AWS Identity Center (SSO) and Google Workspace - SCIM (auto provisioning) - Only Google Admins successfully provision

I followed the Google Amazon Web Services cloud application docs and Configure Amazon Web Services (AWS) auto-provisioning, which I finally got working. Almost...

Not sure why the AWS docs for Configure SAML and SCIM with Google Workspace and IAM Identity Center have you add 2 SAML apps, but that is beside the point... (see Step 5, where it has you add the "Amazon Web Services" SAML app, and Step 6.5.c, where it has you add a custom SAML "AWS access portal" app.)

It appears that only Google Admin users are successfully auto-provisioning with SCIM. Either way I get this on the Google side:

Autoprovisioning for following users failing:
Email ID, Error code, Error Details
username@domain.com, 45003, StatusCode: 400 : Bad Request : { "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "detail": "Request is unparsable, syntactically incorrect, or violates schema.", "status": "400", "exceptionRequestId": "[redacted]", "timeStamp": "2024-01-19 23:08:12.661" }

According to the View auto-provisioning errors Google doc the error code "45003" states:

The resource update, create, or delete request was not accepted by your SCIM-based application. Look at the details of the error in the downloaded error file.

Possible reasons:

License Limit Exceeded—You have licenses to create only 5 users on your SCIM-based application and you turned on auto-provisioning for 6 users.

Value Too Long—Your value e.g. email ID is too long and is not acceptable for your SCIM-based application.

Must have at least one entitlement, one of which must be profile ID.

The username already exists. It must be unique across the entire organization.

Resource (User) not found on the service provider (SP) side.

Invalid SCIM user ID value.

What license is it referring to? Google's or AWS's? I doubt the email is too long, nor does the user already exist.

It definitely seems like an issue on the AWS side, but I'm not sure how to troubleshoot further on that side.

2 Answers

Hi,

This message comes from Google: https://support.google.com/a/answer/6294829?hl=en

Look for 45003 on the page to get more details

Best,

Didier

AWS EXPERT
answered 3 months ago

Hi!
In my case it helped to actually remove all the extensive mappings for optional attributes - I left only the required attributes for the SCIM application.
I would highly recommend trying this, and then ensuring that each one of the optional attributes you're mapping works for your case. Make sure not to forget the Before you begin section: https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html As of the current state:

Each Google Workspace user has only a single value per data attribute, such as email address or phone number. Any users that have multiple values will fail to synchronize. If there are users that have multiple values in their attributes, remove the duplicate attributes before attempting to provision the user in IAM Identity Center. For example, only one phone number attribute can be synchronized; since the default phone number attribute is "work phone", use the "work phone" attribute to store the user's phone number, even if the phone number for the user is a home phone or a mobile phone.

Best wishes,
Vladyslav

answered a month ago
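The answer above boils down to two checks you can run on the SCIM User payload before Google sends it to the IAM Identity Center SCIM endpoint: the required attributes must be present, and the multi-valued attributes (emails, phoneNumbers, addresses) may carry at most one value each, otherwise the endpoint answers the 400 "violates schema" error shown in the question. The following pre-flight linter is an added example written for this page, not code from the thread, Google, or AWS. It assumes the required set is userName, displayName, name.givenName and name.familyName (taken from the IAM Identity Center SCIM implementation guide as I recall it; verify against the current guide before relying on it), and the sample payloads are constructed for illustration:

```python
"""Pre-flight lint for a SCIM 2.0 User payload destined for IAM Identity Center.

Added example (not from the original Q&A). Constants marked ASSUMPTION are
taken from the AWS SCIM implementation guide as recalled; verify them.
"""
from __future__ import annotations

import copy
import json
from typing import Any

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# ASSUMPTION: attributes Identity Center requires on every User resource.
REQUIRED_ATTRIBUTES = ("userName", "displayName", "name.givenName", "name.familyName")

# Identity Center accepts only one entry in each of these multi-valued attributes.
SINGLE_VALUE_ONLY = ("emails", "phoneNumbers", "addresses")


def _lookup(obj: Any, dotted: str) -> Any:
    """Resolve a dotted path such as 'name.givenName' inside a nested dict."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def lint_scim_user(user: dict) -> list[str]:
    """Return a list of problems that would make Identity Center reject the payload."""
    problems: list[str] = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append(f"schemas must include {SCIM_USER_SCHEMA}")
    for attr in REQUIRED_ATTRIBUTES:
        if not _lookup(user, attr):
            problems.append(f"missing required attribute {attr}")
    for attr in SINGLE_VALUE_ONLY:
        values = user.get(attr)
        if values is None:
            continue
        if not isinstance(values, list):
            problems.append(f"{attr} must be a JSON array")
        elif len(values) > 1:
            problems.append(f"{attr} has {len(values)} values; Identity Center accepts exactly one")
    return problems


def trim_to_single_values(user: dict) -> dict:
    """Keep only the primary (or first) entry of each multi-valued attribute.

    This mirrors the fix in the thread: drop the extra mappings so each
    attribute carries a single value. The input is not modified.
    """
    trimmed = copy.deepcopy(user)
    for attr in SINGLE_VALUE_ONLY:
        values = trimmed.get(attr)
        if isinstance(values, list) and len(values) > 1:
            primary = [v for v in values if isinstance(v, dict) and v.get("primary")]
            trimmed[attr] = [primary[0] if primary else values[0]]
    return trimmed


# Constructed sample: an over-mapped user with two emails and two phone numbers,
# roughly what a Google Workspace profile with work + home values produces.
OVER_MAPPED_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "username@domain.com",
    "displayName": "Example User",
    "name": {"givenName": "Example", "familyName": "User"},
    "active": True,
    "emails": [
        {"value": "username@domain.com", "type": "work", "primary": True},
        {"value": "user.alias@domain.com", "type": "other", "primary": False},
    ],
    "phoneNumbers": [
        {"value": "+1 555 0100", "type": "work"},
        {"value": "+1 555 0199", "type": "mobile"},
    ],
}


if __name__ == "__main__":
    print("before:", lint_scim_user(OVER_MAPPED_USER))
    fixed = trim_to_single_values(OVER_MAPPED_USER)
    print("after: ", lint_scim_user(fixed))
    print(json.dumps(fixed, indent=2))
```

Run it against a JSON export of the user as Google would send it (or hand-build the dict as above); a non-empty list from lint_scim_user points at the attribute to remove from the mapping or from the user's Google profile, and trim_to_single_values shows what the payload looks like once only the primary value per attribute survives.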
