issues with AWS SSO linking to Google Workspaces


After following this tutorial step by step I get a 403 error every time

  1. That’s an error. Error: app_not_configured_for_user Service is not configured for this user.

I double-checked every field and Identity especially and nothing seems to point to where the issue is coming from.

Any tips for debugging?

asked 2 years ago, 3208 views
4 Answers
Accepted Answer

Sorry for answering this myself. While the other answers are indeed correct, my issue was totally unrelated and was most likely due to the way Google Workspaces works. After 24 hours from setting up the connection it started working by itself. Writing this just in case others run into this issue. If you are 100% sure you set everything according to the article and still get the error, have some patience, it will work.

answered 2 years ago

Based on the error prompt & as per my understanding, this points out the need for additional settings on the Google Apps account. Can you verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console? This value is case-sensitive.

AWS
answered 2 years ago
  • Well, the entities and other values were transferred via the IdP file as in the tutorial and the values are all lowercase. Is there any way to actually check the SAML Request?
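
The comment above asks how to inspect the SAML request, and the answer asks for a case-sensitive comparison of saml:Issuer with the Entity ID. The following is an added example, not part of the original thread: it decodes the `SAMLRequest` query parameter from a sign-in URL copied from the browser's network tab and compares its Issuer exactly. The function names, the `example.com` hosts and the sample issuer are constructed for illustration, and it assumes the request reaches the IdP as a `SAMLRequest` query parameter.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(value: str) -> bytes:
    """Return the AuthnRequest XML carried in a SAMLRequest parameter."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    except zlib.error:
        return raw  # HTTP-POST binding: the base64 payload is the XML itself


def issuer_from_url(url: str) -> str:
    """Extract the saml:Issuer text from a sign-in URL copied from the browser."""
    value = parse_qs(urlparse(url).query)["SAMLRequest"][0]  # also URL-decodes
    # Input here is your own captured request; use defusedxml for untrusted XML.
    issuer = ET.fromstring(decode_saml_request(value)).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no saml:Issuer element")
    return issuer.text.strip()


def issuer_matches(url: str, entity_id: str) -> bool:
    """Exact comparison: the Entity ID check is case-sensitive."""
    return issuer_from_url(url) == entity_id


def build_sample_url(issuer: str) -> str:
    """Constructed sample input (not a real AWS or Google URL)."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.com/sso?" + query


if __name__ == "__main__":
    url = build_sample_url("https://sp.example.com/saml/metadata/constructed")
    print("Issuer in request:", issuer_from_url(url))
    print("Match:", issuer_matches(url, "https://SP.example.com/saml/metadata/constructed"))
```

A captured `SAMLRequest` can reveal internal hostnames and request IDs, so decode it locally rather than pasting it into an online decoder.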


I've set this up recently and have seen that error. From what I understand it means the user you are logged in with / trying to log in with does not have access to the SAML app you configured in Google Workspaces. From experience this can happen because you are already logged into a different Google account that does not have access, or you have not configured your SAML app in Google Workspaces to allow the user you have logged in with access to it.

In the blog post under step 7 it directs you to "select ON for everyone", have you done that? Or otherwise have you configured an Organizational Unit or Group to have access that your user is not part of?

answered 2 years ago

The trick is to make the Google account you want to use with AWS your default Google account. You do that by clicking "Sign out of all accounts" in Google, then first log in to the account you want to use as the default account, and then log in with your secondary accounts.

answered 17 days ago
