AWS SSO Google Workspace IDP SCIM


Hi all!
I've been able to configure AWS SSO to with with Google Workspace as it's identity provider using this guide -
I saw that Google isn't a fully supported external identity provider, meaning that it doesn't support automatic provisioning of users/groups from Google Workspace into AWS SSO.

  1. When will the automatic provisioning feature be available for Google Workspace?
  2. In the meantime, what alternatives are there for this feature? I have came across and checked this project, However, It is no longer available or supported.

Any help will be much appreciated :) ,

  • Hi Dave, I understand your frustration, I pass through the same contributing to the awslabs/ssosync project. So, that is why I build this other one from scratch, maybe this work for your requirements until AWS have a new better solution

asked 2 years ago4467 views
3 Answers

Right now that SSO Sync on Github is the best option if you want to automatically synchronize groups from your Google Workspaces to AWS SSO.

We also have a workshop that demonstrates how the SSO Sync can be used to setup integration between AWS SSO and Google Workspaces.

profile pictureAWS
answered 2 years ago
  • I have tried deploying the SSO Sync Github project however, I't seems that this is a dead project for a few reasons.

    1. The last commit was a year ago.
    2. The README link to "AWS Serverless Application Repository" that supposedly enables the deployment of SSO Sync doesn't work. There's actually an open issue that many people aren't able to access it and the reason seems to be that the related account was deleted.
    3. Following the manual instructions just doesn't work, there are multiple bugs.

    From the workshop link you provided it's also stated in the intro that - "AWS Single Sign-On (SSO) currently does not support Google Workspace as an identity provider for automatic provisioning of users and groups, or the ssosync application, available on the AWS Serverless Application Repository."


I can't offer any help at the moment, but I can report that I have the same issue. User provisioning is working, but I can't get Group mapping to work. Given that there is no manual workaround...

Enter image description here's a minor scandal that this does not appear to be documented.

answered a year ago
  • I have the same issue. It's odd that everything else works except for groups. And if I attempt to create a group in IAM, I cannot because I'm synchronizing from Google Workspace.


Hi guys. Maybe there are some news about Google + AWS SSO integrations.

Google and Amazon announces a new feature - automatic provisioning:

I've tested it and, yes it works. Thanks a lot for this feature!!! But group mapping between Google and AWS still doesn't work. In google SAML attribute mapping there is settings "Group membership (optional)" where I can choose my Google groups, but I can't understand what attributes I need to substitute into field "App attribute" in order for me to have a mapping between groups In Google and AWS. I read a bunch of documents, tried different options with mapping observing all possible attribute parameters in SAML schema of data and SCIM settings, tried create custom attributes on AWS and Google side, but none of the options works. Is it work actually?

Enter image description here

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions