iam: SamlConsolePrincipal does not work in aws.amazon.com-regions

[tonnico]

Describe the bug

With #24034 the default SAML:aud changed from aws.amazon.com to "Ref": "AWS::URLSuffix" which is resolves to amazonaws.com.

Expected Behavior

When not in china, it should resolves to aws.amazon.com.

Current Behavior

it is "Ref": "AWS::URLSuffix", which resolves to amazonaws.com.

Reproduction Steps

install 2.65.0
create an iam.SamlConsolePrincipal

Possible Solution

https://github.com/zorrofox/aws-cdk/blob/f8fe1d292feb3fc39a99687bf454a829302c4ff5/packages/%40aws-cdk/aws-iam/lib/principals.ts#L740

      StringEquals: {
-        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
+        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.aws.amazon.com/saml`, 
      },

Additional Information/Context

No response

CDK CLI Version

2.65.0

Framework Version

No response

Node.js Version

OS

Language

Python

Language Version

No response

Other information

No response

[tonnico]

Here is the list of all possible endpoints: https://docs.aws.amazon.com/general/latest/gr/signin-service.html

I'm wondering, that i did not find amazonaws.cn in this list as in #24034 introduced.
Little bit hidden: https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

[pahud]

Yes I think you are right.

According to the doc, urlsuffix is typically amazonaws.com in non-china AWS commercial regions while aws.amazon.com should be use instead here.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.