AWS SSO ERROR 403 with AD connector

0

I have enabled AWS SSO and set directory source to be my AD connector. Users authenticate without issue, however login into accounts show below error https://ibb.co/XC2LvgP

Below cloudtrail event { "eventVersion": "1.08", "userIdentity": { "type": "Unknown", "principalId": "local.test//S-1-5-21-2194430433-125441924-3567485280-1114", "accountId": "", "userName": "admin3000@local.test" }, "eventTime": "2022-06-18T17:34:02Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate", "awsRegion": "eu-central-1", "sourceIPAddress": "", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36", "errorCode": "403", "errorMessage": "Forbidden", "requestParameters": null, "responseElements": null, "requestID": "8090dc61-de3a-4bde-9275-f6efa75db024", "eventID": "1c10d90b-b47b-4a48-93e3-bc6f870dd7b9", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": , "serviceEventDetails": { "role_name": "AdministratorAccess", "account_id": "" }, "eventCategory": "Management" }

Also in terminal below error happens while using same user to log with aws sso cli An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access

I have checked all roles of SSO and seems nothing is missed. Also issue happens when the identity store is AD, however no issue while identity store is the internal SSO identity store. Can you please advise.

Regards Ali

asked 2 years ago854 views
2 Answers
0

Hi There, I don't think the issue from the integration between AD and SSO due to below points

  • Authentication is working without any problem. Only issue with authorization
  • I have already used guided process

Users are presented in SSO, issue again when user try to use any accounts will get 403, it happens after the authentication.

answered 2 years ago
  • Hi,

    Any update on this issue ?

    I've the 403 error too.

    Regards

0

Hello There, I think you have missed my point, I am not using ADFS with SAML. I am using AWS SSO and source is AD connector. So all of these settings has been created by AWS SSO. Even I can't modify any of these created SSO roles. Below steps I have used 1- Created a service account in AD to be used by AD connector. 2- Changed AWS SSO identity source to this AD connector 3- Set permission sets to access the AWS accounts. 4- Authentication part is working but problem with role authorization.

So please suggest what can be done.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions