Azure AD provisioning to AWS Identity Center with custom user/group attributes

Vincent Chu Wai Chow 45 Reputation points
2023-07-04T06:15:59.57+00:00

On Azure Active Directory, I have some on-premises custom attributes which I have successfully synced to Azure AD. I have to connect Azure AD with AWS Identity Center (which was successful in provisioning); it is just that I am unable to sync the custom attributes (for ABAC purposes) from Azure AD to AWS Identity Center.

The list of custom attributes to be passed to AWS Identity Center: project, access_role, team

I followed the steps in this link: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes [but in the mappings for the target attribute, the custom attribute that I need does not appear in the dropdown]

https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes

#AzureActiveDirectory #AwsIdentityCenter #SCIM #CustomAttributes

I can't find any related errors; it just skips the automatic provisioning to AWS Identity Center.


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-07-13T09:41:42.7466667+00:00

    Hi @Anonymous,

    With Azure AD, you have two different ways to configure ABAC for use with IAM Identity Center. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true

    After logging in to the portal through the above URL, go to Provisioning -> Mappings.

    At the bottom of the page, open "Show advanced options", which enables the attribute list for editing.

    You can go to "Edit attribute list for AWSSingleSignon" to edit the target attribute list.

    For SCIM applications, the attribute name must follow the pattern urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute

    which will add the attribute to the target attributes available in the mappings.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-custom-extension-attribute-to-a-scim-compliant-application

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
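Added example (not part of the question or the accepted answer): once a custom extension attribute such as `urn:ietf:params:scim:schemas:extension:<Name>:2.0:User:project` is in the target attribute list and mapped, the provisioning service sends it to AWS Identity Center inside the SCIM User body under its extension schema URN rather than as a top-level attribute. The script below validates target attribute names against the pattern quoted in the answer, builds the SCIM User body that results from a mapping, and flattens the extension attributes back out so they can be compared with the list of attributes the target supports (the AWS page linked in the question). The extension name `AWSABAC`, the user `vincent@example.com`, the sample mapping values and the `SUPPORTED_FOR_ABAC` list are all constructed placeholders for illustration, not values from AWS or Microsoft documentation.

```python
import json
import re

# Pattern quoted in the accepted answer for SCIM extension attributes:
#   urn:ietf:params:scim:schemas:extension:<ExtensionName>:2.0:User:<Attribute>
EXT_ATTR_RE = re.compile(
    r"^(?P<schema>urn:ietf:params:scim:schemas:extension:(?P<ext>[A-Za-z0-9_-]+):2\.0:User)"
    r":(?P<attr>[A-Za-z][A-Za-z0-9_]*)$"
)

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Hypothetical extension name chosen for this example (assumption).
EXT = "urn:ietf:params:scim:schemas:extension:AWSABAC:2.0:User"

# Constructed sample of an Entra attribute mapping: target attribute name -> value
# already resolved from the source attribute for one user.
SAMPLE_MAPPING = {
    "displayName": "Vincent Chu",
    f"{EXT}:project": "alpha",
    f"{EXT}:access_role": "reader",
    f"{EXT}:team": "payments",
}

# Constructed placeholder; replace with the attribute paths the target actually
# supports (see the AWS attribute-mapping page linked in the question).
SUPPORTED_FOR_ABAC = [f"{EXT}:project"]


def parse_extension_attribute(name: str):
    """Split a target attribute name into (schema URN, attribute name).

    Raises ValueError if the name does not follow the required pattern,
    which is the same reason a bare name like "project" cannot be
    entered as a custom SCIM target attribute.
    """
    m = EXT_ATTR_RE.match(name)
    if not m:
        raise ValueError(f"not a valid SCIM extension attribute name: {name!r}")
    return m.group("schema"), m.group("attr")


def build_scim_user(user_name: str, mapped: dict) -> dict:
    """Build the SCIM User body that a provisioning run would emit for `mapped`.

    Core attributes are keyed by their bare name; extension attributes are
    nested under their schema URN, and that URN is added to "schemas".
    """
    body = {"schemas": [CORE_USER_SCHEMA], "userName": user_name, "active": True}
    for target, value in mapped.items():
        if target.startswith("urn:"):
            schema, attr = parse_extension_attribute(target)
            if schema not in body["schemas"]:
                body["schemas"].append(schema)
            body.setdefault(schema, {})[attr] = value
        else:
            body[target] = value
    return body


def extension_attributes(body: dict) -> dict:
    """Flatten every extension attribute in a SCIM User to {full_name: value}."""
    out = {}
    for schema in body.get("schemas", []):
        if schema == CORE_USER_SCHEMA:
            continue
        for attr, value in body.get(schema, {}).items():
            out[f"{schema}:{attr}"] = value
    return out


def unsupported_attributes(body: dict, supported) -> list:
    """Extension attributes in `body` that are not in the `supported` list.

    Anything returned here will not be usable for ABAC on the target even
    though the provisioning run itself may report no error.
    """
    return sorted(set(extension_attributes(body)) - set(supported))


if __name__ == "__main__":
    user = build_scim_user("vincent@example.com", SAMPLE_MAPPING)
    print(json.dumps(user, indent=2))
    print("not supported for ABAC:", unsupported_attributes(user, SUPPORTED_FOR_ABAC))
```

Running the script prints the SCIM body with both schema URNs in `schemas` and the three custom values nested under the `AWSABAC` extension URN; `unsupported_attributes` then lists `access_role` and `team` because the placeholder support list only contains `project`. Swapping `SUPPORTED_FOR_ABAC` for the real list from the AWS page is the check to run before assuming a silently "skipped" attribute is a mapping problem rather than a target limitation.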


0 additional answers