A company has implemented SAML-based SSO with a third-party identity provider for its AWS accounts. Recently, the identity provider renewed its expired signing certificate, which has caused users to encounter a 'Response Signature Invalid' error when attempting to log in to AWS. This error is reported with the details: 'Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken'. The security engineer is tasked with resolving this issue while ensuring minimal operational impact. Which of the following solutions should the engineer adopt to address this issue effectively?

Exam-Like

Upload the third-party signing certificate’s new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.

20.0%

Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

20.0%

Download the updated SAML metadata file from the identity service provider. Update the file in the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.

40.0%

Configure the AWS identity provider entity defined in AWS Identity and Access Management (IAM) to synchronously fetch the new public key by using the AWS Management Console.

20.0%

AWS Certified Security - Specialty

Get started today

Comments