示例 CloudTrail 事件 IAM 身份中心中常见的 SCIM API 验证错误

使用 AWS CloudTrail记录 IAM Identity Center SCIM API 调用

IAM Identity Center SCIM 与 AWS CloudTrail一项服务集成，该服务提供用户、角色或角色所采取的操作的 AWS 服务记录。 CloudTrail 将 SCIM 的 API 调用捕获为事件。使用收集的信息 CloudTrail，您可以确定有关所请求操作的信息、操作的日期和时间、请求参数等。要了解更多信息 CloudTrail，请参阅《AWS CloudTrail 用户指南》。

注意

CloudTrail 在您创建账户 AWS 账户时已在您的账户上启用。但是，如果您的令牌是在 2024 年 9 月之前创建的，则可能需要轮换访问令牌才能查看 SCIM 中的事件。

有关更多信息，请参阅轮换访问令牌。

SCIM 支持将以下操作记录为事件： CloudTrail

示例 CloudTrail 事件

以下示例演示了使用 IAM Identity Center 进行 SCIM 操作期间生成的典型 CloudTrail 事件日志。这些示例显示了成功操作和常见错误场景的事件的结构和内容，可帮助您了解在排除 SCIM 配置问题时如何解释 CloudTrail 日志。

成功`CreateUser`操作

此 CloudTrail 事件显示通过 SCIM API 成功执行的CreateUser操作。该事件会捕获请求参数（屏蔽敏感信息）和响应元素，包括新创建的用户的 ID。当身份提供商使用 SCIM 协议成功将新用户配置到 IAM Identity Center 时，就会生成此类事件。


{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,  
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

`PatchGroup`操作失败：缺少必需的路径属性

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchGroup操作"Missing path in PATCH request"。之所以出现错误，是因为该PATCH操作需要路径属性来指定要修改的组属性，但是请求中缺少此属性。


{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

`CreateGroup`操作失败：组名已存在

此 CloudTrail 事件显示了导致错误消息ConflictException的失败CreateGroup操作"Duplicate GroupDisplayName"。尝试使用已存在于 IAM Identity Center 中的显示名称创建群组时会发生此错误。身份提供者必须使用唯一的群组名称或更新现有群组，而不是创建新群组。


{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

`PatchUser`操作失败：不支持多个电子邮件地址

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchUser操作"List attribute emails exceeds allowed limit of 1"。尝试为用户分配多个电子邮件地址时会发生此错误，因为 IAM Identity Center 仅支持每个用户一个电子邮件地址。身份提供商必须将 SCIM 映射配置为仅为每个用户发送一个电子邮件地址。


{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

IAM 身份中心中常见的 SCIM API 验证错误

在 IAM Identity Center 中使用 SCIM API 时，通常会在 CloudTrail 事件中出现以下验证错误消息。这些验证错误通常发生在用户和组置备操作期间。

有关解决这些错误和正确配置 SCIM 配置的详细指南，请参阅本AWS re:Post 文。

List attribute email exceeds allowed limit of 1
List attribute addresses allowed limit of 1
1 validation errors detected: Value at '*name.familyName*' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+
2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+
2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+",
来自的 JSON RequestBody
Invalid Filter format

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

IAM 身份中心登录事件示例

Amazon EventBridge

使用 AWS CloudTrail记录 IAM Identity Center SCIM API 调用

注意

示例 CloudTrail 事件

成功CreateUser操作

PatchGroup操作失败：缺少必需的路径属性

CreateGroup操作失败：组名已存在

PatchUser操作失败：不支持多个电子邮件地址

IAM 身份中心中常见的 SCIM API 验证错误

成功`CreateUser`操作

`PatchGroup`操作失败：缺少必需的路径属性

`CreateGroup`操作失败：组名已存在

`PatchUser`操作失败：不支持多个电子邮件地址