ken5scal-1156 asked:

SCIM Provisioning Error with AWS SSO

I was following the document below to setup SAML SSO and user/group provisioning from Azure AD.

https://aws.amazon.com/jp/blogs/aws/the-next-evolution-in-aws-single-sign-on/

I managed to set up SAML and group provisioning, but user provisioning returns an error I cannot resolve. It seems the problem is on the AWS side, but to debug more precisely I want to take a look at the "Please see the HTTP response returned by the 'Response' property of this exception for details." output, whose location I do not know. Anyone?

SystemForCrossDomainIdentityManagementBadRequest

The SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Please refer to the Azure Active Directory SCIM provisioning documentation and adapt the SCIM endpoint to be able to process provisioning requests from Azure Active Directory. StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: . This operation was retried 0 times. It will be retried again after this date: 2019-12-11T19:15:39.0460400Z UTC

azure-ad-user-provisioning

amanpreetsingh-msft answered:

@ken5scal-1156 I tried the same steps in my test environment and encountered exactly the same error. As per our documentation, users and groups cannot be provisioned from AAD to AWS.

Note: Provisioning service will only import roles from AWS to Azure AD. This service will not provision users and groups from Azure AD back to AWS.

As you are successfully able to provision groups to AWS, I have reached out to our product team to confirm if there are any recent changes to the service. I will update you once I have the confirmation.


@amanpreetsingh-msft Would it be possible to share the config associated with the provisioning service which reads AWS roles and imports them into the Azure AD servicePrincipal representing the AWS SSO app? I see that I can copy the synchronization template to a new servicePrincipal, but I don't see any logic in the template around how roles are queried and filtered when importing them from AWS. Is there a place in the Graph API where I can view how the SCIM client is configured to query AWS, or am I looking in the wrong place and just missing it in the synchronization template?

Thanks!

MrAzureAD answered:

AWS SSO and SCIM is quite new. The Microsoft docs are not updated yet.

But the SCIM configuration on the AWS side is not documented in the required detail. The user schema for AWS is missing; the only thing I found is that the mail attribute is always required and multi-valued attributes are not supported. That helped to bring errors down on my side.

But I am with you: AAD should give a better error message and the full HTTP dump.


c4iocesar answered:

Hello everyone.

I had the same error in my lab. Got CloudTrail logs and they had the error below:

"errorCode": "ValidationException", "errorMessage": "name: The attribute name is required ",

Checked the user object in AAD; it did not have a first and last name. Added them and the user was exported after the next provisioning run.

Thanks Caio Ribeiro Cesar
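The two failure modes described in this thread (MrAzureAD: the mail attribute is always required and multi-valued attributes are rejected; c4iocesar: AWS returns "name: The attribute name is required" when the Azure AD user has no first and last name) can be caught before the provisioning cycle runs. The following is an added example written for this page, not code from the thread, Microsoft or AWS. It assumes user records in the shape Microsoft Graph returns for /users (givenName, surname, mail, otherMails, userPrincipalName, accountEnabled), builds the SCIM 2.0 User payload Azure AD would send, and reports which users would trip the constraints above. The CloudTrail records at the bottom are constructed; the eventSource and eventName values are assumptions, only errorCode and errorMessage match what the thread shows.

```python
"""Pre-flight check of Azure AD users against the AWS SSO SCIM constraints
reported in this thread, plus a small CloudTrail triage helper.

Added example, not code from the thread, Microsoft or AWS. Assumptions:
- user records look like Microsoft Graph /users output;
- AWS SSO requires name.givenName and name.familyName and exactly one
  email, and rejects multi-valued attributes (as the answers above report).
"""
from typing import Dict, List, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed Azure AD user objects in the shape of Microsoft Graph /users.
AAD_USERS = [
    {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@example.com",
     "givenName": "Alice", "surname": "Example", "mail": "alice@example.com", "accountEnabled": True},
    # No first/last name: the case c4iocesar hit ("name: The attribute name is required").
    {"id": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "svc-backup@example.com",
     "givenName": None, "surname": None, "mail": "svc-backup@example.com", "accountEnabled": True},
    # No mail attribute: MrAzureAD's "mail attribute is always required".
    {"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "bob@example.com",
     "givenName": "Bob", "surname": "Builder", "mail": None, "accountEnabled": True},
    # Several addresses mapped to emails: a multi-valued attribute AWS rejects.
    {"id": "44444444-4444-4444-4444-444444444444", "userPrincipalName": "carol@example.com",
     "givenName": "Carol", "surname": "Danvers", "mail": "carol@example.com",
     "otherMails": ["carol.d@example.org"], "accountEnabled": True},
]


def build_scim_user(user: Dict) -> Tuple[Dict, List[str]]:
    """Return (SCIM User payload, list of problems AWS SSO would reject it for)."""
    problems: List[str] = []
    given, family = user.get("givenName"), user.get("surname")
    if not given or not family:
        problems.append("name: givenName and familyName are required")

    # Every address the attribute mapping would emit into the SCIM 'emails' list.
    emails = [m for m in [user.get("mail"), *user.get("otherMails", [])] if m]
    if not emails:
        problems.append("emails: at least one email address is required")
    elif len(emails) > 1:
        problems.append(f"emails: {len(emails)} values, but multi-valued attributes are not accepted")

    payload = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": user["id"],
        "userName": user["userPrincipalName"],
        "name": {"givenName": given, "familyName": family},
        # Send at most one email so a clean user never produces a multi-valued attribute.
        "emails": [{"value": e, "type": "work", "primary": True} for e in emails[:1]],
        "active": bool(user.get("accountEnabled", False)),
    }
    return payload, problems


def preflight(users: List[Dict]) -> Dict[str, List[str]]:
    """Map userPrincipalName -> problems; an empty list means the user should provision."""
    return {u["userPrincipalName"]: build_scim_user(u)[1] for u in users}


# Constructed CloudTrail records; eventSource/eventName are assumed, the error
# fields mirror the ValidationException c4iocesar quoted.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2019-12-11T19:10:02Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "alice@example.com"}},
    {"eventTime": "2019-12-11T19:10:03Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "svc-backup@example.com"},
     "errorCode": "ValidationException", "errorMessage": "name: The attribute name is required "},
]


def failed_scim_events(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Pull (userName, errorCode, errorMessage) out of records that carry an error."""
    return [
        (r.get("requestParameters", {}).get("userName", "?"), r["errorCode"], r["errorMessage"].strip())
        for r in records if "errorCode" in r
    ]


if __name__ == "__main__":
    for upn, issues in preflight(AAD_USERS).items():
        print(f"{upn}: {'OK' if not issues else '; '.join(issues)}")
    for user_name, code, msg in failed_scim_events(CLOUDTRAIL_RECORDS):
        print(f"CloudTrail: {user_name} -> {code}: {msg}")
```

Run the pre-flight against a Graph export of the users in scope for the AWS SSO enterprise app; anyone listed with a problem will surface in Azure AD only as the opaque SystemForCrossDomainIdentityManagementBadRequest above, while the CloudTrail error fields give the attribute that was actually rejected.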
