Azure AD SCIM Provisioning Error with AWS SSO

shlomi halif 26 Reputation points
2022-03-16T10:36:49.51+00:00

Hi,

I've configured an Enterprise app that does SSO to AWS.
In the provisioning step, I came across an issue with the synchronization of one of the provisioned group members, as follows:

Error code:
SystemForCrossDomainIdentityManagementServiceIncompatible

Error message:
StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: {"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400","exceptionRequestId":"6cd195be-4840-4741-97ea-bd53732a1002","timeStamp":"2022-03-16 07:37:36.97"}. This operation was retried 3 times. It will be retried again after this date: 2022-03-17T07:37:36.9945089Z UTC

FYI:
The group assigned to the Enterprise App contains 5 members in total. 4 of them synced properly (just one of them gets that error message).

Can anybody help me?


Accepted answer
  1. Danny Zollner 9,871 Reputation points Microsoft Employee
    2022-03-22T20:11:36.43+00:00

    That's an error returned by AWS. From experience, it means that the request being sent to them contains one or more attributes that are not supported on the AWS SSO side.

    The best way to handle this is to add the AWS Single Sign-On application from the Azure AD Enterprise App Gallery. The provisioning configuration included with this has been configured to be compatible with AWS Single Sign-On's SCIM implementation out of the gate. I would wager that you've configured SCIM provisioning to AWS Single Sign-On via our Custom Non-Gallery Application option instead, which is a "one size fits all" approach that sometimes requires tweaking to get working, as you've seen here.


3 additional answers

  1. Givary-MSFT 30,931 Reputation points Microsoft Employee
    2022-03-21T06:34:43.287+00:00

    @shlomi halif

    Apologies for the delay in reaching out to you.

    I would like to check if you are still facing the above-mentioned issue related to provisioning a group for your enterprise application?


  2. Tim Stock 0 Reputation points
    2023-02-02T11:47:21.1866667+00:00

    Did you check the Troubleshooting tips on this page: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial

    It tells you that 4 attributes are needed from the AWS side:

    • firstName
    • lastName
    • displayName
    • username

    This caused the same error for me this morning.
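As an added example (not code from the thread or from Microsoft/AWS), a small Python check for the two things the answers above point at: whether an outbound SCIM user payload carries the four attributes Tim Stock lists, and which attributes fall outside the set this example assumes AWS SSO accepts; it also pulls the AWS error body out of the Azure AD message so exceptionRequestId and timeStamp can be quoted to AWS support. The allowed-attribute set and the mapping of firstName/lastName to name.givenName/name.familyName are assumptions made for this example.

```python
import json
import re

# The four attributes the thread says AWS SSO requires, as SCIM 2.0 user paths.
# Assumption: Azure AD firstName/lastName map to name.givenName/name.familyName.
REQUIRED_PATHS = ("userName", "displayName", "name.givenName", "name.familyName")

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Top-level attributes this example treats as safe to send (assumption; the AWS
# SSO SCIM documentation is the authority on what the endpoint really accepts).
ALLOWED_TOP_LEVEL = {"schemas", "externalId", "userName", "displayName", "name",
                     "active", "emails", "title", "addresses", "phoneNumbers",
                     "preferredLanguage", "locale", "timezone", "nickName",
                     ENTERPRISE_SCHEMA}

def _get_path(obj, path):
    """Walk a dotted path such as name.givenName; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def check_user_payload(payload):
    """Report what would plausibly make AWS SSO answer 400 to this user payload."""
    missing = [p for p in REQUIRED_PATHS if not _get_path(payload, p)]
    unexpected = sorted(k for k in payload if k not in ALLOWED_TOP_LEVEL)
    known = (CORE_USER_SCHEMA, ENTERPRISE_SCHEMA)
    bad_schemas = [s for s in payload.get("schemas", []) if s not in known]
    return {"missing": missing, "unexpected": unexpected, "bad_schemas": bad_schemas}

def extract_scim_error(message):
    """Pull the JSON body AWS returned out of Azure AD's provisioning error text."""
    m = re.search(r"Web Response: (\{.*?\})\.", message)
    if not m:
        return {}
    body = json.loads(m.group(1))
    return {k: body.get(k) for k in ("status", "detail", "exceptionRequestId", "timeStamp")}

# Constructed sample: a user missing displayName and carrying a top-level
# "department" attribute instead of placing it under the enterprise extension.
SAMPLE_USER = {"schemas": [CORE_USER_SCHEMA], "externalId": "example-ext-id",
               "userName": "jdoe@example.com", "active": True,
               "name": {"givenName": "Jane", "familyName": "Doe"},
               "department": "Finance"}

# Shortened copy of the error message quoted in the question above.
SAMPLE_ERROR = ('StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. '
                'Web Response: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
                '"detail":"Request is unparsable, syntactically incorrect, or violates schema.",'
                '"status":"400","exceptionRequestId":"6cd195be-4840-4741-97ea-bd53732a1002",'
                '"timeStamp":"2022-03-16 07:37:36.97"}. This operation was retried 3 times.')
```

Running `check_user_payload(SAMPLE_USER)` reports `displayName` as missing and `department` as unexpected, which is the kind of per-user difference that explains why only one of five group members fails.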

