Open wernerwws opened 3 years ago
Hello @wernerwws,
thanks for testing the provider! Great to hear that it works great.
We currently did not need the functionality of creating users, but I will take a look into enabling those features as well. Totally makes sense.
Hello @wernerwws,
the current feature branch (feature/7-aws-sso-scim_user, #8) contains a minimal implementation to create users, but I would like to spend more time on making it a feature complete (with the remaining attributes) resource. Is there any time requirement from your side? If so I can cut a release with that minimal implementation first.
I also need this feature, just to create SSO user. Thank you a lot for spending time on it @JanKoppe
Hi @JanKoppe,
it is not urgent on my side. Thank you for your work!
Best Werner
Hi @JanKoppe, can you cut a release with minimal implementation please?
Hello @quanght55,
I've just released v0.3.1, which includes the current state of the `aws-sso-scim_user` resource. Hopefully that helps you already for now. v0.3.0 sadly did not include the documentation page for that, because I forgot to generate it. Functionally they are identical otherwise. Sorry about that.
Hello, I just tried the `aws-sso-scim_user`, it works great but created users are disabled by default. I'm also using GSuite as the SSO provider, which requires setting the primary email for each user. Can we add support for the `active` and `emails` fields please?
@manospasj I also use it with Gsuite and providing the email as the `user_name` worked for me. I think you can also configure a mapping on the GSuite side, but that was not needed in my case.
Thanks @wernerwws, the email is required in the AWS console and I assumed it was needed for GSuite as well. I will try just with the user_name as you suggested
Hey! Sorry for not responding earlier, actually starting a 2-week vacation right now. I saw your PR already, that's really great to see. Let's try and get that in, I think I can spend a bit of time on that to get you up and running, despite my vacation.
Thanks for that! I appreciate it! I can now confirm that the `emails` field is not required. Hopefully adding the `active` field is a small enough change that can be implemented relatively quickly.
I've used this provider to sync across my Google Workspace users and groups to AWS SSO, but I'm still having some issues with the SAML IdP flow - can anyone confirm whether the `userName` and `active` flag are the only necessary fields to set for this (along with the required name fields)? Perhaps someone has written a blog post? I've tried manually populating some fields but with no success.
Oddly enough, the SP flow seems to work properly.
SP flow will likely work automatically due to JIT provisioning of new users in AWS SSO. Google Workspace apparently does not support SCIM for generic SAML SPs (quick search only, I might be wrong), so you're probably in a bit of a pickle here: you first need to have all users available, before you can use this provider to do the group management via SCIM (which is the exact use case this provider was developed for).
I've never actually tried creating full users with this provider that are correctly mapped to external users. SCIM has an additional property called `externalId` that this provider cannot currently set, and this value is pre-defined by the IdP. I'm not sure if having this be a different value is an issue, but we could try adding those fields (I really need to get the work along on this, sorry!) and just testing if it works.
Do you maybe have a minimal terraform code example & error message to further look at the issue you have?
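The fields discussed in this thread (`userName`, `active`, `emails`, `externalId`) are standard SCIM 2.0 User attributes, which is what the provider ultimately sends to the AWS SSO SCIM endpoint as `POST /Users`. The following is an added example, not code from the provider or from anyone in this thread: it builds such a payload and runs the pre-flight checks an operator would want before pushing identities, in particular that `active` is set explicitly (the thread notes users otherwise land disabled), that at most one primary email is present (my understanding of the AWS SSO SCIM implementation, stated here as an assumption), and that `externalId` carries the IdP's own stable identifier. The sample user values are constructed.

```python
"""Build and sanity-check a SCIM 2.0 User create payload (RFC 7643 core schema)
of the kind a SCIM client sends to AWS SSO. Added example; the AWS-specific
constraints encoded in check_scim_user() are assumptions, not provider code."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_scim_user(user_name, given_name, family_name, display_name=None,
                    email=None, external_id=None, active=True):
    """Return a SCIM 2.0 User resource as a dict.

    active defaults to True because a payload without it yields a disabled
    user. emails carries a single primary entry; externalId is the IdP's own
    identifier for the user (assumed: whatever Google Workspace reports).
    """
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "displayName": display_name or f"{given_name} {family_name}",
        "active": bool(active),
    }
    if email:
        user["emails"] = [{"value": email, "type": "work", "primary": True}]
    if external_id:
        user["externalId"] = external_id
    return user


def check_scim_user(user):
    """Return a list of problems found in a User payload; [] means it looks sound.

    Required-attribute and single-email rules mirror what I understand AWS SSO
    to enforce (assumption); the schema URN check is plain RFC 7643.
    """
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema URN")
    for key in ("userName", "displayName"):
        if not user.get(key):
            problems.append(f"missing required attribute {key}")
    name = user.get("name") or {}
    for key in ("givenName", "familyName"):
        if not name.get(key):
            problems.append(f"missing required attribute name.{key}")
    if "active" not in user:
        problems.append("active not set explicitly; user would be created disabled")
    emails = user.get("emails", [])
    if len(emails) > 1:
        problems.append("more than one email; only a single email is accepted")
    if emails and not emails[0].get("primary"):
        problems.append("email present but not marked primary")
    if "externalId" not in user:
        problems.append("externalId absent; user will not be tied to the IdP identity")
    return problems


if __name__ == "__main__":
    # Constructed sample identity; the IdP id is a placeholder.
    payload = build_scim_user(
        user_name="jane.doe@example.com",
        given_name="Jane",
        family_name="Doe",
        email="jane.doe@example.com",
        external_id="IDP-ID-PLACEHOLDER",
    )
    print(json.dumps(payload, indent=2))
    print("problems:", check_scim_user(payload))
```

Running the module prints the JSON body a SCIM client would send and an empty problem list; dropping `active` or `externalId` from the dict before calling `check_scim_user()` shows the two failure modes raised in this thread.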
Hi @JanKoppe, thanks for looking into this. Having played around with the SCIM API directly, I found that the issue wasn't with the user data at all, but with the SAML configuration (the start URL needed to be blank). I now have a fully working Google Workspace-to-AWS SSO user and group sync with Terraform, so thanks for your part in that. If I write up a blog about it I shall post it here.
Nice to hear! Yes, if you put this in a blog post a link here would be very nice :) Happy that this works for you.
I just tested the provider and it works great for creating groups and assigning group members, however it would be great to also have the ability to create users with it.
Is there something planned in that direction?