
URL: https://repost.aws/knowledge-center/quicksight-resolve-authentication-error

Resolve Amazon QuickSight authentication error messages | AWS re:Post



How do I resolve authentication error messages in Amazon Quick?


When I try to sign in to Amazon Quick or set up single sign-on (SSO) for Amazon Quick, I receive an authentication error message.

Resolution

Make sure that you created a SAML 2.0 identity provider in IAM (console)

If you sign in to Amazon Quick and you incorrectly configured your identity provider (IdP) application, then you might receive the following error message:

"Your request included an invalid SAML response. To logout, click here."

To resolve this error, see the Creating a SAML provider in AWS section in Federate Amazon QuickSight access with Okta. Then, update the trust policy of the Amazon Identity and Access Management (IAM) role to reference the new identity provider Amazon Resource Name (ARN).

Make sure that you include a correct SAML:aud condition in the IAM role trust policy

If you sign in through your IdP and the SAML:aud condition in your IAM role's trust policy doesn't match the audience value that your IdP sends in the SAML response, then you might get the following error message:

"Not authorized to perform sts:AssumeRoleWithSAML
(Service: AWSSecurityTokenV20111201; Status Code: 403;
Error Code: AccessDenied; Request ID: example-id; Proxy: null)."

To resolve this error, select the IAM role that you use for SAML authentication to Amazon Quick, and then update the role trust policy. Make sure that the SAML:aud condition value matches the audience URI that your IdP application uses.

To authenticate to Amazon Quick, set the SAML:aud value to https://signin.aws.amazon.com/saml. If you configure your IdP for an AWS regional endpoint, then set the SAML:aud value to https://aa-example-1.signin.aws.amazon.com/saml.

Example trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/idp-name"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://aa-example-1.signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Note: Replace 111122223333 with your AWS account ID, idp-name with the name of your IAM SAML identity provider, and aa-example-1 with your Region.

Make sure that you include the required SAML attribute mappings in your IdP application

If you sign in through your IdP and you receive an "invalid SAML response" error message, then your IdP application doesn't send the SAML attributes that AWS requires to assume the federation role.

To resolve this error, see Federate Amazon QuickSight access with open-source identity provider Keycloak to add attributes to your IdP application.

If you use Amazon Quick Enterprise for federated users, then add the PrincipalTag:Email attribute to turn on email syncing.

Important: The RoleSessionName value must match the regular expression [a-zA-Z_0-9+=,.@-]{2,64}. If your IdP sends the userPrincipalName attribute as the RoleSessionName and the value contains the # character, then change the IdP attribute mapping to use a different attribute.
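The following script is an added example (not code from the article or from AWS) that checks the attributes an IdP puts in its SAML assertion against the requirements this section and the previous one describe: the Role attribute must carry a "role ARN,provider ARN" pair, RoleSessionName must match the regular expression given above, and, for Amazon Quick Enterprise email syncing, PrincipalTag:Email must be present. The assertion is a constructed, unsigned fragment with placeholder ARNs and a user principal name that contains the # character; the attribute names are the standard AWS SAML attribute names.

```python
"""Validate the AWS-required attributes in a SAML assertion.  Added example;
the assertion fragment is constructed (no real IdP, account, or user)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_EMAIL_TAG = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"

# Pattern the article gives for RoleSessionName.
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,64}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed assertion: the IdP maps a userPrincipalName containing '#'
# to RoleSessionName, which is the failure mode the article describes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ATTR_ROLE}">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/QuickFederation,arn:aws:iam::111122223333:saml-provider/idp-name</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ATTR_SESSION_NAME}">
      <saml:AttributeValue>jane.doe#guest@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ATTR_EMAIL_TAG}">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_aws_attributes(attrs, require_email_tag=False):
    """Return a list of problems; an empty list means the attributes are usable."""
    problems = []
    roles = attrs.get(ATTR_ROLE, [])
    if not roles:
        problems.append(f"missing {ATTR_ROLE}")
    for pair in roles:
        parts = [p.strip() for p in pair.split(",")]
        if (len(parts) != 2 or not ROLE_ARN_RE.match(parts[0])
                or not PROVIDER_ARN_RE.match(parts[1])):
            problems.append(f"Role value is not 'role-arn,provider-arn': {pair}")
    names = attrs.get(ATTR_SESSION_NAME, [])
    if len(names) != 1:
        problems.append(f"expected exactly one {ATTR_SESSION_NAME}, got {len(names)}")
    elif not SESSION_NAME_RE.match(names[0]):
        problems.append(f"RoleSessionName {names[0]!r} violates [a-zA-Z_0-9+=,.@-]{{2,64}}")
    if require_email_tag:
        emails = attrs.get(ATTR_EMAIL_TAG, [])
        if not emails or "@" not in emails[0]:
            problems.append(f"missing or malformed {ATTR_EMAIL_TAG}")
    return problems


def usable_session_name_candidates(attrs):
    """Values in the assertion that would be valid as RoleSessionName; useful
    when choosing a different IdP attribute to map, as the article advises."""
    return sorted(v for vals in attrs.values() for v in vals if SESSION_NAME_RE.match(v))


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_ASSERTION)
    for problem in check_aws_attributes(attrs, require_email_tag=True):
        print("problem:", problem)
    print("valid RoleSessionName candidates:", usable_session_name_candidates(attrs))
```

On the constructed assertion the only problem reported is the RoleSessionName, and the candidate list shows that the email value already sent by the IdP would satisfy the pattern, which is the "use a different attribute" fix the article describes. For a real assertion, capture it from the browser's SAML trace and run it through `saml_attributes` before you touch the trust policy.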

For more information about IdP-specific configuration, see the following AWS resources:

Resolve a session error message

If you frequently switch AWS accounts in the same browser session, then you might receive the following error message:

"There seems to be a problem with your session. Please try again in a few minutes or login again. If the problem persists try clearing your browser cookies."

To resolve the error, take the following actions:

  • Clear your browser's cache and cookies for the aws.amazon.com domain, and then close and reopen the browser.
  • Sign in to Amazon Quick from a private browsing window.
  • Use a different web browser.
  • In the AWS Management Console, temporarily switch to a different Region, and then switch back to your local Region.
  • Confirm that you deactivated browser extensions, ad blockers, or privacy tools that block third-party cookies for the aws.amazon.com and quicksight.aws.amazon.com domains.

Make sure that you correctly signed in on the Amazon Quick sign-in page

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

If you experience errors when you sign in to Amazon Quick, then check that you used the correct account name. Your account name and the username are different, and both values are case sensitive.

To find the account name, contact your Amazon Quick account administrator. If you have access to the AWS CLI with IAM credentials for the AWS account that has Amazon Quick, then run the following describe-account-subscription AWS CLI command to find the account name:

aws quicksight describe-account-subscription \
 --aws-account-id 111122223333 \
 --query 'AccountInfo.AccountName' \
 --output text

Note: The IAM principal that you use to run the command must have the quicksight:DescribeAccountSubscription permission. Replace 111122223333 with your 12-digit account ID.

To sign into your account, see Signing in to Amazon Quick.

If you still experience errors, then ask your administrator to verify that your user is active in Amazon Quick or to reset your password.

Make sure that you turn off IP address restrictions on your Amazon Quick account

If you turned on IP address restrictions, and the allowlist doesn't include your current IP address or virtual private cloud (VPC) endpoint, then you might get an "Access Denied" error. You might also get a network restriction message and then can't sign in to Amazon Quick.

An administrator with AWS CLI access to the AWS account must temporarily turn off the IP address restriction. To restore access, complete the following steps:

  1. Sign in to the AWS Management Console as an administrator.
    Note: The Amazon Quick IP address restriction doesn't affect the console, and you can sign in from any network.
  2. Open the AWS CloudShell console, or use a workstation on which you installed and configured the AWS CLI.
  3. To turn off the IP address restriction, run the following update-ip-restriction AWS CLI command:
    aws quicksight update-ip-restriction \
     --aws-account-id 111122223333 \
     --no-enabled
    Note: Replace 111122223333 with your account ID.
  4. Sign in to Amazon Quick.
  5. Choose the user name menu, and then choose Manage account.
  6. Choose Manage IP/VPC restrictions.
  7. Update the IP address restriction allowlist to include your required IP CIDR ranges or VPC endpoint IDs.
  8. To turn on the IP address restriction, run the following update-ip-restriction AWS CLI command:
    aws quicksight update-ip-restriction \
     --aws-account-id 111122223333 \
     --enabled
    Note: Replace 111122223333 with your account ID.
  9. After you turn on the IP address restriction, verify that the allowlist includes the public IP address ranges that your users sign in from.
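Step 9 is easy to get wrong, because the console does not tell you which users will be locked out until the restriction is back on. The following script (an added example, not code from the article or from AWS) takes the allowlist in the same CIDR-to-description shape that the `--ip-restriction-rule-map` parameter of `aws quicksight update-ip-restriction` accepts, plus a list of public addresses users have signed in from, and reports which addresses the restriction would block. The rule map and client addresses are constructed sample values.

```python
"""Check which observed client addresses an Amazon Quick IP allowlist covers
before re-enabling the restriction.  Added example; the allowlist and the
client addresses are constructed, not real values."""
import ipaddress

# Constructed allowlist in the CIDR -> description shape used by
# `aws quicksight update-ip-restriction --ip-restriction-rule-map`.
IP_RULE_MAP = {
    "203.0.113.0/24": "corporate office egress",
    "198.51.100.10/32": "VPN concentrator",
}

# Constructed sample of public source addresses taken from sign-in activity.
OBSERVED_CLIENT_IPS = ["203.0.113.57", "198.51.100.10", "192.0.2.44"]


def parse_rule_map(rule_map):
    """Turn the CIDR keys into network objects.  Strict parsing rejects an
    entry with host bits set (for example 203.0.113.5/24) with ValueError,
    so a malformed allowlist is caught before any API call."""
    return [(ipaddress.ip_network(cidr), desc) for cidr, desc in rule_map.items()]


def matching_rule(ip, networks):
    """Return (cidr, description) of the first rule that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, description in networks:
        if addr.version == net.version and addr in net:
            return (str(net), description)
    return None


def uncovered_addresses(rule_map, client_ips):
    """Addresses that would be denied once the restriction is enabled."""
    networks = parse_rule_map(rule_map)
    return [ip for ip in client_ips if matching_rule(ip, networks) is None]


def safe_to_enable(rule_map, client_ips):
    """True only when every observed client address is allowlisted."""
    return not uncovered_addresses(rule_map, client_ips)


if __name__ == "__main__":
    networks = parse_rule_map(IP_RULE_MAP)
    for ip in OBSERVED_CLIENT_IPS:
        print(ip, "->", matching_rule(ip, networks))
    print("uncovered:", uncovered_addresses(IP_RULE_MAP, OBSERVED_CLIENT_IPS))
    print("safe to enable:", safe_to_enable(IP_RULE_MAP, OBSERVED_CLIENT_IPS))
```

With the sample data, 192.0.2.44 is reported as uncovered, so the allowlist needs another entry (or that user is on an unexpected network) before you run step 8. Feed the script the real rule map and the addresses from your own sign-in records; VPC endpoint restrictions are a separate map and are not checked here.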

Resolve AWS Directory Service AD Connector connectivity or authentication issues

Users who sign in through Active Directory by using AWS Directory Service AD Connector might experience connectivity or authentication issues.

To resolve the issue, see Troubleshooting AD Connector.

Make sure that your Amazon Quick users log in to the AWS access portal

If you configured SSO as an identity-provider-initiated flow, then users who authenticate through your IdP or IAM Identity Center are redirected to the AWS access portal instead of directly to Amazon Quick.

To configure direct access to Amazon Quick, complete the following steps:

  1. In your IdP application, set the relay state or default sign-in URL to https://quicksight.aws.amazon.com.
  2. In IAM Identity Center, open the Amazon Quick application configuration.
  3. Make sure that you set the application access URL to the regional Amazon Quick URL.
  4. Provide users with the Amazon Quick URL.
  5. For dashboards, use the dashboard URL that includes the dashboard ID.
    Note: If you use AWS Directory Service AD Connector with IAM Identity Center, then direct service-provider-initiated SSO might not be supported. To turn on direct access to Amazon Quick, configure a SAML 2.0 compliant external IdP, such as Okta or Microsoft Entra ID, with IAM Identity Center.

Related information

How do I resolve login issues with Quick Suite?
