What is the AWS Single Sign-On SCIM implementation?

This reference guide helps software developers build custom integrations to provision (synchronize) users and groups into AWS Single Sign-On (AWS SSO) using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. This guide will also be useful to IT administrators who need to understand or debug an existing SCIM implementation.

The AWS SSO SCIM implementation is based on SCIM RFCs 7642 (https://tools.ietf.org/html/rfc7642), 7643 (https://tools.ietf.org/html/rfc7643), and 7644 (https://tools.ietf.org/html/rfc7644), and the interoperability requirements laid out in the March 2020 draft of the FastFed Basic SCIM Profile 1.0 (https://openid.net/specs/fastfed-scim-1_0-02.html#rfc.section.4). Any differences between these documents and the current implementation in AWS SSO are described in the Supported API operations section of this guide.

The following sections contain examples of API requests and responses currently supported in the AWS SSO SCIM implementation, along with important notes and constraints to consider in your design.

Before you begin, we recommend that you first review Considerations for Using Automatic Provisioning in the AWS Single Sign-On User Guide. That topic instructs you how to use SCIM to enable automatic provisioning in AWS SSO. You will need to follow those instructions to retrieve your SCIM endpoint and access token.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Supported API operations