Identity Center - SSO login - "AWS accounts are inaccessible at this time"


Upon logging in to Identity Center provisioned by Azure Active Directory, there is this message: "AWS accounts are inaccessible at this time".

In the JSON error there is this JSON message. There is no documentation about troubleshooting this in SAML.

https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html

{
    "awsAccessAttributes": {
        "project": "sale"
    },
    "awsFederationStatus": "NOT_READY",
    "awsFederationNotReadyReasonDetails": {
        "DOES_NOT_FIT_REGEX": [
            "entreprise.costCenter"
        ]
    },
    "externalAttributes": {
        "https://aws.amazon.com/SAML/Attributes/AccessControl:User.Title": [
            "admin"
        ],
        "https://aws.amazon.com/SAML/Attributes/AccessControl:entreprise.costCenter": [
            "prod;uat;dev"
        ],
        "https://aws.amazon.com/SAML/Attributes/AccessControl:entreprise.division": [
            "sale"
        ]
    },
    "identityStoreUserId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "managedActiveDirectoryId": "xxxxxxxxxxxx"
}

1 Answer

Accepted Answer

I assume you have attribute-based access control enabled. https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html

Can you verify that the mentioned attribute in the reason details under DOES_NOT_FIT_REGEX is correct both from an IdP (Azure AD) and the Identity Center (attribute mapping) perspective?

Martin (AWS), answered 9 months ago
EXPERT, reviewed 9 months ago
  • yup :) tks, there was indeed a typo error on the Azure side

    "entreprise" was written instead of the correct "enterprise"
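
The check suggested in the answer, as an added example that is not part of the original thread: it compares the `AccessControl:` claim names in the error JSON against the attribute keys the administrator meant to send and points out near-miss spellings. `triage` and `EXPECTED_KEYS` are hypothetical names, the expected keys are an assumption, and the pattern AWS validates against is not reproduced because the page does not state it.

```python
import difflib

PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"

# Constructed sample: trimmed copy of the error JSON from the question
# (in practice, json.load() the message shown by the portal).
SAMPLE = {
    "awsFederationStatus": "NOT_READY",
    "awsFederationNotReadyReasonDetails": {"DOES_NOT_FIT_REGEX": ["entreprise.costCenter"]},
    "externalAttributes": {
        PREFIX + "User.Title": ["admin"],
        PREFIX + "entreprise.costCenter": ["prod;uat;dev"],
        PREFIX + "entreprise.division": ["sale"],
    },
}

# Assumption: the attribute keys the administrator intended the IdP to send.
EXPECTED_KEYS = ["User.Title", "enterprise.costCenter", "enterprise.division"]


def triage(status, expected_keys):
    """Return one finding per AccessControl claim that is flagged or unexpected."""
    received = {
        name[len(PREFIX):]: values
        for name, values in status.get("externalAttributes", {}).items()
        if name.startswith(PREFIX)
    }
    # Collect every attribute name listed under any not-ready reason.
    flagged = set()
    for names in status.get("awsFederationNotReadyReasonDetails", {}).values():
        flagged.update(names)
    findings = []
    for key in sorted(received):
        if key in expected_keys and key not in flagged:
            continue  # name is as intended and was not reported
        near = difflib.get_close_matches(key, expected_keys, n=1, cutoff=0.8)
        findings.append({
            "received": key,
            "values": received[key],
            "flagged_by_aws": key in flagged,
            "did_you_mean": near[0] if near else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, EXPECTED_KEYS):
        print(finding)
```

On the sample it also reports `entreprise.division`, which carries the same misspelling but was not listed in the error.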
