Problem with SSO

4

Even with all the configuration done correctly in SSO, it is not possible to access the console.

Oops, something went wrong Provide your administrator with the following info: No access Request ID: 5e5e705c-ee95-47e2-93f0-6d53ea9d56b3 HTTP status: 403

Can you help us?

Thank You

asked 2 years ago, 6173 views
2 Answers
5

I had the same problem. I am using Active Directory, but my solution below may have some generality to other IdP as well.

It seems that the AD user must have an email address set in the AD profile (on the Windows side). That email address is mapped (by the default mapping as can be seen pre-populated in AWS Console) to AWS SSO's user profile (as the Primary email field) and is used to compose the Federated Username in an AWS login session, e.g., AWSReservedSSO_ViewOnlyAccess_ee422b93fe9f787c/alice2@example.com.

Now for a real production AD configuration, in all likelihood every user's profile already has the email field populated. But that's not a mandatory field from AD's point of view. So, when you create a demo user, you might have neglected to populate that field. That's what happened to me.

So, populate that field in AD, and wait (for a non-deterministic amount of time -- why can't we have a "sync now" button?!) for AWS SSO to sync from AD. Here you'd encounter the next quirk... AWS SSO either doesn't seem to override the previously synced email address on the AWS side, or maybe I ran out of patience waiting for (again, a non-deterministic amount of time :) the next sync cycle. My hack is to delete the SSO user on the AWS side and wait (you guessed it, for a non-deterministic amount of time :):) for SSO to re-create that user during the next sync cycle.

Anyway, look into the SSO user profile (on the AWS side) to ensure that the Primary email field (not to be confused with the SSO Username field which is typically but coincidentally also in the format of an email address) has been populated (by the sync process.)

answered 2 years ago
  • This was 100% correct. Thanks for posting this answer.

  • Thanks for posting! Adding the email address into AD fixed it for me as well. I didn't need to delete the user - I just waited and the email showed up in the console. Then I was able to access the console successfully.

  • That's it! I've just remapped userPrincipalName as mail attribute and it worked like a charm. Thanks a lot!
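
The procedure the answer and its comments describe (find AD users with an empty mail attribute, populate it, then confirm that the Primary email shows up on the AWS side after the next sync) can be scripted. The following is an added example, not code from the thread or from AWS: it assumes the RSAT ActiveDirectory module, an AWS CLI v2 profile allowed to call identitystore:ListUsers, and placeholder values for the search OU and the IAM Identity Center identity store ID.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module is installed and the AWS CLI v2 is configured with permission to call
# identitystore:ListUsers. The OU and identity store ID below are placeholders.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Demo,DC=example,DC=com'   # assumption: where the demo users live
$IdentityStoreId = 'd-0000000000'                # assumption: your Identity Center store ID

# 1. Find AD users whose mail attribute is empty. These are the accounts that
#    sync to AWS SSO without a Primary email and then fail with the 403 above.
$missing = Get-ADUser -SearchBase $SearchBase -Filter 'mail -notlike "*"' `
                      -Properties mail, userPrincipalName

foreach ($u in $missing) {
    if (-not $u.UserPrincipalName) {
        Write-Warning "$($u.SamAccountName) has no UPN either; skipping"
        continue
    }
    # 2. Populate mail from the UPN (the same remapping the last comment describes).
    #    -EmailAddress writes the mail attribute. Drop -WhatIf once the preview is right.
    Set-ADUser -Identity $u -EmailAddress $u.UserPrincipalName -WhatIf
}

# 3. After the next SSO sync, list users on the AWS side that still have no
#    Primary email. An empty result means every synced user is ready to log in.
$users = (aws identitystore list-users --identity-store-id $IdentityStoreId --output json |
          ConvertFrom-Json).Users
$users | ForEach-Object {
    $primary = ($_.Emails | Where-Object { $_.Primary }).Value
    [pscustomobject]@{ UserName = $_.UserName; PrimaryEmail = $primary }
} | Where-Object { -not $_.PrimaryEmail }
```

Run step 1 and 2 with -WhatIf first so you can review which accounts would be changed; the mail attribute is not mandatory in AD, so a demo OU can contain more empty values than you expect. Step 3 checks the Primary email field of the synced SSO user, not the SSO Username, which is the distinction the answer points out.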

0

Thanks for the solution. I removed the optional email field from our SSO automation and users were not able to log in to 3rd-party apps using AWS SSO. I had already encountered a problem while creating a new user without the optional email field. The new user was not able to set a new password after signing in with a one-time password. The error message from the AWS console is: "There is some issue from AWS side. Try later." First I thought it was because of some software update on the AWS side, but now I know it is also related. AWS should make the email field mandatory and not optional to avoid these issues!

answered 2 years ago
