Azure AD provisioning to AWS Identity Center with custom user/group attributes

Question

Azure AD provisioning to AWS Identity Center with custom user/group attributes

Vincent Chu Wai Chow 45

On Azure Active Directory, I have some on-premises custom attributes which i have successfully synced on Azure AD. I have to connect Azure AD with AWS Identity Center (which was successful in provisioning); it is just I am unable to sync the custom attributes (ABAC purpose) on Azure AD to AWS Identity Center.

The list of custom attributes: project, access_role, team to be passed to AWS identity center

I followed the steps in this link: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes [but in the mappings for the target attribute: the custom attribute that i need does not appear in the dropdown]

https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes

#AzureActiveDirectory #AwsIdentityCenter #SCIM #CustomAttributes

I cant find the errors related; it just skips the automatic provisioning to AWS Identity Center

#AzureActiveDirectory #AwsIdentityCenter #SCIM #CustomAttributes

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-07-06T12:33:51.4766667+00:00

Hi @Anonymous ,

Thanks for reaching out.

I am working on this and will revert you soon.

Thanks,

Shweta

Accepted answer

0 additional answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-07-06T12:33:51.4766667+00:00

Hi @Anonymous ,

Thanks for reaching out.

I am working on this and will revert you soon.

Thanks,

Shweta

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Anonymous ,

With Azure AD, you have two different ways to configure ABAC for use with IAM Identity Center.The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true

After login to the above portal, go to Provision -> Mapping.

At the bottom of the page, go to Show Advance Options which enables attribute list for editing. User's image

You can go to "Edit attribute list for AWSSingleSignon" to edit the target attribute.

For SCIM applications, the attribute name must follow the pattern urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute

User's image

which will add the attribute in target to target map in mappings.

User's image

Reference: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-custom-extension-attribute-to-a-scim-compliant-application

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Vincent Chu Wai Chow 45 Reputation points

2023-07-13T09:59:31.04+00:00

i went around and got some logs

one of them was:

"StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: {""schema"":[""urn:ietf:params:scim:api:messages:2.0:Error""],""schemas"":[""urn:ietf:params:scim:api:messages:2.0:Error""],""detail"":""Request is unparsable, syntactically incorrect, or violates schema."",""status"":""400"",""exceptionRequestId"":""d84c5253-0416-4f59-ad34-9c30ceaf79ae"",""timeStamp"":""2023-07-10 15:30:02.485""}. This operation was retried 2 times. It will be retried again after this date: 2023-07-11T03:30:02.5282319Z UTC"

i have a dumb question not sure if it is good to ask. What if the on-premises attribute "extension_8a8699e8deb24c83810d92c8c051e060_msDS_cloudExtensionAttribute1" is of type "unicode string" and on azure ad the target attribute is of type "string" is this an issue?

I posted on aws forum also

https://repost.aws/questions/QU82_mjERSQQSooCouCBxoZw/identity-center-provisioning-by-azure-active-directory-with-custom-attributes-for-abac
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2023-07-13T17:40:06.7666667+00:00

Shweta's answer is correct as far as how to add new target attributes goes. As far as the typing between on-prem, Azure AD/Entra ID, and the SCIM server, as long as all of them are some form of "string" it should be fine. The error being returned from Amazon Web Services indicates that they don't like the payload that is being provided - based on past experience, the attribute you're trying to send to them is likely not supported or is named/defined incorrectly in the AAD Provisioning config when compared to what AWS is expecting.
Vincent Chu Wai Chow 45 Reputation points

2023-07-14T03:48:46.27+00:00

e.g in my case will be like this i guess to add in the advanced attribute list?

urn:ietf:params:scim:schemas:extension:[extension_8a8699e8deb24c83810d92c8c051e060_msDS_cloudExtensionAttribute1 - on-prem attributes]:2.0:User:[project - target attribute on aws identity center] **[tried this in advanced list]

@Anonymous @Shweta Mathur correct me if im wrong. Thanks

Update:

i tried the above, still has same error "Request is unparsable, syntactically incorrect, or violates schema."
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-07-14T10:39:25.3333333+00:00

Vincent Chu,

I am checking on this error and will revert you.

Could you please confirm did you added those custom attributes in AWS as well?
Vincent Chu Wai Chow 45 Reputation points

2023-07-14T10:42:33.1266667+00:00
This is on the abac side of identity center

Can you give me a working example if the name should be like this ?? as follows:

urn:ietf:params:scim:schemas:extension:extension_8a8699e8deb24c83810d92c8c051e060_msDS_cloudExtensionAttribute:2.0:User:project

in the advanced list attribute

I tried this also

urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute

It did not work; maybe im doing something wrong.
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2023-07-17T13:47:52.3866667+00:00

The attribute URN path is something defined by the SCIM app, not Azure AD/Entra ID. We can't tell you what will work here, the documentation/support from the app in question will need to. It is also possible that the attributes in question are not exposed via SCIM.

I would expect that if these attributes are exposed via SCIM it would be via something closer to urn:ietf:params:scim:schemas:extension:AWS:2.0:User:project - it's unlikely that my example is correct, but whatever the path is would be defined by Amazon(or whoever owns the SCIM server) and not by Microsoft.
Vincent Chu Wai Chow 45 Reputation points

2023-07-21T08:31:52.8133333+00:00

ok :) thanks, i will enquire on the aws' side. Thanks for the help
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-07-21T10:25:33.0966667+00:00

Hi Vincent Chu •,

As the issue is not from our end, could you "Accept the answer" to your initial query which help others in the community looking for similar ask to add attributes.

Thanks,

Shweta
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2023-07-24T21:58:06.4633333+00:00

Quick update/extra info from a contact on AWS' SCIM engineering team - while AWS supports extending their schema, AWS' SCIM implementation does not support that yet.
Vincent Chu Wai Chow 45 Reputation points

2023-07-25T03:31:47.6133333+00:00

https://docs.aws.amazon.com/singlesignon/latest/developerguide/limitations.html

I found this i think this is their acceptable schema.

Share via

Azure AD provisioning to AWS Identity Center with custom user/group attributes

0 additional answers

Your answer