By using AWS re:Post, you agree to the Terms of Use
/Problem with SSO/

Problem with SSO

1

Even with all the configuration done correctly in SSO, it is not possible to access the console.

Oops, something went wrong Provide your administrator with the following info: No access Request ID: 5e5e705c-ee95-47e2-93f0-6d53ea9d56b3 HTTP status: 403

Can you help us?

Thank You

1 Answers
2

I had the same problem. I am using Active Directory, but my solution below may have some generality to other IdP as well.

It seems that the AD user must have an email address set in the AD profile (on the Windows side). That email address is mapped (by the default mapping as can be seen pre-populated in AWS Console) to AWS SSO's user profile (as the Primary email field) and is used to compose the Federated Username in an AWS login session, e.g., AWSReservedSSO_ViewOnlyAccess_ee422b93fe9f787c/alice2@example.com.

Now for a real production AD configuration, in all likelihood every user's profile already has the email field populated. But that's not a mandatory field from AD's point of view. So, when you create a demo user, you might have neglected to populate that field. That's what happened to me.

So, populate that field in AD, and wait (for a non-deterministic amount of time -- why can't we have a "sync now" button?!) for AWS SSO to sync from AD. Here you'd encounter the next quirk... AWS SSO either doesn't seem to override the AWS-side previously-sync'ed email address or maybe I ran out of patience waiting for (again, a non-deterministic amount of time :) the next sync cycle. My hack is to delete the SSO User on the AWS side and wait (you guessed it, for a non-deterministic amount of time :):) for SSO to re-create that user during the next sync cycle.

Anyway, look into the SSO user profile (on the AWS side) to ensure that the Primary email field (not to be confused with the SSO Username field which is typically but coincidentally also in the format of an email address) has been populated (by the sync process.)

answered 2 months ago
  • this was 100% the correct. thanks for posting this answer.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions