Users in the registered domain work fine. Users in a sub-domain are unable to access the SES console. A user account was created, but after authentication a 400 error is shown.
Example: mydomain.com users work. sub.mydomain.com users cannot access the console.
Release: 14.3x
Each domain needs its own IDP (Identity Provider) in order to access the console.
Contact Support to have a new IDP created for each sub-domain that requires users to access the console. Support will need the metadata from the provider. A link to it should be available in the SAML configuration section of the provider.
Once the metadata has been provided and an IDP has been created, you will be given two URLs to configure within the SAML configuration of your provider. For example: