awsdocs / aws-single-sign-on-user-guide

The open source version of the AWS Single Sign-On docs. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

Troubleshooting Tips #2

Closed nicholaspierson closed 1 year ago

nicholaspierson commented 6 years ago

As you know, troubleshooting AWS Single Sign-On can be a challenge. What issues have you run into getting AWS Single Sign-On to work? Can you share your solutions with your colleagues? Please share only problems for which you've found a solution. If you're still struggling with a problem, please contact AWS Support or post your issue on the Forums.

Share the following information with me as a response to this issue, and I'll consider adding it to the troubleshooting section of the AWS Single Sign-On documentation.

  1. What were the symptoms of the problem?
  2. Were the exception/error messages helpful or less than helpful? Did they help lead you to the solution, confuse you, or were they just white noise that didn't help or hurt? What specific message(s) did you get and how did they help or not help?
  3. What did you do to troubleshoot? What did you try that didn't help? What finally did lead you to the correct root cause?
  4. What did you finally do to correct the problem?

I'll use this information to improve the documentation. The more detail you can add, the better I can use it to improve the docs! Thank you very much.

Nick Pierson
Senior Technical Writer
AWS Single Sign-On
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

pcolmer commented 4 years ago
  1. After successfully authenticating at the IdP, AWS SSO web page gave me this message:

         An unexpected error has occurred
         Please try signing in again. If the error persists, please contact your administrator
         RequestId: 4bbfa7d5-1bde-48e9-80f4-e50a09d713fe
         Time: Fri, 27 Dec 2019 11:40:13 GMT

  2. The message was less than helpful. It gave me no hint as to what was wrong or where to look for troubleshooting information.
  3. I used SAML-tracer (a Chrome plugin) to look at the attributes that the IdP was returning to AWS SSO. I guessed at the root cause.
  4. The root cause was a bad assumption on my part. I assumed that if the IdP returned the user's email address, AWS SSO would map against that when looking up the user. It doesn't. The identity returned by the IdP must match the actual configured username in AWS SSO. Changing that from "firstname.lastname" to the full email address solved the problem.

Of course, it might be better if AWS SSO actually gave a helpful error message like "Invalid identity" or "Unrecognised identity". I'm not sure how documentation can help with "Unexpected error". There is too little context to work with.
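
The comparison pcolmer describes doing by eye in SAML-tracer, as an added example that is not part of the original thread: it decodes a captured `SAMLResponse` form value and checks the returned identity against the usernames configured in AWS SSO. It assumes the identity is carried in the assertion's Subject `NameID`; the function names, sample response and usernames are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, trimmed to the elements inspected here).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def subject_from_saml_response(b64_response):
    """Return (NameID or None, {attribute name: [values]}) from a SAMLResponse form value."""
    # Diagnostic only: no signature check; parse only responses you captured yourself.
    root = ET.fromstring(base64.b64decode(b64_response))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = node.text.strip() if node is not None and node.text else None
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs

def diagnose(b64_response, sso_usernames):
    """Say whether the returned identity equals a configured username, with near-miss hints."""
    name_id, attrs = subject_from_saml_response(b64_response)
    if name_id is None:
        return "no NameID in the assertion Subject"
    if name_id in sso_usernames:
        return f"match: {name_id}"
    for user in sorted(sso_usernames):
        if user.casefold() == name_id.casefold():
            return f"mismatch: NameID {name_id!r} differs from username {user!r} only by case"
        if user.split("@")[0] == name_id.split("@")[0]:
            return (f"mismatch: NameID {name_id!r} vs username {user!r} "
                    "(same local part, different or missing domain)")
    for attr_name, values in attrs.items():
        for user in sorted(sso_usernames):
            if user in values:
                return (f"mismatch: username {user!r} is sent in attribute "
                        f"{attr_name!r}, not in NameID {name_id!r}")
    return f"mismatch: NameID {name_id!r} matches no configured username"

if __name__ == "__main__":
    print(diagnose(SAMPLE_B64, {"jane.doe"}))  # the situation described in the comment above
```
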

stgarf-sx commented 2 years ago
> 1. After successfully authenticating at the IdP, AWS SSO web page gave me this message:
>
>        An unexpected error has occurred
>        Please try signing in again. If the error persists, please contact your administrator
>        RequestId: 4bbfa7d5-1bde-48e9-80f4-e50a09d713fe
>        Time: Fri, 27 Dec 2019 11:40:13 GMT
>
> 2. The message was less than helpful. It gave me no hint as to what was wrong or where to look for troubleshooting information.
> 3. I used SAML-tracer (a Chrome plugin) to look at the attributes that the IdP was returning to AWS SSO. I guessed at the root cause.
> 4. The root cause was a bad assumption on my part. I assumed that if the IdP returned the user's email address, AWS SSO would map against that when looking up the user. It doesn't. The identity returned by the IdP must match the actual configured username in AWS SSO. Changing that from "firstname.lastname" to the full email address solved the problem.
>
> Of course, it might be better if AWS SSO actually gave a helpful error message like "Invalid identity" or "Unrecognised identity". I'm not sure how documentation can help with "Unexpected error". There is too little context to work with.

Thank you for your extremely thoughtful reply @pcolmer.

Wow, I can't believe in 2022 that I've run into the exact problem and solution and IT STILL HASN'T BEEN PROPERLY documented. Oh wait... 🤦

eightnoteight commented 1 year ago

> Of course, it might be better if AWS SSO actually gave a helpful error message like "Invalid identity" or "Unrecognised identity". I'm not sure how documentation can help with "Unexpected error". There is too little context to work with.

I ran into the same issue and was stuck for a long time on "Something went wrong". I wish a helpful message like the above could be given, such as saying that the username doesn't match the IdP email address.

joshbean commented 1 year ago

Closing this issue or pull request in advance of archiving this repo. For more information about the decision to archive this repo (and others in the 'awsdocs' org), see the announcement on the AWS News Blog.