Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

IAM Identity Center - "message":"No access" with users from Active Directory

0

I'm getting a "no access" response when I try to access to an account using SSO portal. I've configured AD directory with AD Connector and synced groups. I can login in web and aws cli, see the configured accounts and permissions sets but when I try to access I'm always getting this response:

'{"message":"No access","__type":"com.amazonaws.switchboard.portal#ForbiddenException"}'

Same response from web and aws cli. I tried to roll back to Identity Center directory (local users and groups) and with local users it's working fine. Only fails with AD users. I've checked SSO roles and identity providers are correctly created on every managed account.

Any idea about what is happening?

Thanks and regards, Guillem

Themen
Sicherheit, Identität & Konformität
Tags
AWS Identity and Access ManagementAWS Directory ServiceAWS IAM Identitätszentrum
Sprache
English
rePost-User-3199548
gefragt vor einem Jahr1100 Aufrufe
1 Antwort
1
Akzeptierte Antwort

SOLVED. As commented in https://repost.aws/questions/QUAqB5ERupRE2GY9RcUSA2zQ/problem-with-sso, a mail attribute it's needed for SAML assertions. In my case, mail was empty in our AD. I've mapped userPrincipalName to emails[?primary].value and then it worked.

rePost-User-3199548
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt