot find the issue.

Followed all posts
https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html
https://docs.aws.amazon.com/powershell/latest/userguide/saml-pst.html
https://repost.aws/knowledge-center/adfs-grant-ad-access-api-cli#

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

a successful connection to aws is made

Current Behavior

h endpoint to verify role data...
Set-AWSSamlRoleProfile:
Line |
11 | Set-AWSSamlRoleProfile -EndpointName $epName -NetworkCredential $cred …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Unable to set credentials: Root element is missing.

Reproduction Steps

#$credential = New-Object System.Management.Automation.PSCredential($userName, (ConvertTo-SecureString $password -AsPlainText -Force))
$Credential = Get-Credential -Message "Enter the domain credentials for the endpoint"
$endpoint = "https://launcher.myapps.microsoft.com......d"
$epName = Set-AWSSamlEndpoint -Endpoint "$endpoint" -StoreAs 'ADFS-Login' -AuthenticationType NTLM
Set-AWSSamlRoleProfile -EndpointName $epName -NetworkCredential $credential -StoreAs SAMLDemoProfile -Verbose

Possible Solution

No response

Additional Information/Context

No response

AWS Tools for PowerShell version used

AWS.Tools.EC2 3.7.403.1
AWS.Tools.SSO 3.7.400.5
AWS.Tools.SSOOIDC 3.7.400.5

PowerShell version used

Name Value

---

PSVersion 7.2.2
PSEdition Core
GitCommitId 7.2.2
OS Microsoft Windows 10.0.19045
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Operating System and version

windows 10

[ashishdhingra]

@KezHalls Good afternoon. Could you please share the following:

• Complete steps you took for your scenario? Kindly refer below reference
  • New Support for Federated Users in the AWS Tools for Windows PowerShell
  • Configure federated identity with the AWS Tools for PowerShell
• Enable response logging using steps Response Logging in AWS Tools for Windows PowerShell and share the detailed logs.
• Share the complete output while executing Set-AWSSamlRoleProfile with -Verbose parameter.

Just for reference, Set-AWSSamlRoleProfile CmdLet uses SAMLAuthenticationController here. SAMLAuthenticationController.GetSAMLAssertion() tries to parse response here.

Based on shared error line endpoint to verify role data,

• It appears in you case it gets past here and might have failed while calling SAMLAuthenticationController.GetSAMLAssertion().
• • It appears that it throws the error while returning AdfsAuthenticationResponseParser.Parse() which returns SAMLAssertion here (it could be empty assertion).
• In case of empty SAML assertion, it might fail in SAMLAssertion() constructor while calling ExtractRoleData(). It processes it as XmlDocument and while loading, empty string could throw Root element is missing. error.

If you refer How an Identity-Federated User Gets Federated Access to AWS Service APIs, in the 1st step, the client on federated user's computer authenticates against AD FS. If authentication succeeds, AD FS sends the user a SAML assertion. In your use case, SAML assertion might be missing/empty.

Thanks,
Ashish

[KezHalls]

Thankyou for such a thorough response. I think I see what you are saying in terms where the failure maybe occurring.

Unfortunately the response logging is not working... or at least not creating the log file so I am unable to share anything and am having troubleshooting that.

[KezHalls]

I wondered if there is anymore feedback on this. After conversations with MS this method will be the only way we will be able to achieve our goal.

[ashishdhingra]

Thankyou for such a thorough response. I think I see what you are saying in terms where the failure maybe occurring.

Unfortunately the response logging is not working... or at least not creating the log file so I am unable to share anything and am having troubleshooting that.

@KezHalls I'm unsure if you are -Source parameter for Add-AWSLoggingListener MyAWSLogs C:\logsaws.txt. Also note that c:\logsaws.txt is path to log file and it should be writable. This could be any path.

So at high level, we would use below commands:

Add-AWSLoggingListener MyAWSLogs C:\logsaws.txt
Set-AWSResponseLogging Always
Enable-AWSMetricsLogging

Once the logs are collected, we could turn off response logging:

Disable-AWSMetricsLogging
Remove-AWSLoggingListener Amazon MyAWSLog

Additionally, also check How to view a SAML response for troubleshooting.

Thanks,
Ashish

[KezHalls]

Apparently we use the AWS SSO service to handle the role mapping. We don't pass on the role mapping within the SAML assertion which is why this is not working and I won't be able to get it working. Back to the drawing board.
Thanks for the assistance.

[KezHalls]

closing

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.