Azure AD - AWS IAM Identity Center (successor to AWS Single Sign-On)

Azure AD

IAM Identity Center supports automatic provisioning (synchronization) of user and group information from Azure AD into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You configure this connection in Azure AD using your SCIM endpoint for IAM Identity Center and a bearer token that is created automatically by IAM Identity Center. When you configure SCIM synchronization, you create a mapping of your user attributes in Azure AD to the named attributes in IAM Identity Center. This causes the expected attributes to match between IAM Identity Center and your IdP.

The following steps walk you through how to enable automatic provisioning of users and groups from Azure AD to IAM Identity Center using the IAM Identity Center app in the Azure AD Application Gallery and the SCIM protocol.

Note

Before you begin deploying SCIM, we recommend that you first review Considerations for using automatic provisioning, and then continue reviewing Prerequisites and Additional considerations in the next sections.

Prerequisites

You will need the following before you can get started:

Additional considerations

Attributes for access control are used in permission policies that determine who in your identity source can access your AWS resources. If an attribute is removed from a user in Azure AD, that attribute is not removed from the corresponding user in IAM Identity Center. This is a known limitation in Azure AD. If an attribute is changed to a different (non-empty) value on a user, that change is synchronized to IAM Identity Center. Because ABAC permission policies are evaluated against the value that IAM Identity Center holds, an attribute that was deleted in Azure AD can continue to grant access until you overwrite it with a different non-empty value; to revoke access that depends on an attribute, change the value rather than clearing it.

Step 1: Set up IAM Identity Center and configure automatic provisioning

To get started, you'll need to first follow the instructions in Tutorial: Configure AWS Single Sign-On for automatic user provisioning. These instructions walk you through the following:

  • Enable IAM Identity Center.

  • Install the IAM Identity Center app from the Azure AD Application Gallery.

  • Configure automatic provisioning (SCIM) within the Azure portal.

Step 2: (Optional) Configure attribute-based access control

Now that you have configured Azure AD to work with IAM Identity Center, you can optionally choose to configure attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes.

With Azure AD, you have two different ways to configure ABAC for use with IAM Identity Center. Choose either of the following methods.

Method 1: Configure ABAC using Azure AD

This method can be used when you need to define which attributes in Azure AD can be used by IAM Identity Center to manage access to your AWS resources. Once defined, Azure AD sends these attributes to IAM Identity Center through SAML assertions. You will then need to Create a permission set in IAM Identity Center to manage access based on the attributes you passed from Azure AD.

Before you begin this procedure, you first need to enable the Attributes for access control feature. For more information about how to do this, see Enable and configure attributes for access control.

To configure user attributes in Azure AD for access control in IAM Identity Center

  1. While signed into the Azure portal, navigate to Azure Active Directory, Enterprise applications. Search for the name of the application that you created previously to form your SAML connection. Then choose the application.

  2. Choose Single sign-on.

  3. In the User Attributes & Claims section, choose Edit.

  4. On the User Attributes & Claims page, do the following:

    1. Choose Add new claim

    2. For Name, enter AccessControl:AttributeName. Replace AttributeName with the name of the attribute you are expecting in IAM Identity Center. For example, AccessControl:Department.

    3. For Namespace, enter https://aws.amazon.com/SAML/Attributes.

    4. For Source, choose Attribute.

    5. For Source attribute, use the drop-down list to choose the Azure AD user attributes. For example, user.department.

  5. Repeat the previous step for each attribute you need to send to IAM Identity Center in the SAML assertion.

  6. Choose Save.

Method 2: Configure ABAC using IAM Identity Center

With this method, you use the Attributes for access control feature in IAM Identity Center to pass an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey}. You can use this element to pass attributes as session tags in the SAML assertion. For more information about session tags, see Passing session tags in AWS STS in the IAM User Guide.

To pass attributes as session tags, include the AttributeValue element that specifies the value of the tag. For example, to pass the tag key-value pair CostCenter = blue, use the following attribute:

  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
      <saml:AttributeValue>blue</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>

If you need to add multiple attributes, include a separate Attribute element for each tag.
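The following Python is an added example and is not code from the AWS documentation or from Azure AD. It builds the AttributeStatement shape that both methods on this page produce (Method 1 through an Azure AD claim named AccessControl:<Key> under the https://aws.amazon.com/SAML/Attributes namespace, Method 2 through the Attributes for access control feature) and reads AccessControl:* tags back out of an assertion. SAMPLE_ASSERTION is constructed inline; the key/value length limits follow the IAM tag limits (key 128, value 256 characters), and rejecting more than one AttributeValue per tag key is this example's own policy, since a session tag carries a single value.

```python
"""Build and read AccessControl:* attributes in a SAML AttributeStatement.

Added example; not code from the AWS documentation. SAMPLE_ASSERTION is
constructed inline. Key/value length limits follow the IAM tag limits
(key <= 128, value <= 256 characters); rejecting more than one AttributeValue
per tag key is this example's own policy, since a session tag carries one value.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"
ET.register_namespace("saml", SAML_NS)


def saml(tag: str) -> str:
    """Clark-notation tag name in the SAML 2.0 assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def build_attribute_statement(tags: dict) -> str:
    """Emit one <saml:Attribute> per tag with Name = ATTR_PREFIX + key.

    One Attribute element per tag is exactly what the page calls for when
    several tags are passed; the tag key becomes the session tag key.
    """
    stmt = ET.Element(saml("AttributeStatement"))
    for key, value in tags.items():
        attr = ET.SubElement(stmt, saml("Attribute"), Name=ATTR_PREFIX + key)
        ET.SubElement(attr, saml("AttributeValue")).text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_access_control_tags(assertion_xml: str) -> dict:
    """Return {tag_key: value} for every AccessControl:* attribute.

    Only call this on an assertion whose signature has already been verified;
    for untrusted XML use defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iter(saml("Attribute")):
        name = attr.get("Name", "")
        if not name.startswith(ATTR_PREFIX):
            continue  # RoleSessionName, Role, etc. are not access-control tags
        key = name[len(ATTR_PREFIX):]
        values = [(v.text or "").strip() for v in attr.findall(saml("AttributeValue"))]
        if len(values) != 1:
            raise ValueError(f"{key}: expected one AttributeValue, found {len(values)}")
        if not key or len(key) > 128 or len(values[0]) > 256:
            raise ValueError(f"{key}: tag key/value exceeds IAM tag limits")
        tags[key] = values[0]
    return tags


# Constructed assertion fragment: one ordinary SAML attribute plus the
# CostCenter example from this page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
      <saml:AttributeValue>blue</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print(build_attribute_statement({"CostCenter": "blue", "Department": "Engineering"}))
    print(extract_access_control_tags(SAMPLE_ASSERTION))
```

Run it directly to see the generated statement and the tags recovered from the sample assertion. The extractor deliberately ignores every attribute outside the AccessControl prefix, so a RoleSessionName or Role attribute in the same statement can never be mistaken for a session tag.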

Troubleshooting

The following can help you troubleshoot some common issues you might encounter while setting up automatic provisioning with Azure AD.

Azure AD users are not synchronizing to IAM Identity Center

This might be due to a syntax issue that IAM Identity Center has flagged when a new user is being added to IAM Identity Center. You can confirm this by checking the Azure audit logs for failed events, such as an 'Export'. The Status Reason for this event will state:

{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400"}

You can also check AWS CloudTrail for the failed event. This can be done by searching in the Event History console of CloudTrail using the following filter:

"eventName":"CreateUser"

The error in the CloudTrail event will state the following:

"errorCode": "ValidationException", "errorMessage": "Currently list attributes only allow single item"

This exception means that one of the multi-valued attributes Azure AD sent for the user contained more than one item, where IAM Identity Center accepts only one. Review the user's attributes in Azure AD and make sure none of them carries multiple values. A common case is contact numbers: a user with mobile, work, and fax numbers has three separate values in Azure AD, but all of them are sent to IAM Identity Center under the single parent attribute phoneNumbers, which is what triggers the error.
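The following Python is an added example, not code from the AWS documentation or from Azure AD. It automates the triage described above: it picks the failed CreateUser calls out of a batch of CloudTrail records, finds which SCIM User payloads carry more than one item in a multi-valued attribute such as phoneNumbers, and shows the single-item shape the payload needs to have. The CloudTrail records and SCIM payloads are constructed inline to mimic what CloudTrail logs and what Azure AD sends; in practice they would come from `aws cloudtrail lookup-events` and the Azure AD provisioning logs.

```python
"""Triage the "Currently list attributes only allow single item" failure.

Added example; not code from the AWS documentation. The CloudTrail records and
SCIM User payloads below are constructed to mimic what CloudTrail logs and what
Azure AD sends over SCIM; real input would come from
`aws cloudtrail lookup-events` and the Azure AD provisioning logs.
"""
import copy

# Multi-valued attributes of the SCIM 2.0 core User resource (RFC 7643, 4.1.2).
MULTI_VALUED = ("phoneNumbers", "emails", "addresses")

# Constructed CloudTrail records: one failed CreateUser of the kind this page
# describes, one unrelated successful call.
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventName": "CreateUser",
     "errorCode": "ValidationException",
     "errorMessage": "Currently list attributes only allow single item"},
    {"eventTime": "2023-05-01T10:00:05Z", "eventName": "CreateUser"},
]

# Constructed SCIM payloads as Azure AD would POST them. The first user carries
# work, mobile and fax numbers, all under the single phoneNumbers attribute.
SAMPLE_USERS = [
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "jdoe@example.com",
     "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
     "phoneNumbers": [{"value": "+1 555 0100", "type": "work", "primary": True},
                      {"value": "+1 555 0101", "type": "mobile"},
                      {"value": "+1 555 0102", "type": "fax"}]},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "asmith@example.com",
     "emails": [{"value": "asmith@example.com", "type": "work", "primary": True}],
     "phoneNumbers": [{"value": "+1 555 0200", "type": "work"}]},
]


def failed_create_user_events(events):
    """CloudTrail records for CreateUser calls that failed with this exception
    (the "eventName":"CreateUser" Event History filter, narrowed to the error)."""
    return [ev for ev in events
            if ev.get("eventName") == "CreateUser"
            and ev.get("errorCode") == "ValidationException"
            and "only allow single item" in ev.get("errorMessage", "")]


def multi_item_attributes(user):
    """{attribute: item_count} for every multi-valued attribute with more than
    one item; an empty dict means the user would not trip the check."""
    return {name: len(user[name]) for name in MULTI_VALUED
            if len(user.get(name) or []) > 1}


def users_needing_fix(users):
    """Map userName -> offending attributes across a batch of SCIM payloads."""
    report = {}
    for user in users:
        problems = multi_item_attributes(user)
        if problems:
            report[user["userName"]] = problems
    return report


def collapse_to_primary(user):
    """Copy of the payload with one item per multi-valued attribute: the one
    marked primary, else the first. This shows the target shape only; the
    actual fix is made in Azure AD by removing the extra values (or narrowing
    the attribute mapping) so the provisioning service stops sending them."""
    fixed = copy.deepcopy(user)
    for name in MULTI_VALUED:
        items = fixed.get(name) or []
        if len(items) > 1:
            primary = [i for i in items if i.get("primary")]
            fixed[name] = [primary[0] if primary else items[0]]
    return fixed


if __name__ == "__main__":
    print(len(failed_create_user_events(SAMPLE_EVENTS)), "failed CreateUser call(s)")
    print(users_needing_fix(SAMPLE_USERS))
    print(collapse_to_primary(SAMPLE_USERS[0])["phoneNumbers"])
```

The report names the attribute and the item count, so you know which user and which field to correct in Azure AD. Only the user's first payload is reduced; the second user, with one work number, passes the check unchanged.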