I'm building an IdP on my local machine and I configured the IdP in the AWS IAM settings. Now I'd like to start an IdP-initiated SSO from my local machine and log in to AWS; however, the error always shows on the AWS page:
Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 4a8f6b4a-9896-11e9-8544-e569cf4f1a04). Please try again.
ErrorPage Screenshot
I followed the instructions to create a role like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::490595513456:saml-provider/Para"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
I tried with Okta/OneLogin and they can SAML-access my AWS successfully, and I checked the SAML response/AWS IAM configuration and didn't see many differences from my local IdP. I started my IdP server on the internal network at 192.168.2.237; is it because there is some AWS restriction on local addresses or something? Any help would be appreciated.
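An AccessDenied from AWSSecurityTokenService on AssumeRoleWithSAML usually means something in the assertion does not line up with the role's trust policy: the Audience must equal the SAML:aud condition, and the Role attribute must carry a role ARN paired with the exact saml-provider ARN named as the Federated principal. The following added example (my own code, not from the question or from AWS) pulls those values out of a SAML assertion and compares them with the trust policy above, so you can check a captured response offline before trying the login again; the assertion and the role ARN arn:aws:iam::490595513456:role/ParaAdmin are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Trust policy from the question, reduced to the fields the check depends on.
TRUST_POLICY = {"Statement": [{
    "Principal": {"Federated": "arn:aws:iam::490595513456:saml-provider/Para"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity"],
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
}]}
# Constructed sample assertion (not a real capture); the role ARN is hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::490595513456:role/ParaAdmin,arn:aws:iam::490595513456:saml-provider/Para</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(xml_text):
    """Return (audiences, role_pairs) from a SAML assertion; each pair is a frozenset of two ARNs."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS)]
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for v in attr.iterfind("saml:AttributeValue", NS):
                # AWS accepts "role_arn,provider_arn" in either order, so compare as a set.
                roles.append(frozenset(p.strip() for p in v.text.split(",")))
    return audiences, roles

def check_trust(xml_text, policy, role_arn):
    """List the mismatches between the assertion and the role trust policy; [] means it should pass."""
    audiences, roles = extract_claims(xml_text)
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRoleWithSAML" not in actions:
            problems.append("statement does not allow sts:AssumeRoleWithSAML")
        provider = stmt["Principal"].get("Federated")
        if frozenset({role_arn, provider}) not in roles:
            problems.append(f"Role attribute lacks the pair {role_arn},{provider}")
        want_aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if want_aud and want_aud not in audiences:
            problems.append(f"SAML:aud condition {want_aud!r} not among Audience values {audiences}")
    return problems

if __name__ == "__main__":
    print(check_trust(SAMPLE_ASSERTION, TRUST_POLICY, "arn:aws:iam::490595513456:role/ParaAdmin"))
```

Run it against the base64-decoded SAMLResponse your IdP actually posts; any non-empty result is a concrete difference to fix on the IdP side before looking at network restrictions.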