You’ve configured SCIM provisioning between your identity provider (Azure AD, Okta, OneLogin) and AWS IAM Identity Center. You’ve assigned users to the app in your IdP. But when you check the IAM Identity Center console, the users and groups aren’t there. Or they appear and then disappear. In this post, I’ll show you how to diagnose and fix SCIM provisioning issues.
The Problem
Users and groups from your identity provider are not appearing in IAM Identity Center, or existing users are being deprovisioned unexpectedly. Sometimes the provisioning status shows “warning” or “error” in your IdP’s provisioning logs.
Common error patterns in provisioning logs:
| Error Message | Interpretation |
|---|---|
| “Invalid SCIM endpoint” | Endpoint URL is malformed or inaccessible |
| “Unauthorized - 401” | Bearer token is missing or expired |
| “Missing required attribute: userName” | User object in IdP doesn’t have a userName attribute |
| “Email address already exists” | Duplicate user or incorrect deduplication logic |
| “Group not found” | Group membership sync attempted but group doesn’t exist in IAM Identity Center |
Why Does This Happen?
- Incorrect SCIM endpoint or token: The SCIM endpoint URL or bearer token in your IdP is incorrect, expired, or was regenerated in IAM Identity Center without updating the IdP.
- Missing required attributes: IAM Identity Center requires `userName` and `emails[primary].value` for every user. If your IdP user doesn’t have these attributes populated, provisioning fails silently.
- User not assigned to the app in IdP: In Azure AD, Okta, and most IdPs, users must be explicitly assigned to the IAM Identity Center enterprise application. Unassigned users are not synced.
- SCIM token was regenerated: Each token is valid once. If you regenerate the token in IAM Identity Center, the old token in your IdP no longer works, and provisioning will fail with 401 errors.
- Group nesting not supported: IAM Identity Center only supports direct group membership. Nested groups (groups within groups) are not provisioned correctly.
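As an added illustration (not code from the original post or from AWS), here is a small Python pre-flight check that runs over constructed SCIM user and group payloads and flags the same failure modes listed above (missing userName, missing primary email, duplicate email, nested group members) before they surface as errors in the IdP’s provisioning logs. The sample payloads and the `$ref`/`type` member fields are assumptions modelled on the SCIM 2.0 core schema, not an export from a real IdP.

```python
# Constructed sample SCIM payloads (not from a real IdP export): one valid user,
# one missing userName, one with no primary email, one reusing another user's
# email, and a group whose members include another group (nested membership).
SAMPLE_USERS = [
    {"userName": "alice@example.com",
     "emails": [{"value": "alice@example.com", "primary": True}]},
    {"emails": [{"value": "bob@example.com", "primary": True}]},
    {"userName": "carol@example.com",
     "emails": [{"value": "carol@example.com"}]},          # no primary flag
    {"userName": "dave@example.com",
     "emails": [{"value": "alice@example.com", "primary": True}]},
]
SAMPLE_GROUPS = [
    {"displayName": "engineering",
     "members": [{"value": "u-1", "type": "User", "$ref": "https://idp.example/Users/u-1"},
                 {"value": "g-2", "type": "Group", "$ref": "https://idp.example/Groups/g-2"}]},
]


def primary_email(user):
    """Return the email marked primary, or None when no such entry exists."""
    for entry in user.get("emails", []):
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    return None


def check_users(users):
    """Return (index, problem) pairs for users IAM Identity Center would reject."""
    problems, seen = [], set()
    for i, user in enumerate(users):
        if not user.get("userName"):
            problems.append((i, "missing required attribute: userName"))
        email = primary_email(user)
        if email is None:
            problems.append((i, "missing required attribute: emails[primary].value"))
        elif email.lower() in seen:           # only the later duplicate is flagged
            problems.append((i, f"email address already exists: {email}"))
        else:
            seen.add(email.lower())
    return problems


def check_groups(groups):
    """Flag members that are themselves groups: nested membership is not provisioned."""
    problems = []
    for group in groups:
        for member in group.get("members", []):
            if member.get("type") == "Group" or "/Groups/" in member.get("$ref", ""):
                problems.append((group["displayName"],
                                 f"nested group member {member['value']} will not sync"))
    return problems
```

Point `check_users` and `check_groups` at a JSON export of your IdP’s SCIM mappings to catch these issues before a provisioning cycle runs.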
The Fix
First, verify your SCIM configuration in IAM Identity Center:
```bash
aws sso-admin get-identity-center-configuration \
  --instance-arn arn:aws:sso:::instance/ssoins-7223a5d90eexample \
  --region us-east-1
```
In the IAM Identity Center console, navigate to Settings > Identity source. If using SCIM, you’ll see the provisioning status and a regenerate token option.
Step 1: Verify SCIM Endpoint and Token
If provisioning shows errors, regenerate the SCIM bearer token:
- Go to IAM Identity Center > Settings > Identity source > SCIM configuration
- Click Regenerate token
- Copy the new token (it appears only once)
- Go to your IdP settings and update the bearer token
- For Azure AD: Enterprise applications > AWS IAM Identity Center > Provisioning > Test connection
- For Okta: Applications > AWS IAM Identity Center > Provisioning > Test connection
Step 2: Check User Attributes in IdP
For Azure AD, go to Enterprise applications > AWS IAM Identity Center > Provisioning > Mappings > Provision Azure Active Directory Users.
Verify these mappings exist:
- mailNickname → userName
- userPrincipalName → emails[primary].value, OR mail → emails[primary].value
For Okta, verify attribute mappings in the application > Provisioning > To App tab.
Step 3: Verify User Assignment
Azure AD: Enterprise applications > AWS IAM Identity Center > Users and groups. Ensure users are listed as “Assigned”.
Okta: Applications > AWS IAM Identity Center > Assignments tab. Ensure users and groups are assigned to the app.
Step 4: Force Sync
In Azure AD: Provisioning > Restart provisioning. This immediately re-evaluates all assigned users.
In Okta: Provisioning > To App > Deprovisioning Rules > Unmap users. Then reassign.
How to Run This
- Regenerate SCIM token in IAM Identity Center
- Update the token in your IdP
- Run Test Connection in the IdP’s provisioning settings
- If test fails, check the provisioning logs (Azure AD: Provisioning > Logs; Okta: System Log with filter event.type:system.scim)
- Verify user attributes have the required fields
- Ensure users are assigned to the application
- Force a provisioning cycle in your IdP
- Wait 5-10 minutes and check IAM Identity Center > Users for new users
Is This Safe?
Yes. SCIM provisioning is designed to sync identity data. Regenerating the token invalidates the old token and doesn’t affect existing users already provisioned to IAM Identity Center.
Key Takeaway
SCIM provisioning failures usually come down to three things: incorrect token, missing user attributes, or users not assigned to the application. Always check your IdP’s provisioning logs first—they contain the actual error messages that tell you exactly what’s wrong.
Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.