Problem with SSO
Even with all the configuration done correctly in SSO, it is not possible to access the console.
Oops, something went wrong Provide your administrator with the following info: No access Request ID: 5e5e705c-ee95-47e2-93f0-6d53ea9d56b3 HTTP status: 403
Can you help us?
I had the same problem. I am using Active Directory, but my solution below may have some generality to other IdP as well.
It seems that the AD user must have an email address set in the AD profile (on the Windows side). That email address is mapped (by the default mapping as can be seen pre-populated in AWS Console) to AWS SSO's user profile (as the Primary email field) and is used to compose the Federated Username in an AWS login session, e.g.,
Now for a real production AD configuration, in all likelihood every user's profile already has the email field populated. But that's not a mandatory field from AD's point of view. So, when you create a demo user, you might have neglected to populate that field. That's what happened to me.
So, populate that field in AD, and wait (for a non-deterministic amount of time -- why can't we have a "sync now" button?!) for AWS SSO to sync from AD. Here you'd encounter the next quirk... AWS SSO either doesn't seem to override the AWS-side previously-sync'ed email address or maybe I ran out of patience waiting for (again, a non-deterministic amount of time :) the next sync cycle. My hack is to delete the SSO User on the AWS side and wait (you guessed it, for a non-deterministic amount of time :):) for SSO to re-create that user during the next sync cycle.
Anyway, look into the SSO user profile (on the AWS side) to ensure that the Primary email field (not to be confused with the SSO Username field, which is typically but coincidentally also in the format of an email address) has been populated (by the sync process.)
This was 100% correct. Thanks for posting this answer.