First login to AWS IAM Identity center fails

I am running into an odd issue with the AWS IAM identity center. I have been following this guide to setup Zitadel as IdP for the AWS IAM Identity center:
https://zitadel.com/docs/guides/integrate/services/aws-saml

When I am logging into the AWS Identity Center via the identity center login url (https://d-xxxxxxxx.awsapps.com/start), I get redirected to Zitadel, I log in with my user, after the login I am redirected to an AWS IAM Identity Center error page. With a not very helpful error message:

missingInfoErrorHeading
missingInfoErrorText

missingInfoErrorHeading
missingInfoErrorText

missingInfoErrorHeading
missingInfoErrorText

missingInfoErrorHeading
missingInfoErrorText

Now, the interesting part is:

Just re-opening the login url (https://d-xxxxxxxx.awsapps.com/start) redirects me again but this time successfully logs me in and I am able to to see my AWS accounts and assigned permission sets.

It seems like the initial redirect on a freh login is wrong. Did anyone encounter similar issues?

Here the SAML Metadata file received from AWS, the metadata file is used in the SAML Application in Zitadel

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-central-1.signin.aws.amazon.com/platform/saml/d-xxxxxxxxxx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://eu-central-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-central-1.signin.aws.amazon.com/platform/saml/d-xxxxxxxxxx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://eu-central-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-central-1.signin.aws.amazon.com/platform/saml/d-xxxxxxxxxx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://eu-central-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-central-1.signin.aws.amazon.com/platform/saml/d-xxxxxxxxxx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://eu-central-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

I have attached the SAML IDP configuration in AWS, and the "error message" as screenshots

ZITADEL Docs

This guide shows how to enable login with ZITADEL on AWS SSO.

Ask Inkeep•11/19/25, 2:02 PM

Hi @sebastianhutter, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•11/19/25, 2:03 PM

Answer

Based on your description, the missingInfoErrorHeadingmissingInfoErrorHeading / missingInfoErrorTextmissingInfoErrorText error on first login suggests AWS IAM Identity Center isn't receiving required SAML attributes in the initial response (1) . The second attempt works because ZITADEL has already established a session .

Check your SAML attribute mappings:

AWS IAM Identity Center requires specific SAML attributes to be sent in the assertion . You need to configure ZITADEL to send the required attributes using Actions .

Create an Action that runs on complementSAMLResponsecomplementSAMLResponse to add the necessary AWS attributes :

function saml_assert_meta(ctx, api) {
  const metadata = ctx.v1.user.getMetadata() ;
  
  if (metadata && metadata.metadata) {
    const userMetadata = metadata.metadata;
    for (const metadataItem of userMetadata) {
      if (metadataItem.key && metadataItem.value) {
        api.v1.attributes.setCustomAttribute(
          `<https://aws.amazon.com/SAML/Attributes/AccessControl:$%7BmetadataItem.key%7D%60,>
          'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
          metadataItem.value
        ) ;
      }
    }
  }
}

function saml_assert_meta(ctx, api) {
  const metadata = ctx.v1.user.getMetadata() ;
  
  if (metadata && metadata.metadata) {
    const userMetadata = metadata.metadata;
    for (const metadataItem of userMetadata) {
      if (metadataItem.key && metadataItem.value) {
        api.v1.attributes.setCustomAttribute(
          `<https://aws.amazon.com/SAML/Attributes/AccessControl:$%7BmetadataItem.key%7D%60,>
          'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
          metadataItem.value
        ) ;
      }
    }
  }
}

Ask Inkeep•11/19/25, 2:03 PM

Key steps:

Add metadata fields to your users (e.g., team, costCenter)
Enable ABAC in AWS IAM Identity Center to consume these fields
Create the Action above and configure it to trigger on complementSAMLResponsecomplementSAMLResponse

The Action will inject the required attributes into the SAML response, which should resolve the missing information error on first login .

Additional verification:

Ensure your SAML application in ZITADEL has the correct NameID format set to emailAddressemailAddress to match your AWS metadata (2) . The SAML response must include assertions with user information such as email, first name, and last name .

Ask Inkeep•11/19/25, 2:03 PM

To learn more, see the sources I considered:

[1] How to do SAML assertion with AWS IAM Identity Center
[2] Authenticate users with SAML

Ask Inkeep•11/19/25, 2:03 PM

Feel free to tag @Ask Inkeep with additional questions.