Following the instructions in the AWS blog post entitled "The Next Evolution in AWS Single Sign-On", I have created an Enterprise Application in Azure Active Directory and changed the identity source in AWS SSO to be Azure AD. As an initial test, I configured AWS SSO provisioning to "manual" and created a user in AWS SSO with a "Username" that matches my Azure AD "Unique User Identifier". I was able to log into the AWS console successfully. When I tested sign on using "Test this application" in Azure AD it worked as expected and I was successfully logged into AWS with the option to choose an account and role to assume.
The problem is that I cannot get automatic user provisioning to work.
I enabled automatic provisioning in AWS SSO.
I enabled automatic provisioning in Azure AD.
I have one group assigned to the Azure AD Enterprise Application, containing three users.
As the blog post recommends, I created a mapping between the objectId Azure Active Directory attribute and the
I've waited at least 40 minutes.
There are no entries in the Azure AD provisioning logs showing interaction between Azure AD and AWS.
The Azure AD audit log shows a success entry stating "Provisioning to enterprise application access was configured and started".
I tried "Clear current state and restart synchronization", but user provisioning still did not start. The audit log records this action as "Provisioning to access was restarted. We will revisit all users in your directory".
Azure AD always says "Initial cycle not run". The Azure SSO Users and Groups pages are both empty, but I am expecting to see three users and one group.
What could be wrong?
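One way to separate an Azure AD-side problem from an AWS-side one is to send the same SCIM request Azure AD's provisioning service sends at the start of a cycle (a filtered GET on /Users by the matching attribute) directly to the AWS SSO SCIM endpoint with the access token from the AWS SSO console. The script below is an added example, not code from the question, the blog post or either vendor; the endpoint URL, token, user name and the embedded SCIM response are placeholders and constructed sample data, not real values.

```python
"""Probe an AWS SSO SCIM endpoint the way Azure AD provisioning does.

Added example (not part of the original post). SCIM_ENDPOINT and SCIM_TOKEN
are placeholders: copy the real values from the AWS SSO console under
"Automatic provisioning" before running against a live tenant.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions), to be replaced with the values AWS SSO shows.
SCIM_ENDPOINT = "https://scim.example.invalid/TENANT-ID/scim/v2/"
SCIM_TOKEN = "REPLACE-WITH-AWS-SSO-ACCESS-TOKEN"

# Constructed sample SCIM ListResponse (not captured from a real tenant).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "itemsPerPage": 1,
    "startIndex": 1,
    "Resources": [{
        "id": "11111111-2222-3333-4444-555555555555",
        "userName": "jdoe@example.com",
        "externalId": "00000000-0000-0000-0000-000000000001",
        "active": True,
    }],
})


def build_user_filter_request(endpoint, token, user_name):
    """Build GET /Users?filter=userName eq "<user>" (RFC 7644 filter syntax).

    Azure AD issues this query for every assigned user before deciding whether
    to create or update it, so a successful reply proves the endpoint URL and
    bearer token are usable from outside Azure AD.
    """
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    url = endpoint.rstrip("/") + "/Users?" + query
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
        method="GET",
    )


def parse_list_response(body):
    """Validate a SCIM ListResponse and return its Resources list."""
    doc = json.loads(body)
    schemas = doc.get("schemas", [])
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in schemas:
        raise ValueError(f"not a SCIM ListResponse: schemas={schemas}")
    resources = doc.get("Resources", [])
    if int(doc.get("totalResults", 0)) == 0 and resources:
        raise ValueError("totalResults is 0 but Resources is non-empty")
    return resources


def extract_external_ids(resources):
    """Map userName -> externalId; with the objectId mapping in place the
    externalId should be the user's Azure AD object ID."""
    return {r.get("userName"): r.get("externalId") for r in resources}


def offline_opener(req, timeout=10):
    """Stand-in for urllib.request.urlopen that returns the sample response,
    so the probe logic can be exercised without network access."""
    class _Resp:
        def read(self):
            return SAMPLE_LIST_RESPONSE.encode("utf-8")
        def __enter__(self):
            return self
        def __exit__(self, *exc):
            return False
    return _Resp()


def probe_user(endpoint, token, user_name, opener=urllib.request.urlopen):
    """Run the query and turn the common HTTP failures into actionable hints."""
    req = build_user_filter_request(endpoint, token, user_name)
    try:
        with opener(req, timeout=10) as resp:
            return parse_list_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        hints = {
            401: "token rejected; generate a new access token in AWS SSO and paste it into Azure AD",
            404: "path not found; the URL must match the SCIM endpoint shown in the AWS SSO console",
        }
        raise RuntimeError(f"HTTP {exc.code}: {hints.get(exc.code, exc.reason)}") from exc


if __name__ == "__main__":
    # Offline demonstration; swap offline_opener for the default to hit AWS.
    users = probe_user(SCIM_ENDPOINT, SCIM_TOKEN, "jdoe@example.com", opener=offline_opener)
    print(extract_external_ids(users))
```

Against a live endpoint, a 401 points at the token pasted into Azure AD, a 404 at the endpoint URL, and a well-formed ListResponse with totalResults 0 means the endpoint and token are fine and the provisioning cycle simply has not run yet.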