Getting 403 on SSO through identity center

0

Hello Builders,

I am getting the error below from Okta SSO for AWS. I can see my users in Identity Center from Okta, I have assigned them the AdministratorAccess permission set, and I can see that under the hood it has created an IAM role.

Could anyone advise what might be missing?

403 ERROR The request could not be satisfied. This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

Generated by cloudfront (CloudFront) Request ID: KJRxmtyoghlO6tfelFHmqiOQgtlrnHcyGy1eSfwL9NAxPzDwOwV1Jg==

Rishi
asked 7 months ago, 499 views
2 Answers
1
Accepted Answer

This error can be encountered when the ACS URL of AWS SSO is incorrect on the Identity Provider end. Hence, in order to fix the issue, you need to correct the ACS URL on the IdP end.

To fix the issue, please follow the steps below:

  1. Find the ACS URL in AWS IAM Identity Center.
  • You can find this field by navigating to AWS IAM Identity Center >> Settings >> under the Identity Source section click 'Actions' >> Manage Authentication.
  • Copy the 'IAM Identity Center Assertion Consumer Service (ACS) URL'.

[+] https://catalog.workshops.aws/iam-identity-center/en-US/workshop/4-extracredits/4-externalidp-okta#configurechange-the-identity-source-in-identity-center

  2. Open the AWS IAM Identity Center application in Okta and put the ACS value under 'Reply URL (Assertion Consumer Service URL)'.

[+] https://catalog.workshops.aws/iam-identity-center/en-US/workshop/4-extracredits/4-externalidp-okta#configure-okta-iam-identity-center-sign-on-configuration

AWS
answered 7 months ago
  • Thanks, that does seem to make some changes. After making the above changes, the 403 error is gone, but now I am getting:

    It's not you, it's us We couldn't complete your request right now. Please try again later.
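As an added example (not part of this thread and not AWS or Okta tooling), the following Python script checks the IdP-side SAML app settings against the SP metadata that IAM Identity Center publishes: the Okta Reply URL must equal the HTTP-POST AssertionConsumerService Location, and the Audience URI must equal the SP entityID. The SAML HTTP-POST binding delivers the SAMLResponse with a POST, so a Reply URL that points anywhere other than the ACS endpoint, for instance at a page that is only served for cacheable GET/HEAD requests, produces exactly the kind of 403 quoted in the question. The metadata below is constructed in the shape Identity Center publishes; the region, directory id and ACS id are placeholders, and `parse_sp_metadata`, `check_idp_app` and the input dict keys are hypothetical names for this example.

```python
"""Compare an IdP SAML app configuration with AWS IAM Identity Center SP metadata.

Added example for the re:Post thread above; not code from AWS, Okta or the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape Identity Center publishes (download it from
# Settings >> Identity source >> Actions >> Manage authentication). The region,
# directory id (d-0000000000) and ACS id are placeholders, not real identifiers.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/d-0000000000">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/00000000-0000-0000-0000-000000000000"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the entityID and the HTTP-POST ACS URL from SP metadata."""
    root = ET.fromstring(xml_text)
    acs_url = None
    # Only the HTTP-POST binding matters: that is how the IdP delivers the assertion.
    for svc in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if svc.get("Binding") == HTTP_POST:
            acs_url = svc.get("Location")
            break
    return {"entity_id": root.get("entityID"), "acs_url": acs_url}


def check_idp_app(sp, idp_app):
    """Return a list of problems with the IdP app settings; an empty list means consistent.

    idp_app is a hypothetical dict mirroring the Okta app fields:
      reply_url     -> 'Reply URL (Assertion Consumer Service URL)'
      audience_uri  -> 'Audience URI (SP Entity ID)'
    """
    problems = []
    if sp["acs_url"] is None:
        problems.append("SP metadata has no HTTP-POST AssertionConsumerService")
        return problems

    reply_url = idp_app.get("reply_url", "")
    if reply_url != sp["acs_url"]:
        # This is the misconfiguration behind the 403: the SAMLResponse is POSTed
        # to a URL that is not the ACS endpoint.
        problems.append(f"Reply URL {reply_url!r} does not match SP ACS URL {sp['acs_url']!r}")
    if urlparse(reply_url).scheme != "https":
        problems.append("Reply URL must use https")

    audience = idp_app.get("audience_uri", "")
    if audience != sp["entity_id"]:
        # Wrong audience passes the 403 stage but the assertion is rejected later.
        problems.append(f"Audience URI {audience!r} does not match SP entityID {sp['entity_id']!r}")
    return problems


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    # Constructed IdP app settings: the Reply URL was set to the access portal URL
    # (placeholder hostname) instead of the ACS URL.
    misconfigured = {
        "reply_url": "https://d-0000000000.awsapps.com/start",
        "audience_uri": sp["entity_id"],
    }
    for problem in check_idp_app(sp, misconfigured) or ["OK: IdP app matches SP metadata"]:
        print(problem)
```

Run it against the real metadata file and the values copied from the Okta app's Sign On tab; any line printed other than "OK" is a setting to fix on the IdP side before retrying the login.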

0

Hello,

From the error, it seems the distribution's viewer protocol policy is not configured for HTTP and HTTPS. If an HTTP request is sent to a distribution with a Viewer Protocol Policy setting of HTTPS only, the request can return a 403 error.

Can you please check your settings accordingly and see if HTTP is enabled?

Open the Amazon CloudFront console.

  1. Select the distribution that's returning the 403 error.
  2. Select the Behaviors tab.
  3. Select the behavior that matches the request. Then, choose Edit.
  4. For Viewer Protocol Policy, choose either HTTP and HTTPS or Redirect HTTP to HTTPS.
     Note: HTTP and HTTPS allows connections on both HTTP and HTTPS. Redirect HTTP to HTTPS automatically redirects HTTP requests to HTTPS.
  5. Save Changes.
AWS
answered 7 months ago
  • Hello, thanks for your time, but I don't have CloudFront. This is an Okta SSO, so when I log in to my Okta dashboard and choose to log in to the AWS console from the Okta app, SSO throws this error.

  • I deleted the Identity Center and the Okta app and created both again; it seems there was metadata somewhere which was causing the issue, but the above steps are clearly right, thanks.

  • Thanks Rishi, if the steps helped can you please upvote or accept the answer? That will help the community as well.
