The behavior you're experiencing is actually expected with the current implementation of the IAM Identity Center SCIM API. The GetGroup and ListGroups operations return an empty member list by design. This limitation is a known aspect of the AWS IAM Identity Center SCIM implementation.
To see group information for a specific member, you need to use the ListGroups operation with a member filter, as you've attempted. However, it's important to note that this will only confirm if a user is a member of a group, not provide a full list of members for a group.
The correct format for your query should be:
GET https://scim.ap-southeast-1.amazonaws.com/XXXXX/scim/v2/Groups?filter=id eq "Group Id" and members eq "user id"
If this query returns results, it confirms that the user is a member of the group. If it doesn't return results, the user is not a member of that group.
Regarding the 404 error you're getting when using "members.value" or "members.id", this is because these are not supported filter attributes in the current implementation.
It's worth noting that AWS has launched fully paginated AWS standard APIs for managing users and groups at scale in AWS IAM Identity Center. These newer APIs might provide more comprehensive functionality for your use case, although they may require a different integration approach than the SCIM API you're currently using.
If you need a full list of group members, you might need to implement a different approach, such as making individual queries for each user to check their group membership. While this is less efficient, it's currently the way to work around the limitation of the SCIM implementation.
Sources
- ListGroups - IAM Identity Center SCIM Implementation
- GetGroup - IAM Identity Center SCIM Implementation
- AWS SSO SCIM API ListGroups members | AWS re:Post
- Limitations from SCIM specification - IAM Identity Center SCIM Implementation
Thank you, community, for your response.
As per the document that you provided me (https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupMembershipId.html), I am getting the membership id from the AWS CLI, but I am not able to fetch it from Postman.
Also, it is not mentioned there which endpoint URL and which HTTP method I should use for this. Can anyone in the community guide me regarding this?
Thank you in advance.
Can you try the below steps for accessing the GetGroupMembershipId API from Postman?
- Create a new POST request.
- Set the endpoint to: https://identitystore.[region].amazonaws.com/
- Set the request headers:
    Content-Type: application/x-amz-json-1.1
    X-Amz-Target: AWSIdentityStore.GetGroupMembershipId
- In the request body (raw JSON), add:
    {
      "IdentityStoreId": "d-1234567890",
      "GroupId": "87c7b704-3d62-4f4d-9908-example",
      "MemberId": { "UserId": "5a5f4774-8f38-4bc1-example" }
    }
- Under the Authorization tab:
    Type: AWS Signature
    AccessKey: Your AWS access key
    SecretKey: Your AWS secret key
    AWS Region: Your region (e.g., us-east-1)
    Service Name: identitystore
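The same GetGroupMembershipId call made without Postman, as an added example that is not code from this thread or from AWS. It assembles the request the steps above describe (the identitystore endpoint, Content-Type application/x-amz-json-1.1, the X-Amz-Target header and the JSON body) and computes the Signature Version 4 Authorization header that Postman's "AWS Signature" option computes for you, using only the Python standard library. The access key, secret key, timestamp and IdentityStoreId/GroupId/UserId values are constructed placeholders, not real identifiers.

```python
"""Sign a GetGroupMembershipId request for the Identity Store JSON API
with AWS Signature Version 4 (standard library only).

Added example, not code from the re:Post thread or from AWS. All
credentials and identifiers below are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import json

SERVICE = "identitystore"
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def build_get_group_membership_id_request(region, identity_store_id, group_id,
                                          user_id, access_key, secret_key, now):
    """Return (url, headers, body) for a signed POST to GetGroupMembershipId.

    `now` is an aware UTC datetime; passing it in keeps the output
    deterministic. AWS rejects requests whose x-amz-date is more than
    about 15 minutes off the server clock, so use the current time for real calls.
    """
    host = f"{SERVICE}.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    # Same body shape as the Postman step above (compact JSON; any whitespace
    # is fine, but the payload hash must be over the exact bytes sent).
    body = json.dumps({"IdentityStoreId": identity_store_id,
                       "GroupId": group_id,
                       "MemberId": {"UserId": user_id}},
                      separators=(",", ":"))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    # Headers included in the signature: lowercase names, sorted by name.
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": "AWSIdentityStore.GetGroupMembershipId",
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))

    # Canonical request: method, URI, query string (empty for this API),
    # canonical headers, blank line, signed header list, payload hash.
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    credential_scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return f"https://{host}/", headers, body


def sample_request():
    """Build the request with constructed placeholder values (not real)."""
    return build_get_group_membership_id_request(
        region="us-east-1",
        identity_store_id="d-1234567890",
        group_id="87c7b704-3d62-4f4d-9908-example",
        user_id="5a5f4774-8f38-4bc1-example",
        access_key="AKIAEXAMPLEEXAMPLE",              # placeholder, not a real key
        secret_key="EXAMPLEsecretKEYnotREALnotREAL",  # placeholder, not a real key
        now=datetime.datetime(2025, 4, 27, 4, 30, 46, tzinfo=datetime.timezone.utc),
    )


if __name__ == "__main__":
    url, hdrs, payload = sample_request()
    print("POST", url)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(payload)
```

To send it for real, pass `url`, `payload.encode()` and `hdrs` to `urllib.request.Request` and read the JSON response; if you authenticate with temporary credentials, add an `x-amz-security-token` header with the session token to the signed headers as well. A successful call returns the same `MembershipId` the CLI gives you; a signature mistake comes back as an HTTP 403 with an `InvalidSignatureException` body, which is the first thing to compare against Postman's generated Authorization header. If boto3 is available, its `identitystore` client's `get_group_membership_id` performs this signing for you.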
The members section returning as an empty list in the response is called out in the limitations section of the documentation ("The GetGroup and ListGroups return an empty member list. To see group information for a certain member, call ListGroups with a member filter.") - https://docs.aws.amazon.com/singlesignon/latest/developerguide/limitations.html.
As mentioned in the documentation, call ListGroups with a member filter as shown in the example below and the documentation reference for ListGroups and filters -
Example:
    GET https://scim.us-east-1.amazonaws.com/{tenant_id}/scim/v2/Groups?filter=id eq "90677c608a-a9f17294-7931-41a5-9c00-6e7ace3c2c11" and members eq "90677c608a-787142a0-3f27-4cd3-afb6-8aed7ce87094"
    User-Agent: Mozilla/5.0
    Authorization: Bearer <bearer_token>
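An added example, not code from this thread or from AWS, that turns the filtered ListGroups call above into a membership check and then applies the workaround the first answer describes: since the filter only confirms membership for one known group id, it queries each candidate group once and collects the groups that matched. The tenant id, the second and third group ids, the user id and the canned responses are constructed; the filter syntax and the empty-`members` ListResponse shape are the ones shown in this thread. `scim_fetch` is a real HTTP helper for use against the endpoint; `_fake_fetch` stands in for it so the example runs offline.

```python
"""Check SCIM group membership with the ListGroups member filter and list
the groups (from a known set) that a user belongs to.

Added example, not code from the re:Post thread or from AWS. Tenant id,
user id, the constructed group ids and the canned responses are made up.
"""
import json
import urllib.request
from urllib.parse import quote

SCIM_BASE = "https://scim.us-east-1.amazonaws.com/{tenant_id}/scim/v2"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def groups_filter_url(base_url, group_id, user_id):
    """Build the ListGroups URL with the `id eq ... and members eq ...` filter.

    Spaces and double quotes must be percent-encoded. quote(safe='') is used
    instead of urlencode(), which would turn spaces into '+'.
    """
    flt = f'id eq "{group_id}" and members eq "{user_id}"'
    return f"{base_url}/Groups?filter={quote(flt, safe='')}"


def scim_fetch(url, bearer_token):
    """GET a SCIM URL with the IAM Identity Center bearer token (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def is_member(list_response):
    """A filtered ListGroups match means the user is in the group; the
    members[] array is empty either way, so only totalResults is meaningful."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return list_response.get("totalResults", 0) > 0


def groups_for_user(base_url, user_id, candidate_group_ids, fetch):
    """Return {group_id: displayName} for every candidate group the user is in.

    One filtered ListGroups call per candidate group (the workaround from the
    thread). `fetch(url)` performs the GET and returns the parsed JSON body.
    """
    found = {}
    for gid in candidate_group_ids:
        resp = fetch(groups_filter_url(base_url, gid, user_id))
        if is_member(resp):
            found[gid] = resp["Resources"][0]["displayName"]
    return found


# ---- constructed offline data (group 1 id and name are taken from the thread) ----
USER_ID = "5a5f4774-8f38-4bc1-example"  # placeholder user id


def _match(group_id, name):
    return {"totalResults": 1, "itemsPerPage": 1, "startIndex": 1,
            "schemas": [LIST_RESPONSE],
            "Resources": [{"id": group_id,
                           "meta": {"resourceType": "Group"},
                           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                           "displayName": name,
                           "members": []}]}   # always empty on this implementation


_NO_MATCH = {"totalResults": 0, "itemsPerPage": 0, "startIndex": 1,
             "schemas": [LIST_RESPONSE], "Resources": []}

CANNED_RESPONSES = {
    "69fa359c-20e1-70a0-d4e5-abcdc16131": _match("69fa359c-20e1-70a0-d4e5-abcdc16131", "AWS_TestGroup1"),
    "8f3c2b1e-aaaa-bbbb-cccc-constructed1": _NO_MATCH,
    "1d9e7a44-dddd-eeee-ffff-constructed2": _match("1d9e7a44-dddd-eeee-ffff-constructed2", "AWS_TestGroup3"),
}


def _fake_fetch(url):
    """Offline stand-in for scim_fetch: pick the canned reply by group id in the URL."""
    for gid, resp in CANNED_RESPONSES.items():
        if gid in url:
            return resp
    return _NO_MATCH


def demo():
    base = SCIM_BASE.format(tenant_id="exampletenant")  # placeholder tenant id
    return groups_for_user(base, USER_ID, list(CANNED_RESPONSES), _fake_fetch)


if __name__ == "__main__":
    groups = demo()
    print(f"{USER_ID} is in {len(groups)} of {len(CANNED_RESPONSES)} candidate groups:")
    for gid, name in groups.items():
        print(f"  {gid}  {name}")
```

Against the real endpoint, use `functools.partial(scim_fetch, bearer_token=token)` as the `fetch` argument. The loop costs one request per candidate group, which is why the first answer calls it inefficient: for the original goal (all group names and the count for one user), the newer Identity Store API the first answer mentions has a ListGroupMembershipsForMember operation that returns a user's memberships directly, without the SCIM member filter.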
While hitting this URL I am getting the below response:
    {
      "totalResults": 1,
      "itemsPerPage": 1,
      "startIndex": 1,
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "Resources": [
        {
          "id": "69fa359c-20e1-70a0-d4e5-abcdc16131",
          "meta": {
            "resourceType": "Group",
            "created": "2025-04-27T04:30:46Z",
            "lastModified": "2025-04-27T04:45:50Z"
          },
          "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
          "displayName": "AWS_TestGroup1",
          "members": []
        }
      ]
    }
But actually I want to fetch the group names and the total count of groups with which the user is associated.
Thank you for your response.
As per your suggestion I am using this document, https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupMembershipId.html, to fetch the group membership id. But it is not clear there which endpoint URL and which HTTP method I have to use for it. Can you please guide me on it?
Thank you.