Troubleshooting Amazon Q Business and identity provider integration - Amazon Q Business

Troubleshooting Amazon Q Business and identity provider integration

Important

Starting April 30, 2024, all new applications will need to use IAM Identity Center directly to manage user access. No new applications can be created using the legacy identity management flow. All existing Amazon Q Business applications using legacy identity management will need to migrate to using IAM Identity Center for user management by July 29, 2024. We recommend you integrate any new application you're creating directly with IAM Identity Center.

This topic helps you troubleshoot issues with opening an Amazon Q Business application after you have integrated Amazon Q Business with an identity provider.

If you encounter an HTTP status code 403 (Forbidden) error when you open your Amazon Q Business application, it means that the user is unable to access the application. The following are common causes.

Note

If you're trying to configure end user access to an Amazon Q Business application through your IdP's application portal instead of a deployed Amazon Q Business web experience URL, specify the deployed web experience URL as the application start URL in your IdP application settings.

Attribute mappings not set to unspecified

Check the attribute mappings in your identity provider's console. Make sure that the subject attributes and email attributes are set to the unspecified format.

For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:

Email attribute mismatch

You may also get errors because of email attribute name mismatches. Check that the name you entered in the Amazon Q Business console for Email attribute matches the name that you specified in your identity provider attribute mappings page.

For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:

User might not have been assigned to the application

Verify that the user you used to sign in with has access to the web experience. Check the Assignments section on your identity provider application page, and confirm that the user is listed and assigned to the web experience.

For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:

User's email address is not defined or not mapped correctly

Verify that the user you used to sign in with has a value defined for their email address. Verify that this value is correctly mapped to the email attribute mapping that you configured.

For reference, go back to the instructions you followed for integrating Amazon Q Business with your identity provider:

Inadequate IAM role permissions

The IAM role used for deploying the Amazon Q Business web experience might not have the right permissions and trust boundary specified in the policy.

Verify that the IAM role that you've used for granting permissions to the user to access the application has the right service principal listed in the policy.

For reference, see step 8 in the Steps for deploying your Amazon Q Business web experience. If you have created your own IAM role, make sure that its permissions policy allows Amazon Q Business to call the relevant Amazon Q Business API operations. You must also provide a trust policy that allows Amazon Q Business to assume the role. See IAM role for an Amazon Q Business web experience for more information on the policies that you must provide.
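The following script is an added example, not code from the Amazon Q Business documentation. It checks a web experience role's trust policy and permissions policy for the two problems described above: a trust policy that does not let the Amazon Q Business service principal assume the role (or lacks the aws:SourceAccount / aws:SourceArn conditions that scope the trust to your application), and a permissions policy that omits API actions the web experience needs. The service principal `application.qbusiness.amazonaws.com` and the `REQUIRED_ACTIONS` list are assumptions for this example; compare them with the policies on the IAM role for an Amazon Q Business web experience page before relying on them. The policy documents, account ID and application ARN are constructed sample values.

```python
import json
from fnmatch import fnmatch

# Service principal Amazon Q Business uses to assume the web experience role.
# Assumption for this example; confirm against the documented trust policy.
EXPECTED_SERVICE_PRINCIPAL = "application.qbusiness.amazonaws.com"

# API actions the web experience calls on the user's behalf. Assumption for
# this example, not the authoritative list; compare with the documented policy.
REQUIRED_ACTIONS = {
    "qbusiness:ChatSync",
    "qbusiness:ListMessages",
    "qbusiness:ListConversations",
    "qbusiness:DeleteConversation",
    "qbusiness:PutFeedback",
}

# Constructed sample values (placeholders, not a real account or application).
ACCOUNT_ID = "111122223333"
APP_ARN = "arn:aws:qbusiness:us-east-1:111122223333:application/EXAMPLE-APP-ID"

# Constructed trust policy that scopes the trust to one account and application.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": EXPECTED_SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
            "ArnLike": {"aws:SourceArn": APP_ARN},
        },
    }],
}

# Constructed trust policy with a wrong service principal and no conditions.
TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "qbusiness.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed permissions policies: complete, and missing one action.
PERMISSIONS_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": APP_ARN}],
}
PERMISSIONS_MISSING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS - {"qbusiness:PutFeedback"}),
        "Resource": APP_ARN,
    }],
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, account_id, application_arn):
    """Return findings for the trust policy; an empty list means it looks right."""
    findings = []
    assumable = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if EXPECTED_SERVICE_PRINCIPAL not in services:
            findings.append(f"sts:AssumeRole is not granted to {EXPECTED_SERVICE_PRINCIPAL} (found {services})")
            continue
        assumable = True
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append("trust statement lacks aws:SourceAccount condition for this account")
        src_arn = cond.get("ArnLike", {}).get("aws:SourceArn") or cond.get("ArnEquals", {}).get("aws:SourceArn")
        if src_arn != application_arn:
            findings.append("trust statement lacks aws:SourceArn condition for this application")
    if not assumable:
        findings.insert(0, "no Allow statement lets Amazon Q Business assume this role")
    return findings


def check_permissions_policy(policy):
    """Return the required actions that no Allow statement grants (wildcards honoured)."""
    allowed = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action")))
    return [a for a in sorted(REQUIRED_ACTIONS) if not any(fnmatch(a, pat) for pat in allowed)]


if __name__ == "__main__":
    for name, policy in (("ok", TRUST_POLICY_OK), ("bad", TRUST_POLICY_BAD)):
        print(f"trust policy {name}:", json.dumps(check_trust_policy(policy, ACCOUNT_ID, APP_ARN)))
    for name, policy in (("ok", PERMISSIONS_OK), ("missing", PERMISSIONS_MISSING)):
        print(f"permissions policy {name}: missing", json.dumps(check_permissions_policy(policy)))
```

To check a real role, fetch its trust policy and inline policy documents (for example with the AWS CLI's `aws iam get-role` and `aws iam get-role-policy`) and pass the parsed JSON to the two functions with your own account ID and application ARN.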