Hi there, I don't think the issue is from the integration between AD and SSO, due to the points below:
- Authentication is working without any problem. The only issue is with authorization.
- I have already used the guided process.
Users are presented in SSO; the issue again is that when a user tries to use any account they get a 403. It happens after the authentication.
Hello there
According to the information given, there are a few reasons why you can experience this error during sign-in:
- Make sure to use the exact name of your role, because role names are case sensitive. Correct the name of the role in the SAML service provider configuration.
- The sso_role_name does not match the permission set associated with the user.
- Furthermore, check the sso_account_id value. You would need to make sure that the account number is correct. Also make sure that the account number is not within quotes.
You need to accomplish this by using the AWS CLI to check the list of permission sets associated with the user. Hence, you need to log in to the AWS Management Console and follow this documentation.
Resources:
- https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html
- https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_missing-role
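To make the two checks in the answer above concrete, here is an added example (not from the thread or from AWS) that inspects AWS CLI SSO profiles for a case-mismatched sso_role_name and a quoted sso_account_id. The permission-set names and the config text are constructed stand-ins for what `aws sso-admin list-permission-sets` plus `describe-permission-set` and a real ~/.aws/config would contain.

```python
# Added example (not from the thread): flag, in AWS CLI SSO profiles, the two
# mismatches the answer above describes. PERMISSION_SETS stands in for the names
# `aws sso-admin list-permission-sets` + `describe-permission-set` would return.
import configparser
import re

# Constructed permission-set names as provisioned in AWS SSO (IAM Identity Center).
PERMISSION_SETS = ["AdministratorAccess", "ReadOnlyAccess"]

# Constructed ~/.aws/config: one correct profile and two that get 403 after sign-in.
SAMPLE_CONFIG = """
[profile good]
sso_account_id = 111122223333
sso_role_name = ReadOnlyAccess

[profile wrong-case]
sso_account_id = 111122223333
sso_role_name = readonlyaccess

[profile quoted-account]
sso_account_id = "111122223333"
sso_role_name = ReadOnlyAccess
"""
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def check_profiles(config_text, permission_sets):
    """Return {profile_section: [problems]}; an empty list means consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    by_lower = {p.lower(): p for p in permission_sets}
    findings = {}
    for section in cfg.sections():
        problems = []
        account = cfg.get(section, "sso_account_id", fallback="")
        role = cfg.get(section, "sso_role_name", fallback="")
        # A quoted value is read literally (quotes included), so it matches no account.
        if account[:1] in ("'", '"') or account[-1:] in ("'", '"'):
            problems.append("sso_account_id is quoted; remove the quotes")
        elif not ACCOUNT_ID_RE.match(account):
            problems.append("sso_account_id is not a 12-digit account number")
        # Permission-set names are compared case-sensitively.
        if role not in permission_sets:
            hint = by_lower.get(role.lower())
            msg = f"sso_role_name {role!r} matches no permission set"
            if hint:
                msg += f"; names are case-sensitive, did you mean {hint!r}?"
            problems.append(msg)
        findings[section] = problems
    return findings
```

Running `check_profiles(SAMPLE_CONFIG, PERMISSION_SETS)` reports nothing for `profile good` and one finding each for the other two profiles.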
Hello there, I think you have missed my point. I am not using ADFS with SAML. I am using AWS SSO and the source is AD Connector, so all of these settings have been created by AWS SSO. I can't even modify any of these created SSO roles. Below are the steps I have used:
1. Created a service account in AD to be used by AD Connector.
2. Changed the AWS SSO identity source to this AD Connector.
3. Set permission sets to access the AWS accounts.
4. The authentication part is working, but there is a problem with role authorization.
So please suggest what can be done.
When your identity source is AD Connector, you need to consider the provisioning method that your AWS SSO is using. There are two provisioning methods when connecting to AD, either using AD Connector or AWS Managed AD, which are Configurable AD Sync and AD Sync. You can view the method SSO is using from the SSO settings page.
If Configurable AD Sync is in use, then you have to follow the steps here to properly set up and provision the users.
Reference:
Hi,
Any update on this issue?
I have the 403 error too.
Regards