AWS SSO ERROR 403 with AD connector

0

I have enabled AWS SSO and set directory source to be my AD connector. Users authenticate without issue, however login into accounts show below error https://ibb.co/XC2LvgP

Below cloudtrail event { "eventVersion": "1.08", "userIdentity": { "type": "Unknown", "principalId": "local.test//S-1-5-21-2194430433-125441924-3567485280-1114", "accountId": "", "userName": "admin3000@local.test" }, "eventTime": "2022-06-18T17:34:02Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate", "awsRegion": "eu-central-1", "sourceIPAddress": "", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36", "errorCode": "403", "errorMessage": "Forbidden", "requestParameters": null, "responseElements": null, "requestID": "8090dc61-de3a-4bde-9275-f6efa75db024", "eventID": "1c10d90b-b47b-4a48-93e3-bc6f870dd7b9", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": , "serviceEventDetails": { "role_name": "AdministratorAccess", "account_id": "" }, "eventCategory": "Management" }

Also in terminal below error happens while using same user to log with aws sso cli An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access

I have checked all roles of SSO and seems nothing is missed. Also issue happens when the identity store is AD, however no issue while identity store is the internal SSO identity store. Can you please advise.

Regards Ali

asked 2 years ago653 views
4 Answers
0

Hi There, I don't think the issue from the integration between AD and SSO due to below points

  • Authentication is working without any problem. Only issue with authorization
  • I have already used guided process

Users are presented in SSO, issue again when user try to use any accounts will get 403, it happens after the authentication.

answered 2 years ago
  • Hi,

    Any update on this issue ?

    I've the 403 error too.

    Regards

0

Hello there

According to the information given, There are few reasons why you can experience this error during sign-in.Make sure to use the exact name of your role, because role names are case sensitive.Correct the name of the role in the SAML service provider configuration.The sso_role_name does not match the permission set associated with the user.Furthermore check with the sso_account_id value. You would need to make sure that the account number is correct. Also make sure that account number is not within quotes. You need to accomplish this by using AWS CLI to check the list of permission sets associated with the user.Hence,you need to login to AWS Management Console and follow this documentation.

Resource:

https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_missing-role

answered 2 years ago
0

Hello There, I think you have missed my point, I am not using ADFS with SAML. I am using AWS SSO and source is AD connector. So all of these settings has been created by AWS SSO. Even I can't modify any of these created SSO roles. Below steps I have used 1- Created a service account in AD to be used by AD connector. 2- Changed AWS SSO identity source to this AD connector 3- Set permission sets to access the AWS accounts. 4- Authentication part is working but problem with role authorization.

So please suggest what can be done.

answered 2 years ago
0

When your Identity source is AD Connector, you need to consider the provisioning method that your AWS SSO is using, There two provisioning methods when connecting to AD either using AD Connector of AWS Managed AD which are Configurable AD Sync and AD Sync. You can view the method SSO using from the SSO settings page.

If Configurable AD Sync is in use, then you have to follow the steps here to properly setup and provision the users.

Reference:

https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-from-ad-configurable-ADsync.html

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions