SCIM profile and SAML 2.0 implementation - AWS Single Sign-On


Both SCIM and SAML are important considerations for configuring AWS SSO.

SAML 2.0 implementation

AWS SSO supports identity federation with SAML (Security Assertion Markup Language) 2.0. This allows AWS SSO to authenticate identities from external identity providers (IdPs). SAML 2.0 is an industry standard for securely exchanging authentication and authorization data, packaged as SAML assertions. SAML 2.0 passes information about a user between a SAML authority (called an identity provider or IdP) and a SAML consumer (called a service provider or SP). The AWS SSO service uses this information to provide federated single sign-on (SSO), allowing users to access AWS accounts and configured applications based on their existing identity provider credentials (such as a user name and password).

AWS SSO adds SAML IdP capabilities to your AWS SSO store, AWS Managed Microsoft AD, or to an external identity provider. Users can then SSO into services that support SAML, including the AWS Management Console and third-party applications such as Microsoft 365, Concur, and Salesforce.

The SAML protocol, however, does not provide a way to query the IdP to learn about users and groups. Therefore, you must make AWS SSO aware of those users and groups by provisioning them into AWS SSO.

SCIM profile

AWS SSO provides support for the System for Cross-domain Identity Management (SCIM) v2.0 standard. SCIM keeps your AWS SSO identities in sync with identities from your IdP. This includes any provisioning, updates, and deprovisioning of users between your IdP and AWS SSO.
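The following is an added illustration, not code from AWS SSO or its developer guide: it shows the shape of the SCIM 2.0 requests a provisioning sync produces (a core User resource for a new user and a PatchOp that deactivates a removed one) and a small reconciliation that compares the IdP's user list with the service provider's. The sample user lists are constructed, and the endpoint path, token and attribute handling are assumptions drawn from the SCIM 2.0 RFCs, not from AWS SSO's specific implementation.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_user(user_name, given, family, email):
    """Build a SCIM 2.0 core User resource (RFC 7643) for a POST to /Users."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}",
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }


def deactivate_patch():
    """Build a SCIM 2.0 PatchOp (RFC 7644) that sets active=false on a user.
    Deactivating rather than deleting keeps the SP-side record for audit."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def plan_sync(idp_users, sp_users):
    """Compare the IdP's users with those the SP already holds and return the
    SCIM operations needed: create users new at the IdP, deactivate active SP
    users the IdP no longer lists. Users already inactive at the SP are left alone."""
    idp = {u["userName"]: u for u in idp_users}
    sp = {u["userName"]: u for u in sp_users}
    ops = []
    for name in sorted(idp.keys() - sp.keys()):
        u = idp[name]
        ops.append(("POST", "/Users", scim_user(name, u["givenName"], u["familyName"], u["email"])))
    for name in sorted(sp.keys() - idp.keys()):
        if sp[name]["active"]:
            ops.append(("PATCH", f"/Users/{sp[name]['id']}", deactivate_patch()))
    return ops


# Constructed sample data: what the IdP reports, and what the SP currently holds.
SAMPLE_IDP_USERS = [
    {"userName": "alice@example.com", "givenName": "Alice", "familyName": "Liddell", "email": "alice@example.com"},
]
SAMPLE_SP_USERS = [
    {"userName": "bob@example.com", "id": "sp-1", "active": True},     # left the IdP: deactivate
    {"userName": "carol@example.com", "id": "sp-2", "active": False},  # already deactivated: no-op
]

if __name__ == "__main__":
    for method, path, body in plan_sync(SAMPLE_IDP_USERS, SAMPLE_SP_USERS):
        print(method, path, json.dumps(body))
```

In a real sync each tuple would be sent to the SCIM endpoint with a bearer token; the point here is that deprovisioning is a state change the SP can log and alert on, not a silent deletion.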

For more information about how to implement SCIM, see Automatic provisioning. For additional details about AWS SSO’s SCIM implementation, see the AWS SSO SCIM Implementation Developer Guide.