Using SCIM with AWS IAM as IdP

Question

Hi everyone,

during my research, I found a lot of documentation that describes how you can use another IdP, such as Azure Active Directory, to synchronize identities from that IdP to AWS IAM. But what about the other way around? Is it possible to use AWS IAM as my central IdP, and then synchronize users stored in AWS to another service provider? Azure for example provides that functionality, I can create an Enterprise Application for user provisioning and then select any arbitrary target endpoint that receives the SCIM requests to synchronize users between AAD and another application. Does AWS provide something comparable?

Thanks in advance!

samwale-aws · Answer

Have you looked into IAM Identity Center (successor to AWS Single Sign-On)? This service is has more centralized capabilities vs AWS IAM.

Check out [this list](https://docs.aws.amazon.com/singlesignon/latest/userguide/saasapps.html) of applications that already has built integrations with IAM Identity Center. These integration I know does support Federation between AWS and those service providers, but as far as SCIM integration, you would likely need to implement a custom solutions. For example :

* You can use AWS Lambda or another compute service to create a script that periodically exports IAM user data and transforms it into the appropriate format, such as SCIM, for the target service provider. Then, you can set up an API to receive the transformed data in the target service provider.

Keep in mind that this custom solution will require ongoing maintenance and updates to ensure compatibility and security.

See the [official documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-considerations.html) for AWS IAM Identity Center for more details

Using SCIM with AWS IAM as IdP

Relevant content