SSO with Managed AD as idp - 403 forbidden

Question

Hi,

I've connected the SSO idp to the Managed Active Directory with AD Connector as proxy between SSO and Active Directory.

User and groups are sync correctly
I can loggin to the SSO
I can attach permission set to account

After logging to the SSO when I click on the account to assume the role  I got a 403 error
{"message":"No access","__type":"com.amazonaws.switchboard.portal#ForbiddenException"}

I don't know where to search to solve this issue.

Can you please help me ?

Regards

Accepted Answer

HI,

Solved, the issue was a mapping problem between AWS Managed AD and SSO. The SSO user primary-email field was empty.

We change the mapping, everything works well

Regards

Answer

I recommend you review the metadata issued and supported by AWS SSO. Then check the attribute mapping making sure the format is set to "transient"

SSO with Managed AD as idp - 403 forbidden

相关内容