Problem with adding SSO user/group to Managed Grafana


Hi,

I'm trying to add a user or group from SSO to Grafana, but it ends with the error: "400 Failed to associate identity 996707c13f-1af38066-6ab6-48bd-bbdf-35094dc7a3ef, type: SSO_USER with workspace SSO application"

I created a Grafana workspace with the "Service managed" option and the AWS IAM Identity Center authentication method. SSO is deployed in a different account and AD Connector is used as the source. My user has full privileges, and Grafana is able to list users and groups but cannot add the selected ones.

The only error I found in CloudTrail is:

(...)
    "eventSource": "sso.amazonaws.com",
    "eventName": "AssociateProfile",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "grafana.amazonaws.com",
    "userAgent": "grafana.amazonaws.com",
    "errorCode": "InvalidInputException",
    "requestParameters": {
        "accessorId": "S-1-5-...",
        "accessorType": "USER",
        "directoryId": "d-xxxxx",
        "directoryType": "ADConnector",
        "instanceId": "ins-6a1...",
        "profileId": "p-bb..."
    },
    "responseElements": null,
    "requestID": "ebd8b359-ce31-4996-812d-41cf8802852e",
    "eventID": "790e94a8-b2e6-418a-a474-e086e84bf558",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "(...)",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
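
An added example, not part of the original post: one way to pull failed `AssociateProfile` calls made by Grafana out of exported CloudTrail records and group them for triage. The sample records and the function names are constructed for illustration; only the field names and values shown in the excerpt above come from the page.

```python
import json
from collections import Counter

# Constructed sample records; field names follow the CloudTrail excerpt above.
SAMPLE = json.loads("""
{"Records": [
  {"eventSource": "sso.amazonaws.com", "eventName": "AssociateProfile",
   "userAgent": "grafana.amazonaws.com", "errorCode": "InvalidInputException",
   "requestParameters": {"accessorType": "USER", "directoryType": "ADConnector"},
   "requestID": "constructed-1"},
  {"eventSource": "sso.amazonaws.com", "eventName": "AssociateProfile",
   "userAgent": "grafana.amazonaws.com", "errorCode": "InvalidInputException",
   "requestParameters": {"accessorType": "GROUP", "directoryType": "ADConnector"},
   "requestID": "constructed-2"},
  {"eventSource": "sso.amazonaws.com", "eventName": "AssociateProfile",
   "userAgent": "grafana.amazonaws.com",
   "requestParameters": {"accessorType": "USER"}, "requestID": "constructed-3"},
  {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "userAgent": "constructed-agent", "errorCode": "AccessDenied",
   "requestParameters": null, "requestID": "constructed-4"}
]}
""")["Records"]


def failed_associations(records, caller="grafana.amazonaws.com"):
    """Return failed sso:AssociateProfile calls made by the given service."""
    hits = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "sso.amazonaws.com", "AssociateProfile"):
            continue
        if rec.get("userAgent") != caller or not rec.get("errorCode"):
            continue  # other caller, or the call succeeded
        params = rec.get("requestParameters") or {}  # may be null in CloudTrail
        hits.append({
            "requestID": rec.get("requestID"),
            "errorCode": rec["errorCode"],
            "accessorType": params.get("accessorType", "unknown"),
            "directoryType": params.get("directoryType", "unknown"),
        })
    return hits


def summarize(hits):
    """Count failures per (errorCode, directoryType, accessorType)."""
    return Counter((h["errorCode"], h["directoryType"], h["accessorType"])
                   for h in hits)


if __name__ == "__main__":
    for key, count in summarize(failed_associations(SAMPLE)).items():
        print(count, *key)
```
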
1 Answer

Review your configuration. Here's the recommended procedure from AWS:

I don't think you'd see the ADConnector information if you were configuring your Grafana to use SSO.

Hope this helps.

answered a year ago
