Migrate From Custom SCIM-Based AWS Provisioning to AWS IAM Identity Center in Okta
Last Updated:
Overview
Amazon Web Services (AWS) is deprecating the System for Cross-domain Identity Management (SCIM) PatchGroup API operations used by custom SCIM-based AWS integrations. To prevent service disruption, administrators must migrate to the Okta-verified AWS IAM Identity Center application from the Okta Integration Network (OIN), which uses AWS's new cursor-based pagination.
After August 31, 2026, AWS permanently blocks all Remove All and Replace operations, causing provisioning failures, deprovisioning drift, and broken group membership synchronization for custom SCIM-based applications.
NOTE: This article applies only to environments using a custom SCIM-based application to provision users and groups to AWS IAM Identity Center. If the environment already uses the AWS IAM Identity Center application from the OIN, or if the environment only uses Okta for AWS Single Sign-On (SSO) without provisioning, administrators do not need to take action.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- AWS IAM Identity Center
- System for Cross-domain Identity Management (SCIM)
- Custom SCIM-based Applications
Cause
AWS announced a phased deprecation of the SCIM PatchGroup API. After August 31, 2026, AWS permanently blocks all Remove All and Replace operations, causing provisioning failures, deprovisioning drift, and broken group membership synchronization for custom SCIM-based applications. Custom SCIM-based AWS integrations rely on these calls for group-membership synchronization.
Solution
What are the prerequisites for migrating to AWS IAM Identity Center?
Ensure the environment meets the following prerequisites before beginning the migration process.
- An active custom SCIM-based application in Okta provisioning users and groups to AWS IAM Identity Center.
- An App Administrator or Super Administrator role in Okta.
- Administrator access to AWS IAM Identity Center in the AWS account.
How is the migration to AWS IAM Identity Center performed?
This migration requires actions in both the AWS environment and the Okta Admin Console. Okta recommends completing the steps in a maintenance window and keeping the legacy application active until verifying the new integration to avoid any provisioning gap.
Step 1: Generate New SCIM Credentials in AWS IAM Identity Center
- Sign in to the AWS IAM Identity Center console as an administrator.
- Go to Settings in the left navigation.
- Under the Identity source tab, choose Enable next to Automatic provisioning, or Manage if it is already enabled.
- Copy the SCIM endpoint URL and generate a new Access token. Store the access token securely, as it can only be viewed once.
Step 2: Add the AWS IAM Identity Center Application From the OIN
- In the Okta Admin Console, go to Applications > Applications > Browse App Catalog.
- Search for AWS IAM Identity Center and select the application.
- Select Add Integration and complete the General Settings (label, sign-on URL) for the environment.
- Optionally, configure SAML/sign-on to match the existing SSO setup to preserve end-user access.
Step 3: Configure Provisioning on the New Application
- On the newly added AWS IAM Identity Center application, select the Provisioning tab and select Configure API Integration.
- Select Enable API integration, then paste the SCIM endpoint URL and Access token copied from Step 1.
- Select Test API Credentials and confirm a successful response, then select Save.
- Under To App, enable Create Users, Update User Attributes, and Deactivate Users.
Step 4: Push Groups to the New Application
- On the new application, select the Assignments tab and assign the same users and groups currently assigned on the legacy SCIM application.
- On the Push Groups tab, push the same Okta groups to AWS IAM Identity Center that were being pushed by the legacy application, mapping each to the equivalent AWS group.
- Verify in the AWS IAM Identity Center console that users and group memberships synced as expected.
Step 5: Decommission the Legacy SCIM-based AWS Application
- Once verified that the new integration provisions correctly, return to the legacy SCIM application in Okta.
- On the Provisioning tab, select Edit under To App and disable Create Users, Update User Attributes, and Deactivate Users.
- Unassign all users and groups from the legacy application.
- Once no further provisioning activity is confirmed, deactivate the legacy application.
If issues occur during migration, contact Okta Support and reference this article. For larger or more complex deployments, the Customer Success Manager (CSM) or Technical Account Manager can engage Okta Professional Services to assist with the migration.
