
AWS Certified Security - Specialty
A company has implemented SAML-based SSO with a third-party identity provider for its AWS accounts. Recently, the identity provider renewed its expired signing certificate, which has caused users to encounter a 'Response Signature Invalid' error when attempting to log in to AWS. This error is reported with the details: 'Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken'. The security engineer is tasked with resolving this issue while ensuring minimal operational impact. Which of the following solutions should the engineer adopt to address this issue effectively?
Explanation:
The correct answer is C. The issue stems from the third-party identity provider renewing its signing certificate: the SAML response is now signed with a certificate that AWS does not have on record, so signature validation fails with 'Response Signature Invalid'. The appropriate solution is to download the updated SAML metadata file from the identity provider and update that file on the existing identity provider entity defined in AWS Identity and Access Management (IAM) using the AWS CLI. This gives AWS IAM the latest metadata and certificate information, correcting the signature validation problem while keeping the provider ARN (and the roles that trust it) unchanged, which minimizes operational overhead.
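The following script is an added example (not part of the exam page or AWS documentation) of that remediation: it lists the certificate currently stored in IAM, inspects the certificate in the freshly downloaded metadata, refuses to upload a metadata file whose certificate is itself already expired, and then updates the existing provider in place. It assumes a configured AWS CLI and openssl; SAML_PROVIDER_ARN and the metadata path are placeholders supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the exam page or AWS): rotate the signing certificate of an
# IAM SAML provider after the IdP renews it. Assumes a configured AWS CLI and openssl;
# SAML_PROVIDER_ARN and the metadata path are placeholders you must supply.
set -eu

# Pull the base64 body of every X509Certificate element out of SAML metadata on stdin.
# Whitespace is stripped first so wrapped base64 comes out as one token per line.
# (Metadata may carry an encryption cert as well as the signing cert; both are listed.)
extract_x509_certs() {
  tr -d '\n\r\t ' \
    | grep -o '<[A-Za-z0-9]*:\{0,1\}X509Certificate>[^<]*' \
    | sed -e 's/^<[^>]*>//'
}

# Wrap one base64 certificate body (argument) as PEM so openssl can read it.
to_pem() {
  echo '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$1" | fold -w 64
  echo '-----END CERTIFICATE-----'
}

# Print expiry date and SHA-256 fingerprint so old and new certs can be compared.
describe_cert() { to_pem "$1" | openssl x509 -noout -enddate -fingerprint -sha256; }

rotate_saml_provider() {   # $1 = path to the metadata file downloaded from the IdP
  new_metadata="$1"
  echo "== certificate(s) currently registered in IAM for $SAML_PROVIDER_ARN"
  for cert in $(aws iam get-saml-provider --saml-provider-arn "$SAML_PROVIDER_ARN" \
                  --query SAMLMetadataDocument --output text | extract_x509_certs); do
    describe_cert "$cert"
  done
  echo "== certificate(s) in $new_metadata"
  new_certs=$(extract_x509_certs < "$new_metadata")
  [ -n "$new_certs" ] || { echo "no X509Certificate found in $new_metadata" >&2; exit 1; }
  for cert in $new_certs; do
    describe_cert "$cert"
    # Refuse to upload metadata whose certificate has already expired: that would
    # reproduce the 'Response Signature Invalid' failure instead of fixing it.
    to_pem "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
      || { echo "certificate in $new_metadata is already expired" >&2; exit 1; }
  done
  # Replace the metadata on the existing IAM provider entity (no delete/re-create,
  # so roles whose trust policy names this provider ARN keep working).
  aws iam update-saml-provider --saml-provider-arn "$SAML_PROVIDER_ARN" \
      --saml-metadata-document "file://$new_metadata"
}

# Runs only when the operator has set the provider ARN (placeholder value shown), e.g.
#   SAML_PROVIDER_ARN=arn:aws:iam::111122223333:saml-provider/ExampleIdP ./rotate.sh idp.xml
if [ -n "${SAML_PROVIDER_ARN:-}" ]; then rotate_saml_provider "${1:?metadata path}"; fi
```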