AWS Control Tower SCIM

I’m looking to set up AWS Control Tower SCIM. I’ve followed the outline from AWS, everything is working except for the push groups. So the group shows up in AWS after pushing and states it was created via SCIM, but still shows an error and won’t provision users.

Any thoughts?

Changes to the Group push mapping for the group awsssoPowerUsers could not take effect due to error: Error while creating user group awsssoPowerUsers: Exception in deserializing the Group Json String. Error message=Resource ‘Group’ is malformed: ‘urn:scim:schemas:core:1.0’ must be declared in the schemas attribute., json string={“id”:“14b854c8-00d1-706e-055b-728557f8828a”,“meta”:{“resourceType”:“Group”,“created”:“2024-05-10T18:24:17Z”,“lastModified”:“2024-05-10T18:24:17Z”},“schemas”:[“urn:ietf:params:scim:schemas:core:2.0:Group”],“displayName”:“awsssoPowerUsers”,“members”:}, uri=null


This question seems to have schemas mixed between SCIM V1.1 and SCIM V2.0.

Based on the doc I see here from AWS, they could be expecting V2.0. Make sure to pick the same SCIM versions in Okta and AWS and let us know if that solves your issue.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.