Issue with the auto-provisioning from Google Workspace (IDP) to AWS


Hello,

I've been able to configure AWS SSO with Google Workspace as its identity provider using this guide - https://aws.amazon.com/fr/blogs/security/how-to-use-g-suite-as-external-identity-provider-aws-sso/ and then I was also able to configure the auto-provisioning using this guide: https://support.google.com/a/answer/13047358?hl=en&sjid=771444752923218931-EU

Some users were added to a new group in Google Workspace and we see the "Create User" events in cloudtrail. These users are properly created on the AWS Identity Center side except for 2 of them. I don't understand what's happening because everything was created as described in the guides.

The error returned for these 2 users is:

StatusCode: 400 : Bad Request : { schema :[ urn:ietf:params:scim:api:messages:2.0:Error ]  schemas :[ urn:ietf:params:scim:api:messages:2.0:Error ]  detail : Request is unparsable  syntactically incorrect  or violates schema.   status : 400   exceptionRequestId : e2bda560-b936-41c8-b4c7-b5844c7cc752   timeStamp : 2023-10-04 07:42:28.399 }

So we checked the attributes of all users and they are similar. There are two attributes per user:

Google directory attribute -> Amazon Web Services attribute

Basic Information > Primary Email -> https://aws.amazon.com/SAML/Attributes/RoleSessionName

Amazon > Role* -> https://aws.amazon.com/SAML/Attributes/Role

And the custom Amazon one is defined as in the guide:

Name: Role
Info type: Text
Visibility: Visible to user and admin
No. of values: Multi-value

Does anyone have an idea?

Thanks in advance!
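A 400 "unparsable, syntactically incorrect, or violates schema" from a SCIM endpoint usually means the User document built from the directory record did not satisfy the schema the service provider expects. The script below is an added example, not part of the original question and not Google's or AWS's code: it runs a pre-flight check over SCIM 2.0 User payloads of the kind an IdP sends on "Create User", so that a directory record likely to be rejected can be spotted before provisioning is retried. The required-attribute list is an assumption (RFC 7643 itself only requires userName; IAM Identity Center additionally documents givenName, familyName and displayName as required), and the sample payloads are constructed.

```python
"""Pre-flight validation of SCIM 2.0 User payloads (added example; required-attribute
list is an assumption based on RFC 7643 and IAM Identity Center's documented
requirements, adjust to your tenant)."""
import json
import re
from typing import List

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Assumed required attributes: RFC 7643 requires only userName; IAM Identity Center
# is documented as also requiring name.givenName, name.familyName and displayName.
REQUIRED_TOP_LEVEL = ["userName", "displayName"]
REQUIRED_NAME_PARTS = ["givenName", "familyName"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_scim_user(raw: str) -> List[str]:
    """Return a list of problems found in a SCIM User JSON document; an empty list means
    the payload passed every check here."""
    problems: List[str] = []
    try:
        user = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"unparsable JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(user, dict):
        return ["top-level value is not a JSON object"]

    schemas = user.get("schemas")
    if not isinstance(schemas, list) or SCIM_USER_SCHEMA not in schemas:
        problems.append(f"'schemas' must be a list containing {SCIM_USER_SCHEMA}")

    # Required simple attributes must be present and non-blank (a whitespace-only
    # family name in the directory is a typical source of a schema violation).
    for attr in REQUIRED_TOP_LEVEL:
        value = user.get(attr)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty required attribute '{attr}'")

    name = user.get("name")
    if not isinstance(name, dict):
        problems.append("missing 'name' object")
    else:
        for part in REQUIRED_NAME_PARTS:
            value = name.get(part)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"missing or empty required attribute 'name.{part}'")

    # emails is a multi-valued complex attribute; at most one entry may be primary.
    emails = user.get("emails", [])
    if not isinstance(emails, list):
        problems.append("'emails' must be a list")
    else:
        primaries = 0
        for i, email in enumerate(emails):
            if not isinstance(email, dict) or not isinstance(email.get("value"), str):
                problems.append(f"emails[{i}] must be an object with a string 'value'")
                continue
            if not EMAIL_RE.match(email["value"]):
                problems.append(f"emails[{i}].value {email['value']!r} is not a valid address")
            if email.get("primary") is True:
                primaries += 1
        if primaries > 1:
            problems.append("more than one email marked primary")

    # Escaped control characters (e.g. \u0000) survive JSON parsing but are commonly
    # rejected by service providers as syntactically incorrect.
    for attr, value in user.items():
        if isinstance(value, str) and any(ord(c) < 32 for c in value):
            problems.append(f"attribute '{attr}' contains control characters")
    return problems


# Constructed sample payloads (not real directory data).
GOOD_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "alice@example.com",
    "displayName": "Alice Example",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
})

# Same shape, but with a blank family name and two primary emails: the kind of
# directory inconsistency that surfaces only as a 400 on the SCIM side.
BAD_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "bob@example.com",
    "displayName": "Bob",
    "name": {"givenName": "Bob", "familyName": " "},
    "emails": [{"value": "bob@example.com", "primary": True},
               {"value": "bob.alt@example.com", "primary": True}],
})

if __name__ == "__main__":
    for label, payload in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, validate_scim_user(payload) or "OK")
```

Running the script prints `OK` for the first record and two concrete problems for the second; comparing the directory records of the two users that fail against the ones that succeed, field by field, is usually quicker than reading the opaque 400 body.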

No answers
