Forbidden 403 access denied with AWS SSO SAML application from GitLab integration
Hi,
I have a setup with AWS SSO, and its identity source is AWS SSO (not AD or external).
I have a problem with this integration; the GitLab configuration is correct (with Okta as IdP, the same GitLab configuration has worked correctly).
The idea is to use AWS SSO as IdP and GitLab as SP.
GitLab settings (`gitlab.rb`):

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_auto_link_user'] = ['saml']
gitlab_rails['omniauth_external_providers'] = ['saml']
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Saml Provider",
    args: {
      assertion_consumer_service_url: "http://gitlab.domain/users/auth/saml/callback",
      idp_sso_target_url: "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/{assertion_id}",
      issuer: "https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/{assertion_id}",
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      idp_cert_fingerprint: "{fingerprint_cert}"
    }
  }
]
```
In AWS SSO the config is:
The assigned user is an Administrator group to which I belong.
But I received this error:
I only see the SAML Request but I can't find the SAML Response; also, when I go back to the GitLab URL with the cookie, I get the following message: Could not authenticate you from SAML because "Saml response missing".
The assertions required by GitLab are:

| Field | Supported keys |
|---|---|
| Email (required) | email, mail |
| Full Name | name |
| First Name | first_name, firstname, firstName |
| Last Name | last_name, lastname, lastName |
Regards!
Hi again,
Finally, the configuration that has worked correctly for me in AWS SSO is:

| Attribute APP | Attribute SSO | Format |
|---|---|---|
| Subject | ${user:email} | emailAddress |
| name | ${user:name} | basic |
| last_name | ${user:familyName} | basic |
| first_name | ${user:givenName} | basic |
| | ${user:email} | basic |
Regards!
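To confirm that an assertion produced by the mapping above actually carries what GitLab needs (a NameID in emailAddress format plus the required email attribute under one of its accepted keys), here is an added checker that is not code from the forum post, GitLab or AWS. It runs on the constructed sample response embedded below; the field names and accepted keys come from the question's table, and the sample values are placeholders.

```python
"""Check a SAML Response for the attributes GitLab's SAML provider expects.

Added example, not code from the forum post, GitLab or AWS. The sample response
mirrors the AWS SSO mapping from the answer above.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Supported keys per GitLab field, as listed in the question above.
GITLAB_FIELDS = {
    "email": ("email", "mail"),  # required
    "name": ("name",),
    "first_name": ("first_name", "firstname", "firstName"),
    "last_name": ("last_name", "lastname", "lastName"),
}
REQUIRED = ("email",)

def check_gitlab_assertion(xml_text):
    """Map assertion attributes onto GitLab fields; report NameID format and gaps."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Saml response missing an Assertion element")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}  # {Attribute Name: first AttributeValue text}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = val.text if val is not None else None
    result = {f: next((attrs[k] for k in keys if k in attrs), None)
              for f, keys in GITLAB_FIELDS.items()}
    result["nameid_ok"] = nameid is not None and nameid.get("Format") == EMAIL_NAMEID
    result["missing"] = [f for f in REQUIRED if result[f] is None]
    return result

# Constructed sample response; values are placeholders, not real data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Feed it the decoded SAMLResponse captured in the browser tool; an empty `missing` list and `nameid_ok == True` means the attribute mapping matches what the GitLab provider expects.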
I think the problem is related to setting up the trust between GitLab (the service provider's application) and AWS SSO; make sure to check the instruction manual, AWS Single Sign-On (AWS SSO) Integration Guide for GitLab.
HTH.
I have followed that guide and the most I get is a 403 in AWS SSO. I cannot see more logs except the ones I see in CloudTrail, where the 403 is indicated in Federate.
The configuration with the Okta provider has worked correctly, but with AWS SSO I can't get it to work.