Create Groups with AWS Identity Centre and External IdP (Google workspace)

1

Hi,

We have AWS Identity Centre configured with an external IdP (Google Workspace). However, as documented, the groups are not automatically provisioned and need to be created manually. When we try to create a group manually, we get the following message, and clicking the "Create Group" button does nothing:

Your identity source is currently configured as 'External identity provider'. To add new groups or edit their memberships, you must do this using your external identity provider.

How can we have groups with an external IdP configured? Do we have to create the groups manually before connecting an external IdP?

Thank you


2 answers
0
Accepted answer

Previously the documentation used to say that group provisioning with Google isn't supported. That was true when I last did this over a year ago.

However, there has been development and now Google can provision groups using SCIM. Please review latest documentation https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html

Expert
answered 4 months ago
  • Under Step 8, it looks like you can't create groups using the AWS Console once Identity Centre is connected to an external IdP. Creation of the groups can only be done via the CLI or API.

  • Gary, can you share more info on the latest development of group provisioning? The user doc you referred to still says: "SCIM automatic synchronization from Google Workspace only supports provisioning users; groups aren't automatically provisioned."

  • In the documentation mentioned above the bottom of the first section says: 'Note that this tutorial is based on a small Google Workspace directory test environment. Directory structures such as groups and organization units aren't included'. Does anyone know if there is a guide anywhere for importing your Google Groups to AWS Identity Center?

    If you look at the very bottom of the documentation, it talks about 'Next steps' and describes creating AWS Identity Center groups through the AWS CLI. However, if I do this, there is no way for me to add our Google users to these created groups.

  • @cvnkc You use the create-group CLI command or the corresponding API to create the group, then use the create-group-membership CLI command or the corresponding API to add users to that group.

0

Syncing of groups using SCIM between Google and Identity Center is still not supported to this day. If you want such automation, look into ssosync (https://github.com/awslabs/ssosync). I would suggest that, if you use ssosync, you don't turn automatic provisioning (SCIM) on, to avoid conflicting updates to Identity Center.

If you do want to use SCIM, and you don't have that many groups or group changes, you can manage groups separately from SCIM. You can't do that in the Console, as the buttons will be disabled when automatic provisioning is turned on, but you can do it via the CLI or API.

AWS
answered 3 days ago
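The workflow both answers describe (create the group with create-group, look up the SCIM-provisioned user, then attach it with create-group-membership, all while the console buttons are disabled) as an added example script. This is not code from the thread, from ssosync or from AWS documentation. It assumes AWS CLI v2 with credentials allowed to call sso-admin:ListInstances and the identitystore APIs, that SCIM users are looked up by userName (the Google Workspace primary email when provisioned from Google), and that group names and user names contain no double quotes, since they are spliced into the JSON alternate-identifier. The file name ic-groups.sh and the group and user values are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or AWS docs: manage Identity Center groups
# and memberships with the identitystore CLI while the identity source is an
# external IdP. Assumes AWS CLI v2 and identitystore permissions (see lead-in).
set -eu

# Identity store ID of the Identity Center instance. Set IDENTITY_STORE_ID to
# skip the lookup (e.g. when the caller lacks sso-admin:ListInstances).
identity_store_id() {
  if [ -n "${IDENTITY_STORE_ID:-}" ]; then
    printf '%s\n' "$IDENTITY_STORE_ID"
  else
    aws sso-admin list-instances \
      --query 'Instances[0].IdentityStoreId' --output text
  fi
}

# GroupId for a display name, or empty output when no such group exists
# (get-group-id exits non-zero with ResourceNotFoundException in that case).
group_id() {
  local store="$1" name="$2"
  aws identitystore get-group-id --identity-store-id "$store" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"displayName\",\"AttributeValue\":\"$name\"}}" \
    --query GroupId --output text 2>/dev/null || true
}

# Idempotent: create the group only when no group with that name exists.
ensure_group() {
  local store="$1" name="$2" gid
  gid="$(group_id "$store" "$name")"
  if [ -z "$gid" ]; then
    gid="$(aws identitystore create-group --identity-store-id "$store" \
      --display-name "$name" --description "Managed via CLI, not SCIM" \
      --query GroupId --output text)"
  fi
  printf '%s\n' "$gid"
}

# UserId of a SCIM-provisioned user, looked up by userName.
user_id() {
  local store="$1" username="$2"
  aws identitystore get-user-id --identity-store-id "$store" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"userName\",\"AttributeValue\":\"$username\"}}" \
    --query UserId --output text
}

# Add a user to a group. A ConflictException means the membership already
# exists, which is fine for a desired-state script; any other error is fatal.
add_member() {
  local store="$1" gid="$2" uid="$3" out
  if out="$(aws identitystore create-group-membership --identity-store-id "$store" \
      --group-id "$gid" --member-id "UserId=$uid" \
      --query MembershipId --output text 2>&1)"; then
    printf '%s\n' "$out"
  elif printf '%s' "$out" | grep -q ConflictException; then
    printf 'already-a-member\n'
  else
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Converge one group onto a member list; prints "user result" per member.
sync_memberships() {
  local store="$1" group="$2" gid user result
  shift 2
  gid="$(ensure_group "$store" "$group")"
  for user in "$@"; do
    result="$(add_member "$store" "$gid" "$(user_id "$store" "$user")")"
    printf '%s %s\n' "$user" "$result"
  done
}

# Usage: sh ic-groups.sh GROUP_DISPLAY_NAME USER_NAME...   (placeholder names)
# Without arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 2 ]; then
  sync_memberships "$(identity_store_id)" "$@"
fi
```

Because the script converges on a desired membership list rather than blindly creating, it can be re-run from a pipeline after each Google Workspace change; note that it only adds members, so removals still have to be done with delete-group-membership, and it must not be combined with ssosync on the same groups, for the conflict reason given in the answer above.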
