
I have an AWS Cognito User Pool configured to talk to a SAML IDP and that's working fine; the SAML Assertion from the IDP to

https://XXXX.auth.eu-west-1.amazoncognito.com/saml2/idpresponse

works fine.

A request is then made to target group such as

https://xxxxxx:443/oauth2/idpresponse?code=2f6aab53-ad64....&state=.....

which is based on the settings in Cognito's App Client Settings (via the callback URL), and I am getting an internal server error.

HTTP/2.0 500 Internal Server Error
server: awselb/2.0

I have traced the logs and extracted the salient elements:

ELB Status Code: 500 Actions Executed: Authenticate Lambda Reason Error AuthTokenEpRequestTimeout

I am guessing that the Cognito ALB authenticate process uses Lambda as part of its internal process maybe to build the X-AMZN-OIDC* headers before forwarding to the Target Group.

Our application is not using Lambda, and the Cognito Client App has no triggers enabled (i.e., where you can customize the workflow); we have no customization of the workflow process.

So there seems to be some internal error during the authentication process, and I can't see where this timeout AuthTokenEpRequestTimeout could be fixed.

Anyone have ideas why this issue might happen or pointers to help resolve?

I just want to clarify a little about the AWS setup: the Load Balancer is internet facing. We allow internet traffic on port 443 and port 80. We have no outbound restrictions.

We can see that the SAML assertion is working fine.

Darragh

2 Answers


In my case the issue related to the outbound rules on the Application Load Balancer. I had to ensure that port 443 was allowed in outbound mode.

Darragh
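As an added illustration of the accepted answer (not code from the question or the answers), a small Python check over the JSON that `aws ec2 describe-security-groups` prints, reporting whether each group's egress rules let the ALB open TCP 443 to any IPv4 destination, which is what the authenticate action needs to reach the Cognito token endpoint. The group id and rules below are constructed sample values.

```python
import json
from typing import Any

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group id is a placeholder. Egress deliberately allows only port 80, the
# misconfiguration the accepted answer describes: the ALB's authenticate action
# cannot reach Cognito's token endpoint over HTTPS, so the request times out.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0000000000000000a",
        "GroupName": "alb-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def _rule_covers(rule: dict[str, Any], port: int) -> bool:
    """True if one egress rule permits TCP <port> to every IPv4 destination.

    Cognito endpoint addresses are not fixed, so only a 0.0.0.0/0 range counts.
    """
    any_ipv4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule (e.g. default SG egress)
        return any_ipv4
    if proto != "tcp":
        return False
    in_range = rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)
    return in_range and any_ipv4


def egress_allows_https(describe_json: str) -> dict[str, bool]:
    """Map each security group id to whether its egress rules allow TCP 443 out."""
    groups = json.loads(describe_json)["SecurityGroups"]
    return {g["GroupId"]: any(_rule_covers(r, 443) for r in g.get("IpPermissionsEgress", []))
            for g in groups}


if __name__ == "__main__":
    for sg, ok in egress_allows_https(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{sg}: {'ok' if ok else 'MISSING egress to TCP 443 (AuthTokenEpRequestTimeout risk)'}")
```

Pipe the real CLI output into `egress_allows_https` to check the security group attached to the load balancer; network ACLs are a separate check.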

Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

AWS PS
Security groups allow port 80 and port 443. VPC has internet traffic. No internal LB. Not sure what you are suggesting regarding "outbound access to these endpoints". Our VPC has no outbound restrictions. – Darragh Sep 30 '21 at 20:29