
FabioT.22923 (Customer) asked a question.
We are integrating AWS with Okta SAML/SCIM and trying to use some attributes at the group level:
We assigned a value to the attributes available under Applications->AWS->Assignments->Groups->Edit (on the XYZ group), but this value is not propagated through SCIM, and it is not documented whether or how it should be used in SAML assertions.

Hi @FabioT.22923 (Customer) , Thank you for reaching out to the Okta Community!
The catalog app for AWS does not support Provisioning, as stated in the template guide:
As for the SAML part of the configuration, that is hardcoded as well and does not offer the option to add additional attribute statements.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
Actually, we are using "AWS IAM Identity Center", which should be fully SAML/SCIM compliant.
Understood.
I've looked into that one now and the Provisioning part seems to be "partner-built", so I'm not sure if there's much we can do from the Okta side to troubleshoot.
Feel free to open a case and discuss the matter with one of our Support Engineers, but I also recommend reaching out to the service provider support.
Hi! Yes, "AWS IAM Identity Center" is simply the updated name for "AWS Single Sign-On", but it is the same AWS service, so this is the correct tile.
Please see this link from AWS on how to do what you ask! Thanks!
https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html
https://aws.amazon.com/blogs/security/build-an-end-to-end-attribute-based-access-control-strategy-with-aws-sso-and-okta/
I think you missed my point: we have the integration up and working with SAML and SCIM; the issue is that group attributes are not propagated correctly.
Yes, please see below for how that would be configured:
Then in the group assignment of the AWS SSO app, insert that same value for the attribute like so:
Finally, I recommend you download and install the SAML Tracer plugin to help identify what is being sent over. Thanks!
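As an added illustration (not part of any reply in this thread, and not Okta's or AWS's code), the check below does offline what the SAML Tracer plugin shows in the browser: it base64-decodes a SAMLResponse POST parameter, lists every attribute in the assertion's AttributeStatement, and reports which expected attributes are absent. The embedded response is a constructed, unsigned sample; the attribute names `email`, `groups` and the hypothetical group-level attribute `CostCenter` are assumptions chosen to mirror the thread's problem (an attribute set on the group assignment that never shows up in the assertion), not values taken from the original page.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a minimal, unsigned SAMLResponse resembling what SAML Tracer
# shows for an Okta -> AWS IAM Identity Center login. A real response is signed
# and carries Conditions/AuthnStatement; only the AttributeStatement matters here.
# Note: it deliberately lacks the hypothetical group-level attribute "CostCenter".
SAMPLE_RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2023-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exk-example</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
    <saml2:Issuer>http://www.okta.com/exk-example</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>aws-admins</saml2:AttributeValue>
        <saml2:AttributeValue>aws-readonly</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# The SAMLResponse form field is the base64 encoding of the XML above.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_b64):
    """Base64-decode the SAMLResponse POST parameter and parse it into an XML root.

    For responses captured from untrusted sources, parse with defusedxml instead of
    the stdlib parser to rule out entity-expansion tricks.
    """
    raw = base64.b64decode(saml_response_b64)
    return ET.fromstring(raw)


def attribute_statements(root):
    """Return {attribute Name: [values]} for every Attribute in the assertion(s)."""
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def missing_attributes(root, expected):
    """Names from `expected` that the assertion does not carry, or carries with no value."""
    present = attribute_statements(root)
    return [name for name in expected if not present.get(name)]


if __name__ == "__main__":
    root = decode_saml_response(SAMPLE_SAML_RESPONSE)
    for name, values in attribute_statements(root).items():
        print(f"{name}: {values}")
    # Expected attributes are an assumption; CostCenter stands in for the group-level
    # value the original poster set in Okta and could not find on the AWS side.
    print("missing:", missing_attributes(root, ["email", "groups", "CostCenter"]))
```

Paste the SAMLResponse value captured by SAML Tracer in place of the constructed sample: if the attribute you set on the group assignment is in the `missing` list, Okta is not emitting it in the assertion, and the fix belongs on the Okta attribute-statement side rather than in AWS IAM Identity Center.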