
User16625595906871071938 (Customer) asked a question.
Hey!
So I am trying to set up the AWS IAM Identity Center app and running into an issue. I have configured the AWS side with the identity provider and uploaded the metadata.xml file. On the Okta side I entered the AWS SSO ACS URL and the issuer URL.
Following all of the steps found here - https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-AWS-Identity-Manager-Center.html?baseAdminUrl=https://scienceexchange-admin.okta.com&app=amazon_aws_sso&instanceId=0oa3cvgi4e12MdMWr697
However, when using the Okta tile to SSO into AWS, I am given a "Something went wrong. Looks like this code isn't right Please try again" error. I am stuck here and can't seem to figure out the problem.
Also, looking at the documentation from AWS, found here: https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html In step 2, where it says to go to the Provisioning tab, that tab is not available for me. If I go to the Push Groups tab and click the "Enable Provisioning" button, it just redirects back to the General tab and nothing happens. No error is given and nothing is showing in the logs.

Hi @User16625595906871071938 (Customer),
Thank you for posting on the Okta community page!
I have done some research, and it seems that the "Something went wrong. Looks like this code isn't right Please try again" error is usually caused by a misconfiguration, therefore I would recommend re-checking the configuration on the Okta side and the AWS side to make sure that everything is configured according to your organisation's needs.
Additionally, I would recommend also checking the user assignment and making sure that the users' app attributes on the Assignments tab in Okta are the same as on the AWS side, because if the email/username is different in AWS than it is in Okta, it might cause the error that you are receiving.
About the Provisioning tab not being available: if you do not see the tab on the app profile in Okta, it might be because you need a functionality enabled on your Okta tenant, therefore I would suggest reaching out to your Account Executive in order to make sure you have the feature required to use provisioning. In addition, while clicking "Enable Provisioning" on the Push Groups tab, you can try to capture a HAR file to investigate whether any errors are appearing there, because additional info might be present in this trace.
I ran into the exact same issue. Here is what I had to do. In the Okta "AWS IAM Identity Center" app, remove the "Default Relay State". Basically, keep it blank. That will fix the issue.
Also, here are two very good links on this subject:
https://aws.amazon.com/blogs/aws/single-sign-on-between-okta-universal-directory-and-aws/
https://okta.awsworkshop.io/assign-groups-in-okta-and-provision-to-aws/push-groups.html
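The Okta answer above says to re-check that the Okta and AWS sides agree, and the later reply reports that a non-empty Default Relay State in the Okta app caused this error. Below is an added example (not code from the thread, from Okta or from AWS) of how to do that check offline: it parses the IdP metadata.xml that was uploaded to AWS and a SAMLResponse captured from the browser POST (for instance from a HAR file), then compares the fields a SAML service provider validates (Issuer, Destination, Recipient, Audience, NameID) against the values configured on the AWS side, and flags a populated RelayState. All URLs, entity IDs, usernames and XML in it are constructed placeholders, not real tenant values; `SP_CONFIG` stands for the ACS URL and issuer URL shown in the AWS IAM Identity Center console.

```python
"""Offline consistency check of an Okta -> AWS IAM Identity Center SAML login.

Added example, not from the thread. Every URL, ID, username and XML document
below is a constructed placeholder, not a real Okta or AWS value.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text):
    """Return the entityID and HTTP-POST SSO URL from the IdP (Okta) metadata.xml."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
    }


def parse_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field and pull out the fields the SP validates."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "name_id": name_id.text,
        "recipient": scd.get("Recipient"),
    }


def check_exchange(idp_metadata_xml, sp_config, form_fields, aws_username):
    """Return a list of findings; an empty list means both sides line up."""
    idp = parse_idp_metadata(idp_metadata_xml)
    resp = parse_saml_response(form_fields["SAMLResponse"])
    findings = []
    # Issuer in the response must be the entityID in the metadata uploaded to AWS
    if resp["issuer"] != idp["entity_id"]:
        findings.append(f"issuer mismatch: response {resp['issuer']!r}, metadata {idp['entity_id']!r}")
    # Destination and Recipient must both be the AWS SSO ACS URL entered in Okta
    for field in ("destination", "recipient"):
        if resp[field] != sp_config["acs_url"]:
            findings.append(f"{field} {resp[field]!r} != AWS ACS URL {sp_config['acs_url']!r}")
    # Audience must be the AWS issuer URL (the SP entity ID) entered in Okta
    if resp["audience"] != sp_config["sp_entity_id"]:
        findings.append(f"audience {resp['audience']!r} != AWS issuer URL {sp_config['sp_entity_id']!r}")
    # NameID must match the username AWS has for the user (case-sensitive compare on purpose)
    if resp["name_id"] != aws_username:
        findings.append(f"NameID {resp['name_id']!r} != username in AWS {aws_username!r}")
    # A populated RelayState comes from the Okta app's Default Relay State setting
    if form_fields.get("RelayState"):
        findings.append(f"RelayState is set to {form_fields['RelayState']!r}; try leaving Default Relay State blank")
    return findings


# --- constructed sample data (placeholders only) ---
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://www.okta.com/exk0000example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.invalid/app/amazon_aws_sso/exk0000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_CONFIG = {  # stand-ins for the ACS URL and issuer URL shown in the AWS console
    "acs_url": "https://sso.example.invalid/platform/saml/acs/00000000-0000-4000-8000-000000000000",
    "sp_entity_id": "https://sso.example.invalid/platform/saml/d-0000000000",
}


def make_response(issuer, acs_url, audience, name_id):
    """Build a minimal (unsigned, constructed) SAMLResponse as the browser would POST it."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{acs_url}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


GOOD_FORM = {"SAMLResponse": make_response("http://www.okta.com/exk0000example", SP_CONFIG["acs_url"],
                                           SP_CONFIG["sp_entity_id"], "alice@example.invalid"),
             "RelayState": ""}
BAD_FORM = {"SAMLResponse": make_response("http://www.okta.com/exk9999stale", SP_CONFIG["acs_url"],
                                          SP_CONFIG["sp_entity_id"], "alice@example.invalid"),
            "RelayState": "https://console.aws.amazon.com/"}

if __name__ == "__main__":
    for label, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(label, check_exchange(IDP_METADATA, SP_CONFIG, form, "alice@example.invalid") or "OK")
```

The script does not verify the XML signature, so it is a configuration cross-check rather than a security validation; run it against a SAMLResponse captured from your own browser and the metadata.xml you actually uploaded, and treat each finding as one value to reconcile between the Okta app and the IAM Identity Center external IdP settings.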