Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center
AWS IAM Identity Center supports integration with Security Assertion Markup Language (SAML) 2.0 as well as automatic provisioning (synchronization) of user and group information from Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) 2.0 protocol.
Objective
In this tutorial, you will set up a test lab and configure a SAML connection and SCIM provisioning between Microsoft Entra ID and IAM Identity Center. During the initial preparation steps, you'll create a test user (Nikki Wolf) in both Microsoft Entra ID and IAM Identity Center which you'll use to test the SAML connection in both directions. Later, as part of the SCIM steps, you'll create a different test user (Richard Roe) to verify that new attributes in Microsoft Entra ID are synchronizing to IAM Identity Center as expected.
Before you can get started with this tutorial, you'll first need to set up the following:
- A Microsoft Entra ID tenant. For more information, see Quickstart: Set up a tenant on Microsoft's website.
- An AWS IAM Identity Center-enabled account. For more information, see Enable IAM Identity Center in the AWS IAM Identity Center User Guide.
In this step, you will walk through how to install and configure your AWS IAM Identity Center enterprise application and assign access to a newly created Microsoft Entra ID test user.
In this step, you'll walk through how to use IAM Identity Center to configure access permissions (via permission set), manually create a corresponding Nikki Wolf user, and assign her the necessary permissions to administer resources in AWS.
In this step, you configure your SAML connection using the AWS IAM Identity Center enterprise application in Microsoft Entra ID together with the external IdP settings in IAM Identity Center.
In this step, you will set up automatic provisioning (synchronization) of user information from Microsoft Entra ID into IAM Identity Center using the SCIM v2.0 protocol. You configure this connection in Microsoft Entra ID using your SCIM endpoint for IAM Identity Center and a bearer token that is created automatically by IAM Identity Center.
When you configure SCIM synchronization, you create a mapping of your user attributes in Microsoft Entra ID to the named attributes in IAM Identity Center. This causes the expected attributes to match between IAM Identity Center and Microsoft Entra ID.
The following steps walk you through how to enable automatic provisioning of users that primarily reside in Microsoft Entra ID to IAM Identity Center using the IAM Identity Center app in Microsoft Entra ID.
The following are important considerations about Microsoft Entra ID that can affect how you plan to implement automatic provisioning with IAM Identity Center in your production environment using the SCIM v2 protocol.
Note
Before you begin deploying SCIM, we recommend that you first review Considerations for using automatic provisioning.
Attributes for access control
Attributes for access control are used in permission policies that determine who in your identity source can access your AWS resources. If an attribute is removed from a user in Microsoft Entra ID, that attribute will not be removed from the corresponding user in IAM Identity Center. This is a known limitation in Microsoft Entra ID. If an attribute is changed to a different (non-empty) value on a user, that change will be synchronized to IAM Identity Center.
Nested Groups
The Microsoft Entra ID user provisioning service can't read or provision users in nested groups. Only users that are immediate members of an explicitly assigned group can be read and provisioned. Microsoft Entra ID doesn't recursively unpack the group memberships of indirectly assigned users or groups (users or groups that are members of a group that is directly assigned). For more information, see Assignment-based scoping.
Dynamic Groups
The Microsoft Entra ID user provisioning service can read and provision users in dynamic groups. For example, if the Microsoft Entra ID structure for dynamic groups is as follows:
- Group A with members ua1, ua2
- Group B with members ub1
- Group C with members uc1
- Group K with a rule to include members of Group A, B, C
- Group L with a rule to include members of Group B and C
After the user and group information is provisioned from Microsoft Entra ID into IAM Identity Center through SCIM, the structure will be as follows:
- Group A with members ua1, ua2
- Group B with members ub1
- Group C with members uc1
- Group K with members ua1, ua2, ub1, uc1
- Group L with members ub1, uc1
When you configure automatic provisioning using dynamic groups, keep the following considerations in mind.
- A dynamic group can include a nested group. However, the Microsoft Entra ID provisioning service doesn't flatten the nested group. For example, if you have the following Microsoft Entra ID structure for dynamic groups:
  - Group A is a parent of group B.
  - Group A has ua1 as a member.
  - Group B has ub1 as a member.
  - The dynamic group that includes Group A will only include the direct members of group A (that is, ua1). It won't recursively include members of group B.
- Dynamic groups can't contain other dynamic groups. For more information, see Preview limitations in the Microsoft Entra ID documentation.
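The two dynamic-group scenarios above (rules that name several groups, and a rule that names a parent group whose nested child is never unpacked) can be checked ahead of a rollout by modelling the provisioning service's behaviour. The following is an added example, not code from the AWS or Microsoft documentation; the group names, user ids and rules are constructed to mirror the scenarios described above, and "Group M" is a hypothetical dynamic group whose rule names only the parent group so that the nested-group gap becomes visible.

```python
"""Simulate how the Microsoft Entra ID provisioning service materialises
dynamic groups for SCIM, so the difference between what an administrator
expects and what IAM Identity Center actually receives can be audited.

Added example, not code from the AWS or Microsoft documentation. All group
names, user ids and rules are constructed to mirror the scenarios above.
"""
from __future__ import annotations

# Constructed tenant: direct *user* members of each group.
DIRECT_USERS: dict[str, set[str]] = {
    "Group A": {"ua1", "ua2"},
    "Group B": {"ub1"},
    "Group C": {"uc1"},
}

# Constructed nesting: Group B is a member of Group A (second scenario above).
NESTED_GROUPS: dict[str, set[str]] = {
    "Group A": {"Group B"},
}

# Constructed dynamic-group rules of the form "include members of <groups>".
DYNAMIC_RULES: dict[str, list[str]] = {
    "Group K": ["Group A", "Group B", "Group C"],
    "Group L": ["Group B", "Group C"],
    "Group M": ["Group A"],  # hypothetical: names only the parent group
}


def provisioned_users(group: str) -> set[str]:
    """Users IAM Identity Center receives for ``group`` through SCIM.

    Mirrors the documented behaviour: a dynamic rule contributes the direct
    user members of each group it names; nested groups are never unpacked.
    """
    if group in DYNAMIC_RULES:
        users: set[str] = set()
        for source in DYNAMIC_RULES[group]:
            users |= DIRECT_USERS.get(source, set())
        return users
    return set(DIRECT_USERS.get(group, set()))


def fully_flattened_users(group: str, _seen: set[str] | None = None) -> set[str]:
    """Recursive membership view that administrators often assume they get."""
    if _seen is None:
        _seen = set()
    if group in _seen:  # guard against membership cycles
        return set()
    _seen.add(group)
    users = set(DIRECT_USERS.get(group, set()))
    for child in NESTED_GROUPS.get(group, set()):
        users |= fully_flattened_users(child, _seen)
    for source in DYNAMIC_RULES.get(group, []):
        users |= fully_flattened_users(source, _seen)
    return users


def provisioning_gap(group: str) -> set[str]:
    """Users reachable only through nesting, which SCIM will silently omit."""
    return fully_flattened_users(group) - provisioned_users(group)


if __name__ == "__main__":
    for name in ("Group K", "Group L", "Group M"):
        print(f"{name}: provisioned={sorted(provisioned_users(name))} "
              f"missing={sorted(provisioning_gap(name))}")
```

Running the script shows Group K and Group L arriving exactly as listed above, while the hypothetical Group M loses ub1 because the only path to that user runs through the nested Group B. Auditing `provisioning_gap` for every dynamic group before assigning it to the IAM Identity Center app is a cheap way to catch users who would otherwise never receive their permission sets.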
If you are experiencing issues with Microsoft Entra ID users not synchronizing to IAM Identity Center, it might be due to a syntax issue that IAM Identity Center has flagged when a new user is being added to IAM Identity Center. You can confirm this by checking the Microsoft Entra ID audit logs for failed events, such as an 'Export'. The Status Reason for this event will state:
{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400"}
You can also check AWS CloudTrail for the failed event. This can be done by searching in the Event History console of CloudTrail using the following filter:
"eventName":"CreateUser"
The error in the CloudTrail event will state the following:
"errorCode": "ValidationException", "errorMessage": "Currently list attributes only allow single item"
Ultimately, this exception means that one of the values passed from Microsoft Entra ID contained more values than anticipated. The solution here is to review the attributes of the user in Microsoft Entra ID, ensuring that none contain duplicate values. One common example of duplicate values is having multiple values present for contact numbers such as mobile, work, and fax. Although separate values, they are all passed to IAM Identity Center under the single parent attribute phoneNumbers.
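Both sides of the check described above can be automated: inspect the SCIM payload that Microsoft Entra ID would send for multi-valued attributes carrying more than one item, and filter CloudTrail records for the CreateUser failure with the ValidationException text quoted above. The following is an added example, not code from the AWS or Microsoft documentation. The SCIM payloads and CloudTrail records are constructed; which attributes IAM Identity Center limits to a single item is an assumption generalised from the phoneNumbers case above, and the placement of the user name under requestParameters in the CloudTrail record is likewise an assumption.

```python
"""Find the cause of the "list attributes only allow single item" SCIM
failure: check outbound SCIM user payloads and filter CloudTrail records.

Added example, not code from the AWS or Microsoft documentation. Payloads and
CloudTrail records are constructed sample data.
"""
from __future__ import annotations

import json

# Multi-valued SCIM 2.0 core attributes that Entra ID exports as lists.
# Assumption: IAM Identity Center accepts at most one item in each of them;
# the page documents this only for phoneNumbers.
SINGLE_ITEM_ATTRIBUTES = ("phoneNumbers", "emails", "addresses")

# Constructed payload: a single work number, accepted by IAM Identity Center.
SCIM_USER_OK = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "nikki.wolf@example.com",
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
})

# Constructed payload: work, mobile and fax numbers all land under the one
# parent attribute phoneNumbers, which is the duplicate-value case above.
SCIM_USER_BAD = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "richard.roe@example.com",
    "phoneNumbers": [
        {"value": "+1 555 0100", "type": "work"},
        {"value": "+1 555 0101", "type": "mobile"},
        {"value": "+1 555 0102", "type": "fax"},
    ],
})


def oversized_list_attributes(scim_user_json: str) -> dict[str, int]:
    """Return {attribute: item_count} for each list attribute with > 1 item."""
    user = json.loads(scim_user_json)
    return {
        name: len(user[name])
        for name in SINGLE_ITEM_ATTRIBUTES
        if isinstance(user.get(name), list) and len(user[name]) > 1
    }


# Constructed CloudTrail records trimmed to the fields the page's filter
# ("eventName":"CreateUser") and error text rely on. The userName location
# under requestParameters is an assumption for illustration.
CLOUDTRAIL_EVENTS = [
    {"eventName": "CreateUser",
     "requestParameters": {"userName": "nikki.wolf@example.com"}},
    {"eventName": "CreateUser",
     "errorCode": "ValidationException",
     "errorMessage": "Currently list attributes only allow single item",
     "requestParameters": {"userName": "richard.roe@example.com"}},
    {"eventName": "CreateGroup",  # same error text, different operation
     "errorCode": "ValidationException",
     "errorMessage": "Currently list attributes only allow single item"},
]


def single_item_failures(events: list[dict]) -> list[str]:
    """userNames whose CreateUser failed with the single-item ValidationException."""
    return [
        ev.get("requestParameters", {}).get("userName", "<unknown>")
        for ev in events
        if ev.get("eventName") == "CreateUser"
        and ev.get("errorCode") == "ValidationException"
        and "only allow single item" in ev.get("errorMessage", "")
    ]


if __name__ == "__main__":
    print("ok payload:", oversized_list_attributes(SCIM_USER_OK))
    print("bad payload:", oversized_list_attributes(SCIM_USER_BAD))
    print("failed CreateUser calls:", single_item_failures(CLOUDTRAIL_EVENTS))
```

The payload check is the one to run first: once `oversized_list_attributes` names the attribute (here phoneNumbers with three items), the remediation is the one the text gives, trimming the user's Entra ID contact numbers to a single value or narrowing the attribute mapping so only one is exported.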
For general SCIM troubleshooting tips, see Troubleshooting IAM Identity Center issues.
Now that you have successfully configured SAML and SCIM, you can optionally choose to configure attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes.
With Microsoft Entra ID, you can use either of the following two methods to configure ABAC for use with IAM Identity Center.