I'm doing a proof of concept for federating SAML into Cognito. I've setup Shibboleth v3, and once I finally got the log level set, I can see the SAML being sent back to Cognito, which just redirects to my configured page with ?error_description=Error+in+SAML+response+processing%3A+Invalid+SAML+metadata.+&error=server_error
in the URL. The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell. Here's the SAML I'm seeing in the logs (minus a couple of URLs for anonymization's sake):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
ID="_cc28aebe7ae433f549a7df77e8a2fbaa"
InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp1.example.com:8443/idp/shibboleth
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_cc28aebe7ae433f549a7df77e8a2fbaa">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>3wL9vw0MsEuSGO+0bir/6GQV1FVNQHw4fLgAXteHQK0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LvCSLdm87hWsK480jhv/8JXBciPmGmAeUVxkGpAKUal5omnmpASXflSBHutkRwyPzD6mXMgSk3xL
f0IfWwspbA3ixmbbeEwQciel+2Y4WxwPpWreV1aLHMLYSj8x8ZdiDSioczMwRpQSqVo6RCX98ayo
riTBwTaoIQTHcE6xdDb98zDVCL+tCvrgkT3fhl0Z9HBxDvdy/YyrEuv0QVTj9SHiTI6heY5AhvA8
3qCAaGdbsNc0jqvy6AUAp1VBy8QJGpWMvChXJnO8srUEKkVBhGRfScCaO2uDcpa90zAlSuD1B7Q7
vVVrahRCB2lJHEmAyM2XeNNwN+DbyFU2Lcz4Kg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDVDCCAjygAwIBAgIUIBWSFzIstjdAx2yVXLC40xKOIYAwDQYJKoZIhvcNAQELBQAwJzElMCMG
A1UEAwwcaXAtMTAtMjAzLTEwLTkxLmVjMi5pbnRlcm5hbDAeFw0xOTA2MDQyMTU1MDhaFw0zOTA2
MDQyMTU1MDhaMCcxJTAjBgNVBAMMHGlwLTEwLTIwMy0xMC05MS5lYzIuaW50ZXJuYWwwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaaLJ5lqB8eWuIiKPhDVsxOBncTnVS7wjjQOJ6pkSJ
El8G1MnMIb5xaQBv9luwq88+EcmWIZDzt4Yj326tmz4lwweWa4VI3iVfk6eZl7Zpwlcj57dtvA8B
MhcmbqX56Kb3pmTLf4VAI8hPoHdmKNYFapy+uM4b6ubvLx1NxlzgWfZ3o0ZrTuOpNpFgXJB+FGMS
au4lOCvOVchU7ymch2qwP/iFSUnNcviL9k/M4tSIkbf+Tb9o9SQrJhwcBMdQDfsLKnDhEtvovX12
H70smzVCg/H3AVUE+Qne5Cget90xKKRtQcSV2Q4jIS0mRGc5XVEQEiVzOLvx6DyLXUs926JxAgMB
AAGjeDB2MB0GA1UdDgQWBBT0+FXPDXOe+gtZsNA+dnzPvJysWzBVBgNVHREETjBMghxpcC0xMC0y
MDMtMTAtOTEuZWMyLmludGVybmFshixodHRwczovL2lkcDEuZXhhbXBsZS5jb206ODQ0My9pZHAv
c2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAaM1kS0CoKBy4l1wRihbvsfX78FCmKk4woWEk
a0st/c42ntf7nU8b/4C6SV9Jl7rhij18um6tF6dv+pVsH5KrDQbdH3xwF24ekDqosEaHSxcmY79k
1TePd00xH8/udeKRFc+78LnkygnzulZZ748XKj9/ehUkfbrhWhGP3333Nruj5Ptlv7d4upCxtQ+g
dYmHIzFt26MHR5jxcwYWPd/4M1ElakevscWOBjKTpScOnMYOikzyZpS+p7hD5/z4OfKv6AWLPdek
eWVXGlZhRKhtp15tRrUpQucZFMh+YNOm9IlBRBeh5Qw4KQgg1KvkNy1+iA9vfptn+f2CtPhF+cxx
3Q==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_4df74e3ced3d853e5a0c329e0f7c83cb"
IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://idp1.example.com:8443/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp1.example.com:8443/idp/shibboleth" SPNameQualifier="urn:amazon:cognito:sp:us-east-1_MyLIE83bf">AAdzZWNyZXQxrczu0aLzz4zQafYgy5VN8rTutrL827I6iPTAGPVAGJlJKAcQIHAdkWP1uqtsYqAccnsy0GPpTNx8GgTudWw6Q5ovEh/zSlYq+A/eExrAuT5sJlatEGua7boJDq63t1fESo4qOmz3uW+Pbik=
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.203.10.25"
InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
NotOnOrAfter="2019-06-10T18:05:23.730Z" Recipient="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-10T18:00:23.314Z" NotOnOrAfter="2019-06-10T18:05:23.314Z">
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:cognito:sp:us-east-1_MyLIE83bf</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-10T18:00:12.508Z" SessionIndex="_c1e143fa5c01b3642d1ce4573bfe9465">
<saml2:SubjectLocality Address="10.203.10.25"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>bob@example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">arn:aws:iam::{ACCOUNT}:role/FederationWorkshop-ReadOnly,arn:aws:iam::{ACCOUNT}:saml-provider/idp1 </saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Is there something simple I'm missing (the intricacies of SAML and SSO are definitely not my wheelhouse at this point in time).
