<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D51Y000081nHGTSA2Okta Classic EngineSingle Sign-OnAnswered2024-04-16T12:20:45.000Z2020-03-11T08:57:21.000Z2020-08-26T23:03:07.000Z

dziev (dziev) asked a question.

Edited March 11, 2020 at 8:57 AM
Cannot use groups push with AWS SSO

Hello,

 

I'm trying to set up a proof of concept for a client that is using Okta as IdP (with AD backend) but manual IAM auth in AWS. I want to integrate their Okta with AWS SSO.

( https://controltower.aws-management.tools/infrastructure/sso/okta_sso/ )

 

My SCIM provisioning configuration is working fine for users sync, but for groups push I got an error in the Okta console.

 

"Unable to update Group Push mapping target App group dev-admin: Error while creating user group dev-admin: Bad Request. Errors reported by remote server: Request is unparsable, syntactically incorrect, or violates schema."

 

In the documentation I found:

 

"

Limitation

Using the same Okta group for assignments and for group push is not currently supported. To maintain consistent group membership between Okta and the downstream app, you need to create a separate group that is configured to push groups to the target app.

"

 

So I did unsubscribe my Okta users from their groups, push them again, and the sync worked.

But now I cannot assign users to groups in AWS SSO because AWS says that

 

"Your identity source is currently configured as 'External identity provider'. To add new groups or edit their memberships, you must do this using your external identity provider. "

 

I'm stuck in this situation. Does that mean that SCIM provisioning with AWS SSO is not currently supported by Okta ?

 

Best Regards,

 

Nathan

  • 3 answers
  • 4.92K views
AlexandruB.51517 likes this.

  • AlexandruB.51517 (Customer)

    I have the same situation and the same scenario I tested. Still blocked when I am trying to add users to Okta groups, the sync gets broke and I can't push group membership in AWS SSO.

  • 3me3d (3me3d)

    I also ran into this issue.

     

    After trying a number of things on my end, I ended up reaching out to both AWS Support and Okta support. I didn’t really get anywhere with Okta, but was informed by AWS that this is a known issue (see the bottom of this message for the whole reply).

     

    Fortunately, a resolution is planned. Unfortunately, but not unexpectedly, the estimated resolution time is 3 - 6 months with no more specific date available. After some initial disappointment, I realized SCIM is an open protocol and started experimenting with Postman to see if I could manually add a user to a group.

     

    Long story short, that experiment was successful and lead me to create my own connector to synchronize the groups. You can find it here: https://github.com/myles2007/okta-aws-sso-scim-groups-connector.

     

    I still plan to make some improvements and hopefully publish it to the Serverless Application Repository for easier deployment, but it’s deployable and working in its current form. If you decide to use it and run into any issues, please let me know on GitHub.

     

    AWS Support (full reply)

    -----------------------------------

    Hey Myles,

     

    Thanks for contacting AWS Premium Support. My name is Ciarán and I’m with the Security Profile.

     

    I see that you’re looking to use the Okta IdP as an External IdP within the AWS SSO service, but are hitting the issue of IdP-side changes to group memberships not being reflected over in AWS SSO.

     

    I’m afraid that this is a known matter, as Okta wasn’t thoroughly tested with the External IdP functionality in AWS SSO. Only one IdP was tested to ensure functionality, and that was Azure AD. The issue here is that SCIM from Okta to AWS SSO is not fully functional.

     

    There is light at the end of the tunnel, though, because Okta is one of the next IdPs to be released with the External IdP functionality in AWS SSO. I’m afraid that I’m unable to share the projected release date with you, but it is planned to come out in the next 3 - 6 months. In the meantime, there is this tutorial available [1], but please note that as Okta currently isn’t a supported External IdP with AWS SSO, all support on it is best-effort. Okta is not an IdP I have tested with, so this tutorial may only get you to the same state that you’re currently in with assignments, but it’s worth a review in case assignments are handled differently to what you currently have in place.

     

    Let me know if you have any follow-up queries on this matter, or if you hit any issues. On the issue front, I’ll see what I can do in the way of a trial account and building it out.

     

    [1] https://controltower.aws-management.tools/infrastructure/sso/okta_sso/

    Expand Post
This question is closed.
Loading
Cannot use groups push with AWS SSO