SCIM Provisioning Error with AWS SSO

ken5scal 1 Reputation point
2019-12-12T00:05:17.76+00:00

I was following the document below to setup SAML SSO and user/group provisioning from Azure AD.

https://aws.amazon.com/jp/blogs/aws/the-next-evolution-in-aws-single-sign-on/

I managed to set up SAML and group provisioning, but user provisioning returns an error I cannot resolve. It seems the problem is on the AWS side, but to debug more precisely I want to look at the "HTTP response returned by the 'Response' property of this exception" mentioned below, and I do not know where to find it. Anyone?

SystemForCrossDomainIdentityManagementBadRequest
The SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Please refer to the Azure Active Directory SCIM provisioning documentation and adapt the SCIM endpoint to be able to process provisioning requests from Azure Active Directory. StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: . This operation was retried 0 times. It will be retried again after this date: 2019-12-11T19:15:39.0460400Z UTC


3 answers

  1. Caio César 6 Reputation points
    2019-12-16T19:07:44.893+00:00

    Hello everyone.

    I had the same error in my lab. Got CloudTrail logs and they had the error below:

    "errorCode": "ValidationException",
    "errorMessage": "name: The attribute name is required ",

    Checked the user object in AAD; it did not have a first and last name. Added them and the user was exported after the next provisioning cycle.

    Thanks
    Caio Ribeiro Cesar

    1 person found this answer helpful.

  2. AmanpreetSingh-MSFT 56,301 Reputation points
    2019-12-12T09:51:52.277+00:00

    @ken5scal I tried the same steps in my test environment and encountered exactly the same error. As per our documentation, users and groups cannot be provisioned from AAD to AWS.

    Note

    Provisioning service will only import roles from AWS to Azure AD. This service will not provision users and groups from Azure AD back to AWS.

    As you are successfully able to provision groups to AWS, I have reached out to our product team to confirm if there are any recent changes to the service. I will update you once I have the confirmation.


  3. MrAzureAD 81 Reputation points
    2019-12-15T10:25:56.29+00:00

    AWS SSO and SCIM is quite new. The Microsoft Learn docs are not updated yet.

    But the SCIM configuration on the AWS side is not documented in the required detail. The user schema for AWS is missing; the only thing I found is that the mail attribute is always required and multi-valued attributes are not supported.
    That helped bring the errors down on my side.

    But I am with you: AAD should give a better error message and the full HTTP dump.

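As an added example (not code from this thread, from AWS or from Microsoft), the script below encodes the two observations made in the answers above: the CloudTrail `ValidationException` on a user object with no name, and the note that an e-mail address is required while multi-valued attributes are not accepted. Those rules are taken from the answers, not from a published AWS SSO SCIM schema, so treat them as assumptions; the SCIM payloads and CloudTrail records, including the `eventName`, are constructed for the demo.

```python
"""Pre-flight checks for the SCIM user provisioning failure discussed above.

validate_scim_user() flags attributes the AWS SSO SCIM endpoint rejected in
this thread; cloudtrail_errors() pulls errorCode/errorMessage out of CloudTrail
records, which is where the real error text surfaces (Azure AD's own error
shows an empty "Web Response").  Added example, rules taken from the thread.
"""
import json
from typing import Dict, List

# Assumed constraints, as reported in the answers (not an official schema):
#  - name.givenName and name.familyName are required
#    (CloudTrail: "name: The attribute name is required")
#  - at least one e-mail value is required
#  - multi-valued attributes are not supported, so at most one entry each
MULTI_VALUED_ATTRIBUTES = ("emails", "phoneNumbers", "addresses")


def validate_scim_user(user: Dict) -> List[str]:
    """Return a list of problems; an empty list means the payload passes."""
    problems: List[str] = []
    if not user.get("userName"):
        problems.append("userName: required")
    name = user.get("name") or {}
    for part in ("givenName", "familyName"):
        if not name.get(part):
            problems.append(f"name.{part}: required")
    emails = user.get("emails") or []
    if not any(e.get("value") for e in emails):
        problems.append("emails: at least one value required")
    for attr in MULTI_VALUED_ATTRIBUTES:
        values = user.get(attr) or []
        if len(values) > 1:
            problems.append(f"{attr}: {len(values)} values, endpoint accepts only one")
    return problems


def cloudtrail_errors(records: List[Dict]) -> List[Dict]:
    """Keep only records that carry an errorCode, with the fields worth reading."""
    return [
        {
            "eventTime": r.get("eventTime"),
            "eventName": r.get("eventName"),
            "errorCode": r["errorCode"],
            "errorMessage": (r.get("errorMessage") or "").strip(),
        }
        for r in records
        if r.get("errorCode")
    ]


# Constructed sample payloads (hypothetical users, not from the thread).
AAD_USER_NO_NAME = {  # what Azure AD sends for a user with no first/last name
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "active": True,
    "emails": [{"primary": True, "type": "work", "value": "alice@example.com"}],
}
AAD_USER_FIXED = dict(AAD_USER_NO_NAME, name={"givenName": "Alice", "familyName": "Example"})
AAD_USER_TWO_EMAILS = dict(
    AAD_USER_FIXED,
    emails=AAD_USER_FIXED["emails"] + [{"type": "home", "value": "alice@home.example"}],
)

# Constructed CloudTrail records; eventName is hypothetical, the error fields
# mirror the ones quoted in the thread.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2019-12-11T19:10:01Z", "eventName": "CreateUser"},
    {
        "eventTime": "2019-12-11T19:15:39Z",
        "eventName": "CreateUser",
        "errorCode": "ValidationException",
        "errorMessage": "name: The attribute name is required ",
    },
]

if __name__ == "__main__":
    for label, payload in (("no name", AAD_USER_NO_NAME), ("fixed", AAD_USER_FIXED),
                           ("two emails", AAD_USER_TWO_EMAILS)):
        print(f"{label}: {validate_scim_user(payload) or 'ok'}")
    print(json.dumps(cloudtrail_errors(CLOUDTRAIL_RECORDS), indent=2))
```

To use the CloudTrail half against real data, feed it the `Records` array from a CloudTrail log file (or the hits of a CloudTrail Lake / Athena query filtered on `errorCode`); the payload checker runs over whatever Azure AD's provisioning log shows as the outbound request body.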