Forbbiden 403 access denied with AWS SSO SAML application from Gitlab integration

Question

HI,

I have a setup with AWS SSO and its identity source is AWS SSO (not AD or external)

I have a problem with this integration, the gitlab configuration has the correct configuration (with IDP Okta has worked correctly with the same configuration by Gitlab).

The idea is to use AWS SSO as IdP and Gitlab as SP.

Gitlab settings:

```
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_auto_link_user'] = ['saml']
gitlab_rails['omniauth_external_providers'] = ['saml']
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Saml Provider",
    args: {
      assertion_consumer_service_url: "http://gitlab.domain/users/auth/saml/callback",
      idp_sso_target_url: "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/{assertion_id}",
      issuer: "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/{assertion_id}",
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      idp_cert_fingerprint: "{fingerprint_cert}"
    }
  }
]

```

Into AWS SSO the config is:

![AWS SSO mappings](https://i.ibb.co/wJ50WTs/Captura-de-pantalla-de-2022-04-06-11-40-37.png "AWS SSO mappings") [image url](https://i.ibb.co/wJ50WTs/Captura-de-pantalla-de-2022-04-06-11-40-37.png)

The assigned users is a Administrator Group to which I belong

But I recivied this error:

![AWS SSO Error](https://i.ibb.co/VxtGN7Y/Captura-de-pantalla-de-2022-04-06-11-56-36.png "AWS SSO Error") [image url](https://i.ibb.co/VxtGN7Y/Captura-de-pantalla-de-2022-04-06-11-56-36.png)

I only see the SAML Request but I can't find the SAML Response, also when I go back to the gitlab url with the Cookie, I get the following message in it:  Could not authenticate you from SAML because "Saml response missing".

The assertions required by gitlab is: 
```
Field	Supported keys
Email (required)	email, mail
Full Name	name
First Name	first_name, firstname, firstName
Last Name	last_name, lastname, lastName
```

Regards!

Accepted Answer

Hi again,

FInally, the configuration that has worked correctly for me into AWS SSO is:

| Attribute APP | Attributte SSO | Format  |
| :---:    |    :----:   |    :---: |
| Subject | ${user:email} | emailAddress |
| name | ${user:name} | basic |
| last_name | ${user:familyName} | basic |
| first_name | ${user:givenName} | basic |
| email | ${user:email} | basic |

Regards!

Answer

I think the problem is related to setting up the trust between Gitlab - the service provider's application and AWS SSO, make sure to check the instruction manual AWS Single Sign-On (AWS SSO) Integration Guide for GitLab

HTH.

Narongrit

answered 2 years ago

HTH.

Attribute APP	Attributte SSO	Format
Subject	${user:email}	emailAddress
name	${user:name}	basic
last_name	${user:familyName}	basic
first_name	${user:givenName}	basic
email	${user:email}	basic

Forbbiden 403 access denied with AWS SSO SAML application from Gitlab integration

Relevant content