Generic SAML 2.0 app cannot emit AWS Role attributes from group profile attributes (works in AWS Federation app)

Hi Okta Team,

We would like to explain our full use case and request clarification on a limitation we are encountering when using a Generic SAML 2.0 application with AWS.


Background

  • We federate Okta → AWS using SAML

  • We currently use the built-in Amazon Web Services (AWS Federation) application

  • In the AWS Federation app:

    • Group-based AWS role assignment works perfectly

    • Okta dynamically emits
      https://aws.amazon.com/SAML/Attributes/Role

    • Users can assume multiple AWS roles based on group membership


Why we cannot use the AWS Federation app

Our AWS setup requires a region-specific Sign On URL, for example:

https://us-west-2.signin.aws.amazon.com/saml

However:

  • The built-in AWS Federation app does not allow modifying the Sign On URL

  • Because of this limitation, we attempted to use a Generic SAML 2.0 application, where the Sign On URL is configurable


What we tried with the Generic SAML 2.0 app

Configuration

  • Created a group profile attribute:

    awsSamlRole = arn:aws:iam::<account-id>:role/<role-name>,arn:aws:iam::<account-id>:saml-provider/OKTA

  • Group naming pattern:

    r_amzn_*

  • Users assigned to multiple AWS role groups


Approaches tested

We tested all documented and commonly suggested approaches:

  1. Attribute Statements using Okta Expression Language

    • getFilteredGroups()

    • String.join()

  2. Group Attribute Statements

  3. Referencing:

    • group.awsSamlRole

    • Filtered groups via regex / startsWith


Results observed

  • Expressions either fail validation or are not evaluated

  • The resulting SAML assertion:

    • Does not contain valid AWS Role attributes

    • In some cases, expressions are emitted literally as strings, for example:

      String.join(";", getFilteredGroups("startsWith","r_amzn_",100).awsSamlRole)

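As an added diagnostic for the symptoms above (this is not code from the original post, nor from Okta or AWS), the following Python script decodes a base64 SAMLResponse, pulls out every value of the https://aws.amazon.com/SAML/Attributes/Role attribute and checks each one for the roleArn,providerArn shape AWS expects, so a literally emitted expression or a malformed pair is flagged before a user ever tries to sign in. The SAML response it parses is constructed inline for the example; the account IDs, role name, provider name and user are placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Role ARN (with optional path) and SAML provider ARN; the comma is excluded from
# the role-name charset here because it is the pair separator in this attribute.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample SAMLResponse (placeholder account/role/provider/user values):
# one well-formed Role value, plus one value where the Okta expression was emitted
# as a literal string, which is the failure mode described in the post.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/OKTA</saml:AttributeValue>
        <saml:AttributeValue>String.join(";", getFilteredGroups("startsWith","r_amzn_",100).awsSamlRole)</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def extract_role_values(saml_response_b64):
    """Decode a base64 SAMLResponse and return the raw Role attribute values."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values


def check_role_value(value):
    """Return (ok, reason) for one Role attribute value.

    AWS expects exactly one IAM role ARN and one IAM saml-provider ARN separated
    by a comma (either order). Both are expected in the same account, since the
    role's trust policy references that provider.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return False, "expected exactly two comma-separated ARNs"
    roles = [m for m in (ROLE_ARN.match(p) for p in parts) if m]
    providers = [m for m in (PROVIDER_ARN.match(p) for p in parts) if m]
    if len(roles) != 1 or len(providers) != 1:
        return False, "value is not a role ARN / saml-provider ARN pair"
    if roles[0].group(1) != providers[0].group(1):
        return False, "role and provider ARNs belong to different accounts"
    return True, "ok"


def audit_response(saml_response_b64):
    """Return a list of (value, ok, reason) for every Role value in the response."""
    return [(v, *check_role_value(v)) for v in extract_role_values(saml_response_b64)]


if __name__ == "__main__":
    for value, ok, reason in audit_response(SAMPLE_RESPONSE_B64):
        print(("PASS" if ok else "FAIL"), reason, "<-", value)
```

To use it against a real login, capture the SAMLResponse form field from the browser's developer tools (it is already base64) and pass it to audit_response; an assertion that carries the expression text verbatim, or no Role attribute at all, fails the check exactly as the sample does.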

Errors seen in Okta UI

  • Property 'String' not found

  • Property 'join' not found

Key observation

  • This exact group-to-role mapping works correctly in the AWS Federation app

  • The same behavior is not achievable in a Generic SAML 2.0 application

This strongly suggests that:

  • Group profile attributes are not expanded in Generic SAML apps

  • The AWS Federation app likely contains internal, app-specific logic for AWS role handling


What we have already verified

  • AWS IAM role trust policies are correct

  • SAML provider configuration is correct

  • Group assignments and attributes are correct


Questions / Clarification Requested

Given the above, could you please confirm:

  1. Do Generic SAML 2.0 applications support emitting AWS Role attributes
    (https://aws.amazon.com/SAML/Attributes/Role)
    derived from group profile attributes using Okta Expression Language?

  2. If not, is this capability intentionally limited to the built-in AWS Federation application?

  3. Is there any supported way to customize the Sign On URL (region-specific) in the AWS Federation app?

  4. If none of the above are possible today, can you please confirm that using an external broker (for example, Lambda with AssumeRoleWithSAML) is the only supported option for this requirement?

If this is a known limitation, we would also appreciate confirmation on whether this capability is planned or considered for the roadmap.


Thank you for your time and guidance.