
How do I troubleshoot IAM Identity Center SSO login failures?


I want to troubleshoot AWS IAM Identity Center single sign-on (SSO) login failures.

Resolution

IAM Identity Center login failures can occur for several reasons. Use the following sections to troubleshoot your issue.

Resolve the "It's not you, it is us" error message

If you incorrectly set up your IAM Identity Center instance or the external identity provider (IdP), then you receive the following error message:

"It's not you, it is us"

Make sure that you have the correct IdP certificate in IAM Identity Center and the correct NameID format in the IdP metadata file. Expired AD Connector service account credentials or time synchronization issues on the device that you use to sign in also cause the "It's not you" error message.

To resolve this error, complete the following steps:

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose Settings.
  3. Choose the Identity source tab.
  4. Choose Actions, then choose Manage Authentication.
  5. Verify that the IdP certificate in IAM Identity Center matches the certificate from your external IdP. If the certificates don't match, then import the new certificate from your IdP.
  6. Confirm that the NameID format in your IdP metadata file is set to the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress value.
  7. If you use AWS Directory Service AD Connector as your identity source, then verify that the AD Connector service account credentials are current and haven't expired. To update the credentials, see Updating your AD Connector service account credentials in AWS Management Console.
  8. Review your external IdP logs, for example the Okta System Log or the Microsoft Entra ID sign-in logs, to identify specific authentication failures or SAML assertion errors that might explain the login failure.

Note: To resolve time synchronization issues, set the date and time on your device to update automatically. If automatic updates are not available, then sync your device time to a known Network Time Protocol (NTP) server such as time.gov on the NIST website.
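The certificate and NameID-format checks in steps 5 and 6 can be run against the IdP metadata file instead of by eye. The following Python script is an added example, not code from this article or from any AWS tool. It assumes you have downloaded the IdP metadata XML and have the SHA-256 fingerprint of the certificate currently held in IAM Identity Center (for example from `openssl x509 -noout -fingerprint -sha256` on the certificate you download from the Manage authentication page). The embedded metadata is constructed, and its certificate body is filler bytes rather than a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The NameID format IAM Identity Center expects from an external IdP.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata. The X509Certificate body is filler bytes, not a real
# certificate; the checks below only fingerprint the bytes and never parse X.509.
# It deliberately advertises the wrong NameID format so that the check fires.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQFBgcICQoLDA0ODw==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_cert_fingerprints(metadata_xml: str) -> List[str]:
    """SHA-256 fingerprints (upper-case hex, colon separated) of every signing certificate."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fingerprints


def nameid_formats(metadata_xml: str) -> List[str]:
    """Every NameIDFormat the IdP advertises on its SSO descriptor."""
    root = ET.fromstring(metadata_xml)
    return [(e.text or "").strip() for e in root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)]


def check_metadata(metadata_xml: str, identity_center_fingerprint: str) -> List[str]:
    """Compare the metadata with what IAM Identity Center holds; an empty list means both checks passed."""
    findings = []
    fps = signing_cert_fingerprints(metadata_xml)
    if identity_center_fingerprint.upper() not in fps:
        findings.append(
            f"certificate mismatch: metadata signing certs {fps}, "
            f"IAM Identity Center has {identity_center_fingerprint}"
        )
    formats = nameid_formats(metadata_xml)
    if EXPECTED_NAMEID_FORMAT not in formats:
        findings.append(f"NameID format mismatch: metadata advertises {formats}, expected {EXPECTED_NAMEID_FORMAT}")
    return findings


if __name__ == "__main__":
    # Pretend IAM Identity Center holds the same certificate, so only the NameID finding remains.
    current = signing_cert_fingerprints(SAMPLE_METADATA)[0]
    for finding in check_metadata(SAMPLE_METADATA, current) or ["metadata matches"]:
        print(finding)
```

Replace `SAMPLE_METADATA` with the file contents from your IdP and pass the fingerprint you obtained from IAM Identity Center. A certificate finding means step 5 applies (import the new certificate); a format finding means step 6 applies.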

Resolve the "An unexpected error has occurred" error message when you sign in with an external IdP

If you sign in with an external IdP and the SAML configuration is incorrectly configured, you might receive the following error:

"An unexpected error has occurred"

Note: This error can also appear for other SAML validation failures, such as invalid assertions, expired responses, or signature issues.

To resolve this error, complete the following steps:

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose Users.
  3. Select the affected user, and then confirm that the user has the Active status.
  4. Verify that the SAML nameID value sent by your IdP exactly matches the case-sensitive username in IAM Identity Center. The match is based on username, not email address.
  5. Confirm that the ACS URL configured in your external IdP matches the ACS URL provided by your IAM Identity Center instance. To find the IAM Identity Center ACS URL, choose Settings, then choose the Identity source tab.
  6. To further investigate the failure, open the CloudTrail console and filter events by the event name ExternalIdPDirectoryLogin.

Resolve the "An unexpected error has occurred" error when you register or sign in with an authenticator app

Time-based one-time password (TOTP) systems require time synchronization between the client and the server. If you register or sign in with an authenticator app and the time on the device is out of sync with the server, you might receive the following error message:

"An unexpected error has occurred"

To resolve this error, complete the following steps:

  1. On the device that you installed your authenticator app, open the date and time settings.
  2. Set the date and time to update automatically.
  3. If automatic updates aren't available, then manually set the time to match a reliable time source, such as time.gov on the NIST website or your local NTP equivalent.
  4. After you sync the time, retry the sign-in or registration.
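To see why the device clock matters, here is an added Python example (not code from this article or from AWS) that implements the RFC 6238 TOTP algorithm an authenticator app runs, then verifies codes the way a server that tolerates one 30-second step of drift would. It assumes HMAC-SHA1, 30-second steps and a one-step tolerance window, which are the RFC defaults; a real service chooses its own window, so treat the exact cut-off as an illustration only.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, server_time: int, step: int = 30, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or for up to skew_steps steps on either side."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, server_time + delta * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return True
    return False


def device_code_accepted(secret: bytes, clock_offset_seconds: int, server_time: int) -> bool:
    """Simulate a device whose clock is off by clock_offset_seconds and have the server verify its code."""
    device_code = totp(secret, server_time + clock_offset_seconds)
    return verify_totp(secret, device_code, server_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test-vector secret, constructed input
    now = int(time.time())
    for offset in (0, 20, 90, 300, -300):
        accepted = device_code_accepted(secret, offset, now)
        print(f"device clock off by {offset:+5d}s -> code accepted: {accepted}")
```

A device that is a few seconds off still produces a code inside the tolerance window; a device that is minutes off produces a code for a step the server will never compute, which the server cannot distinguish from a wrong code, hence the generic error. Syncing the clock, as in the steps above, is the only fix on the client side.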

Resolve an invalid MFA credentials error

If you receive an invalid multi-factor authentication (MFA) credentials error, then you have a provisioning issue. Make sure that the user account from the external IdP is fully provisioned to IAM Identity Center by the SCIM protocol.

To resolve this error, complete the following steps:

  1. Check the provisioning logs in your external IdP to confirm that the user account was successfully provisioned to IAM Identity Center.
  2. Confirm that the user account from the external IdP is fully provisioned to IAM Identity Center by the System for Cross-domain Identity Management (SCIM) protocol.
  3. After provisioning completes, ask the user to retry the sign-in.

Note: If you use an external IdP as your identity source, then MFA is managed by the external IdP, not by IAM Identity Center. Configure MFA settings in your external IdP.

Verify user assignment and permission sets

If you can sign in to IAM Identity Center but can't access your assigned AWS accounts, then the user or group assignment to the permission set is incorrect.

To verify user assignment, complete the following steps:

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose AWS accounts.
  3. Select the AWS account that the user needs to access.
  4. Choose the Users and groups tab.
  5. Confirm that the user or the user's group appears in the list with the correct permission set assigned.
    Note: If the user isn't assigned to the group, then choose Assign users or groups and configure access to the AWS account.

Debug SAML assertion issues

Important: This resolution works on Windows 10 with Firefox, Chrome, and Edge. Other browser configurations and operating systems may not support this procedure.

If you receive login errors that suggest SAML configuration issues, such as 'Invalid SAML response' or 'Assertion validation failed', then you can view the SAML assertion details directly from the AWS access portal to identify the specific problem.

To view SAML assertion details in the IAM Identity Center AWS access portal, complete the following steps:

  1. Sign in to your AWS access portal.
  2. Right-click the application tile, then choose View SAML Response from the context menu.
  3. Review the information on the You are now in administrator mode page.
  4. Choose Copy XML to save the assertion details for review.
  5. Verify that the assertion contains the correct NameID format, NameID value, and a valid certificate signature.
  6. Choose Send to in order to continue sending the assertion to the service provider.
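The NameID and ACS URL checks from the external-IdP section earlier in this article, and the assertion review in step 5 above, can be applied to the XML copied in step 4. The following Python script is an added example, not code from this article or from AWS. It parses a SAML Response, reports a NameID format mismatch or an inexact (case-sensitive) NameID value against the IAM Identity Center username, compares the Response's Destination with the ACS URL, checks the Conditions window against a supplied time, and notes whether a Signature element is present at all. It does not verify the XML signature itself; that needs an XML-DSig library and the IdP certificate. The embedded response, username, issuer and ACS URL are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder for the ACS URL shown on the Identity source tab.
SAMPLE_ACS_URL = "https://acs.example.invalid/saml/acs"

# Constructed sample response. The Signature element is only a presence marker;
# it carries no real signature value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://acs.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form; this handles the common whole-second variant."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text: str, identity_center_username: str, acs_url: str, now: datetime) -> List[str]:
    """Findings that explain why IAM Identity Center might reject this response; empty means none found."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} does not match ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element in the response"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        findings.append("assertion has no Subject/NameID")
    else:
        if nameid.get("Format") != EMAIL_FORMAT:
            findings.append(f"NameID format is {nameid.get('Format')!r}, expected {EMAIL_FORMAT!r}")
        value = (nameid.text or "").strip()
        if value != identity_center_username:
            # The match is exact and case-sensitive; flag the case-only variant because it is the usual culprit.
            hint = " (differs only by case)" if value.lower() == identity_center_username.lower() else ""
            findings.append(f"NameID {value!r} does not exactly match username {identity_center_username!r}{hint}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append(f"assertion not yet valid: NotBefore={not_before}")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            findings.append(f"assertion expired: NotOnOrAfter={not_on_or_after}")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        findings.append("neither the Response nor the Assertion carries a Signature element")
    return findings


if __name__ == "__main__":
    now = parse_saml_time("2024-05-01T12:01:00Z")
    for username in ("Jane.Doe@example.com", "jane.doe@example.com"):
        print(username, "->", check_saml_response(SAMPLE_RESPONSE, username, SAMPLE_ACS_URL, now) or ["no findings"])
```

Paste the copied XML in place of `SAMPLE_RESPONSE`, pass the exact username from the Users page and the ACS URL from the Identity source tab, and use the time of the failed attempt for `now`. A Conditions finding on an otherwise correct response points back at clock skew between the IdP and the device.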

Check CloudTrail logs for sign-in failures

CloudTrail logs sign-in events for IAM Identity Center. To identify the root cause of sign-in failures, review your logs.

To review your CloudTrail logs, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
    Note: Event history shows only the past 90 days of CloudTrail logs.
  3. In the Lookup attributes dropdown list, choose Event source.
  4. Enter sso.amazonaws.com or signin.amazonaws.com in the search field.
  5. Review events with the following names to identify failures:
    UserAuthentication
    ExternalIdPDirectoryLogin
    CredentialChallenge
    CredentialVerification
  6. Select an event, and then review the ErrorMessage field in the event details to identify the specific failure reason.
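Steps 3 to 6 can be scripted so that every failure in the 90-day window is listed at once. The following Python is an added example, not code from this article or from AWS. It assumes records in the shape the boto3 `lookup_events` API returns (each item in `Events[]` carries the raw record as a JSON string in `CloudTrailEvent`, where the field the console labels ErrorMessage is the `errorMessage` key), and that the region you pass is the one where your IAM Identity Center instance runs. The sample records and their error strings are constructed; the live lookup function needs boto3 and AWS credentials and is not run offline.

```python
import json
from typing import Dict, Iterable, Iterator, List, Optional

# Event names this article calls out for IAM Identity Center sign-in troubleshooting.
SIGNIN_EVENT_NAMES = {
    "UserAuthentication",
    "ExternalIdPDirectoryLogin",
    "CredentialChallenge",
    "CredentialVerification",
}


def _record(name: str, event_time: str, ip: str, error: Optional[str] = None) -> Dict:
    """Build one constructed lookup_events item; CloudTrailEvent is a JSON string, as in the real API."""
    body = {
        "eventVersion": "1.08",
        "eventSource": "sso.amazonaws.com",
        "eventName": name,
        "eventTime": event_time,
        "sourceIPAddress": ip,
    }
    if error:
        body["errorMessage"] = error
    return {"EventName": name, "EventSource": "sso.amazonaws.com", "CloudTrailEvent": json.dumps(body)}


# Constructed sample records: two failures, one success, one event that is not sign-in related.
SAMPLE_EVENTS = [
    _record("CredentialVerification", "2024-05-01T12:02:41Z", "203.0.113.11", "constructed: MFA check failed"),
    _record("ExternalIdPDirectoryLogin", "2024-05-01T12:00:05Z", "203.0.113.10", "constructed: NameID not found"),
    _record("UserAuthentication", "2024-05-01T12:03:00Z", "203.0.113.12"),
    _record("ListInstances", "2024-05-01T12:04:00Z", "203.0.113.13"),
]


def summarize_signin_failures(events: Iterable[Dict]) -> List[Dict]:
    """One summary per sign-in-related event that carries an errorMessage, oldest first."""
    failures = []
    for item in events:
        if item.get("EventName") not in SIGNIN_EVENT_NAMES:
            continue
        record = json.loads(item["CloudTrailEvent"])
        error = record.get("errorMessage")
        if not error:
            continue                              # successful attempt, nothing to explain
        failures.append({
            "time": record.get("eventTime"),
            "event": record.get("eventName"),
            "source_ip": record.get("sourceIPAddress"),
            "error": error,
        })
    return sorted(failures, key=lambda f: f["time"])


def failures_by_event(failures: Iterable[Dict]) -> Dict[str, int]:
    """Count failures per event name, which shows at which stage sign-in breaks."""
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f["event"]] = counts.get(f["event"], 0) + 1
    return counts


def lookup_signin_events(region: str, event_source: str = "sso.amazonaws.com") -> Iterator[Dict]:
    """Live lookup (not run offline): pages through Event history, which keeps only the past 90 days."""
    import boto3                                  # assumption: boto3 and credentials are available
    client = boto3.client("cloudtrail", region_name=region)
    paginator = client.get_paginator("lookup_events")
    pages = paginator.paginate(
        LookupAttributes=[{"AttributeKey": "EventSource", "AttributeValue": event_source}]
    )
    for page in pages:
        yield from page["Events"]


if __name__ == "__main__":
    failures = summarize_signin_failures(SAMPLE_EVENTS)
    for f in failures:
        print(f"{f['time']}  {f['event']:<26} {f['source_ip']:<15} {f['error']}")
    print(failures_by_event(failures))
```

For a live run, replace `SAMPLE_EVENTS` with `lookup_signin_events("<region>")`; repeat with `event_source="signin.amazonaws.com"` to cover the second event source named in step 4. Failures concentrated in `ExternalIdPDirectoryLogin` point at the SAML configuration sections above, while failures in `CredentialVerification` point at the MFA and provisioning sections.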

Related information

Troubleshooting IAM Identity Center issues

How to connect to an external identity provider

Using SAML and SCIM identity federation with external identity providers

Troubleshooting AWS account sign-in issues

AWS OFFICIAL. Updated 2 months ago.