By using AWS re:Post, you agree to the Terms of Use

SSO issue working with Fleet Manager and RDP: SSO is not shared in a org

1

I'm trying to follow this post https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/ But I have an error message related with SSO "An error occurred while calling the ListDirectoryAssociations API operation. SSO features are disabled. AccessDeniedException: SSO is not shared in org: xxxxx" I have configured SSO with AzureAD as external provider. Can somebody help me with this issue? Regards

  • Hi Hernan. I have the same issue; did you get anywhere with it? For me it works when SSOing into the AWS Organizations management account, but not on an invited account. On the latter, there's no option in Fleet Manager to use SSO as an authentication method, and the errors you mention crop up in the browser network debug log. I'll post here if/when I figure it out 👍

2 Answers
0

Hello, my suggestion is that you check that "trusted access" for SSO is enabled in the organization, please go to AWS Organizations>Services>Single Sign On and make sure "trusted access" is enabled, if that is enabled, then it may be a permissions issue, in this guide https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-sso.html you can check the role and it's permissions

answered 6 months ago
  • Thanks for your answer. Trustes Access was enable and related to permission, it seems the role has the needed ones. But I don't know if the permission should be related with the ec2 role o related with the user role.

0

In the AWS Fleet Manager documentation, it mentions -

Fleet Manager supports AWS SSO authenticated RDP connections in the same AWS Region where you enabled AWS SSO

I have instances in multiple regions and it wasn't until I re-read the docs that I noticed this colossal limitation and understood why I wasn't getting anywhere. I'm guessing you're in the same boat.

The regional limitation of SSO is also mentioned here.

I'm still finding it hard to believe such a fundamental feature isn't supported by AWS SSO 😢

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions