
I have configured GSuite as the identity provider for our AWS SSO service following the directions in this blog post. When I visit my SSO user portal URL (i.e. https://d-1234567890.awsapps.com/start) I am correctly redirected to accounts.google.com, where I authenticate and get redirected back to AWS SSO. At this point I receive an error from AWS (URL https://us-west-2.signin.aws.amazon.com/platform/saml/acs/SOME-UUID).

The error is:

Invalid MFA credentials
Your MFA credentials were incorrect. Please check your device and try again.

As far as I know you can't configure MFA with external identity providers in AWS SSO.

FWIW, I have tested setting up AWS SSO with AWS SSO as the identity provider and setting MFA and it worked.

cfbarbero

2 Answers

I have successfully integrated AWS SSO with GSuite. I encountered the identical error to you, but fixed it by disabling auto provisioning in AWS. This is because Google doesn't support SCIM for Custom SAML apps at this point in time, which is a shame. Instead, I manually created user accounts that matched the email address of the GSuite user.

rtshilston

This error only comes when the username and primary email address don't match. Your user details in AWS SSO and in GSuite must be the same and set as the username.

For illustration, let's assume your gsuite_email is XYZ@gsuite_domain.com, where XYZ is the username.

When you create a new user in AWS SSO, you must put the same username and primary email as you have in GSuite.

  1. Username: XYZ@gsuite_domain.com
  2. Primary email: XYZ@gsuite_domain.com

Note: You must put the user details and use your user's primary email address (username@gsuite_domain.com) as the username. In addition, if you already have existing users inside AWS SSO, you can't modify the username; the only option is to delete the user and create it again.
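Both answers come down to the same operational check: every AWS SSO user that a GSuite SAML login should map to must have a UserName equal to the primary email GSuite sends as the NameID. The script below is an added example, not code from either answer or from AWS; it audits the identity store for users whose UserName does not equal their primary email (the ones that would produce the misleading "Invalid MFA credentials" page) and builds the request to create a correctly named user by hand, as the first answer did after turning off automatic provisioning. It assumes `boto3` for the two functions that talk to AWS, an identity store ID that you must supply (a placeholder is used), and constructed sample records shaped like the `ListUsers` response; the pure functions run offline.

```python
"""Audit AWS SSO (IAM Identity Center) identity-store users for the
UserName == primary email rule that an external SAML IdP such as GSuite
relies on, and build a create-user request that satisfies it.
Added example, not from the original thread. boto3 is imported lazily so
the pure checking functions run without AWS credentials."""
from typing import Optional

IDENTITY_STORE_ID = "d-PLACEHOLDER"  # placeholder: replace with your own identity store ID

# Constructed sample in the shape of identitystore ListUsers output.
SAMPLE_USERS = [
    {"UserName": "alice@gsuite_domain.com", "UserId": "user-1",
     "Emails": [{"Value": "alice@gsuite_domain.com", "Type": "work", "Primary": True}]},
    {"UserName": "bob", "UserId": "user-2",  # created with a bare username: will not match NameID
     "Emails": [{"Value": "bob@gsuite_domain.com", "Type": "work", "Primary": True}]},
    {"UserName": "carol@gsuite_domain.com", "UserId": "user-3",
     "Emails": []},  # no email at all: cannot be matched either
]


def primary_email(user: dict) -> Optional[str]:
    """Return the primary email of a ListUsers record (first email if none is flagged)."""
    emails = user.get("Emails") or []
    for entry in emails:
        if entry.get("Primary"):
            return entry.get("Value")
    return emails[0].get("Value") if emails else None


def find_mismatches(users: list) -> list:
    """Return (UserName, primary email) pairs whose UserName differs from the
    primary email (case-insensitive) or that have no email; these are the
    users a GSuite SAML assertion cannot be mapped to."""
    bad = []
    for user in users:
        email = primary_email(user)
        if email is None or user["UserName"].lower() != email.lower():
            bad.append((user["UserName"], email))
    return bad


def build_create_user_request(email: str, given: str, family: str,
                              identity_store_id: str = IDENTITY_STORE_ID) -> dict:
    """Keyword arguments for identitystore CreateUser with UserName set to the
    primary email, as both answers require. The value is normalized to lower
    case so it matches the address GSuite presents."""
    email = email.strip().lower()
    if "@" not in email:
        raise ValueError("UserName must be the full primary email address")
    return {
        "IdentityStoreId": identity_store_id,
        "UserName": email,
        "DisplayName": f"{given} {family}",
        "Name": {"GivenName": given, "FamilyName": family},
        "Emails": [{"Value": email, "Type": "work", "Primary": True}],
    }


def list_identity_store_users(identity_store_id: str = IDENTITY_STORE_ID) -> list:
    """Fetch every user record from the identity store (requires AWS credentials)."""
    import boto3  # lazy import so the offline helpers above need no AWS SDK
    client = boto3.client("identitystore")
    users, token = [], None
    while True:
        kwargs = {"IdentityStoreId": identity_store_id}
        if token:
            kwargs["NextToken"] = token
        page = client.list_users(**kwargs)
        users.extend(page["Users"])
        token = page.get("NextToken")
        if not token:
            return users


def create_user(email: str, given: str, family: str) -> str:
    """Create a correctly named user and return its UserId (requires AWS credentials)."""
    import boto3
    client = boto3.client("identitystore")
    return client.create_user(**build_create_user_request(email, given, family))["UserId"]


if __name__ == "__main__":
    # Run the audit on the constructed sample; swap in list_identity_store_users() for a live check.
    for username, email in find_mismatches(SAMPLE_USERS):
        print(f"mismatch: UserName={username!r} primary email={email!r} -> delete and recreate")
```

Because the identity store does not let you rename a user, the remediation for each reported pair is exactly what the second answer says: delete the user and recreate it with `create_user(email, given, family)`, then re-assign its permission sets.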