Troubleshooting Amazon Q Business and identity provider integration
Important
Starting April 30, 2024, all new applications will need to use IAM Identity Center directly to manage user access. No new applications can be created using the legacy identity management flow. All existing Amazon Q Business applications using legacy identity management will need to migrate to using IAM Identity Center for user management by July 29, 2024. We recommend you integrate any new application you're creating directly with IAM Identity Center.
This topic helps you troubleshoot issues with opening an Amazon Q Business application after you have integrated Amazon Q Business with an identity provider.
If you encounter an HTTP status code 403 (Forbidden) error when you open your Amazon Q Business application, it means that the user is unable to access the application. The following are common causes.
Note
If you're trying to configure end user access to an Amazon Q Business application through your IdP's application portal instead of a deployed Amazon Q Business web experience URL, specify the deployed web experience URL as the application start URL in your IdP application settings.
Attribute mappings not set to unspecified
Check the attribute mappings in your identity provider's console. Make sure that the subject attributes and email attributes are set to the unspecified format.
For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:
- For IAM Identity Center, see steps 17 and 18 in the Setting up Amazon Q Business with IAM Identity Center as identity provider
- For Entra ID, see steps 18 and 19 in the Setting up Amazon Q Business with Microsoft Entra ID as identity provider
- For Okta, see step 9 in the Setting up Amazon Q Business with Okta as identity provider
- For PingIdentity, see steps 12, 13, and 14 in the Setting up Amazon Q Business with PingIdentity as identity provider
Email attribute mismatch
You may also get errors because of email attribute name mismatches. Check that the name you entered in the Amazon Q Business console for Email attribute matches the name that you specified in your identity provider attribute mappings page.
For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:
- For IAM Identity Center, see steps 18.b and 22 in the Setting up Amazon Q Business with IAM Identity Center as identity provider
- For Entra ID, see steps 19 and 26 in the Setting up Amazon Q Business with Microsoft Entra ID as identity provider
- For Okta, see steps 9.a and 17 in the Setting up Amazon Q Business with Okta as identity provider
- For PingIdentity, see steps 14.d and 18 in the Setting up Amazon Q Business with PingIdentity as identity provider
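The two checks above (subject NameID format set to unspecified, and the email attribute name matching what was entered in the Amazon Q Business console) can be verified against the SAML assertion your IdP actually sends. The script below is an added example, not AWS code; it parses a constructed sample assertion and reports both mismatches. The attribute name "email" stands in for whatever you entered in the console.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
UNSPECIFIED_ATTRNAME = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample assertion (not a real capture). It deliberately shows the
# two problems the page describes: NameID uses the emailAddress format instead
# of unspecified, and the email attribute is named "mail", not "email".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, email_attribute_name):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # Check 1: the subject NameID must use the unspecified format.
    # An absent Format attribute means unspecified per the SAML spec.
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        findings.append("assertion has no Subject/NameID")
    elif name_id.get("Format") not in (None, UNSPECIFIED_NAMEID):
        findings.append(f"NameID format is {name_id.get('Format')!r}, expected unspecified")

    # Check 2: an attribute with exactly the console-configured name must exist,
    # use the unspecified name format, and carry a value.
    attrs = {a.get("Name"): a for a in root.findall(".//saml:Attribute", SAML_NS)}
    email = attrs.get(email_attribute_name)
    if email is None:
        findings.append(f"no attribute named {email_attribute_name!r}; IdP sent {sorted(attrs)}")
    else:
        if email.get("NameFormat") not in (None, UNSPECIFIED_ATTRNAME):
            findings.append(f"email attribute name format is {email.get('NameFormat')!r}, expected unspecified")
        values = [v.text for v in email.findall("saml:AttributeValue", SAML_NS) if v.text]
        if not values:
            findings.append("email attribute is present but has no value")
    return findings


if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, "email") or ["assertion looks correct"]:
        print(finding)
```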
User might not have been assigned to the application
Verify that the user you used to sign in with has access to the web experience. Check the Assignments section on your identity provider application page, and confirm that the user is listed and assigned to the web experience.
For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:
- For IAM Identity Center, see step 14 in the Setting up Amazon Q Business with IAM Identity Center as identity provider
- For Entra ID, see steps 21, 22, and 23 in the Setting up Amazon Q Business with Microsoft Entra ID as identity provider
- For Okta, see steps 10 and 11 in the Setting up Amazon Q Business with Okta as identity provider
- For PingIdentity, see step 16 in the Setting up Amazon Q Business with PingIdentity as identity provider
User's email address is not defined or not mapped correctly
Verify that the user you used to sign in with has a value defined for their email address. Verify that this value is correctly mapped to the email attribute mapping that you configured.
For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:
- For IAM Identity Center, see step 14 in the Setting up Amazon Q Business with IAM Identity Center as identity provider
- For Entra ID, see step 23 in the Setting up Amazon Q Business with Microsoft Entra ID as identity provider
- For Okta, see step 11 in the Setting up Amazon Q Business with Okta as identity provider
- For PingIdentity, see step 16 in the Setting up Amazon Q Business with PingIdentity as identity provider
Inadequate IAM role permissions
The IAM role used for deploying the Amazon Q Business web experience might not have the right permissions and trust boundary specified in the policy.
Verify that the IAM role that you've used for granting permissions to the user to access the application has the right service principal listed in the policy.
For reference, see step 8 in the Steps for deploying your Amazon Q Business web experience. If you have created your own IAM role, make sure that its permissions policy grants Amazon Q Business access to the relevant Amazon Q Business API operations. You must also provide a trust policy that allows Amazon Q Business to assume the role. See IAM role for an Amazon Q Business web experience for more information on the policies that you must provide.
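A quick way to confirm the trust-policy half of this check is to inspect the role's trust document for an Allow statement that lets the Amazon Q Business service principal call sts:AssumeRole. The script below is an added example, not AWS code. It assumes the service principal is application.qbusiness.amazonaws.com (confirm this against the IAM role page linked above), uses a constructed trust policy with placeholder account and application values, and additionally flags a trust statement that lacks an aws:SourceAccount or aws:SourceArn condition, since that condition is what scopes the trust to your own application.

```python
import json

# Assumption: the service principal the web experience role must trust.
# Verify against the "IAM role for an Amazon Q Business web experience" page.
QBUSINESS_PRINCIPAL = "application.qbusiness.amazonaws.com"

# Constructed sample trust policy (placeholder account ID and application ID).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "application.qbusiness.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/APPLICATION-ID-PLACEHOLDER"},
        },
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, principal=QBUSINESS_PRINCIPAL):
    """Return findings explaining why Amazon Q Business could not assume the role."""
    findings = []
    policy = json.loads(policy_json)
    matching = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal_block = stmt.get("Principal", {})
        # A bare "*" or AWS-account principal is not a service trust; skip it.
        if not isinstance(principal_block, dict):
            continue
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if principal in _as_list(principal_block.get("Service", [])):
            matching.append(stmt)
    if not matching:
        findings.append(f"no Allow statement lets {principal} call sts:AssumeRole")
        return findings
    for stmt in matching:
        # Condition keys are case-insensitive in IAM; compare lower-cased.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append("trust statement has no aws:SourceArn/aws:SourceAccount condition; trust is not scoped to your application")
    return findings


if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY) or ["trust policy looks correct"])
```

To check a live role, feed `aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument` output (as JSON text) into `check_trust_policy`.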