Question: "Why is Cognito rejecting my SAML assertion?"
Quick Response:
Your SAML assertion does NOT carry/deliver all the attributes required by Cognito (see the detailed answer and resolution below).
Question: "The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell."
Answer:
Your SAML response indicates that your attribute mapping is NOT set correctly.
(1) Attribute "RoleSessionName" carried by your Shibboleth IdP v3 SAML response to Cognito is NOT required by Cognito.
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>
The correct attribute "RoleSessionName" carried by Shibboleth IdP v3 SAML response to Cognito should be your E-mail address "bob@example.com" instead of your given name "bob".
<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob@example.com</saml2:AttributeValue> </saml2:Attribute>
(2) Resolution:(minor revision may be required depending on your data repository such as LDAP)
Add attribute resolution
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Simple" sourceAttributeID="employeeType">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role"
friendlyName="Role" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>
into "attribute-resolver-full.xml" or "attribute-resolver.xml" (depending on your Shibboleth IdP configuration). Shibboleth IdP Attribute Resolver Example.
Note that OpenLDAP attribute "employeeType" is used to carry the role of Amazon AWS. Your data store/repository may use different attribute to carry the role of Amazon AWS.
(I) The following OpenLDAP attributes have been mapped with AWS configuration through AWS administration console.
mail: winston.hong@example.com
employeeType: arn:aws:iam::{ACCOUNT}:role/shibbolethidp,arn:aws:iam::{ACCOUNT}:saml-provider/Shibboleth-IdP
(II) Important Remarks on Role
OpenLDAP attribute "employeeType" is Role in my validation experiment with AWS console.
The following selected configuration steps (performed through AWS administration console) ensure that OpenLDAP attribute "employeeType" is mapped with your AWS configuration setting "Role":
(II.a) Log in to Amazon AWS Management Console
......
(II.b) On the Identity providers screen, click Create Provider.
On the Configure Provider screen,
Select SAML from the drop-down list of Provider Type,
Input Provider Name of Shibboleth identity provider (e.g., Shibboleth-IdP, which will be converted by AWS into arn:aws:iam::{ACCOUNT}:saml-provider/Shibboleth-IdP).
Click Choose File of Metadata Document to upload the SAML IdP metadata file (e.g., shibboleth-saml-idp.xml) of Shibboleth identity provider,
Click Next Step.
......
(II.c) On the Select type of trusted entity screen,
Select SAML 2.0 federation,
Select Shibboleth-IdP identity provider from the drop-down list of SAML provider,
Select Allow programmatic and AWS Management Console access,
Keep the auto-selected Attribute and the default Value of AWS SAML login URL unchanged,
Click Next: Permissions.
......
(II.d) On the Review role screen,
Input Role name (e.g., shibbolethidp, which will be converted by AWS into arn:aws:iam::{ACCOUNT}:role/shibbolethidp)
Input Role description (e.g., SAML SSO provided by Shibboleth IdP),
Click Create role.
(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container.
Note that I have logged in to Amazon AWS account ("my-aws-id", e.g., 123456789012) with username "winston.hong@example.com" successfully using Shibboleth IdP running with Docker Container with the 9th commit.
By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("my-aws-id", e.g., 123456789012) with your username (such as "winston.hong@your-company.com") federated by Shibboleth IdP..
(IV) My SAML response for successful login to AWS is provided below for your reference.
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
(3) Amazon AWS provides the configuration guide How to Use Shibboleth for Single Sign-On to the AWS Management Console.
Shibboleth provides the configuration guide Shibboleth IdP with Amazon Cognito
(4) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
(I) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(II) I have validated Shibboleth IdP with Amazon AWS Management Console with reference to How to Use Shibboleth for Single Sign-On to the AWS Management Console
(III) We developed our former version of Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications.
We developed our current version of Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.
Another StackOverflow question "Setting up a new Shibboleth IdP to work with an existing SAML SP" provides valuable information and discussions on Shibboleth SAML configuration.