awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
525 stars 181 forks source link

Why is SCIM still required on AWS side if user management is done through the Identity Center API? #120

Closed sidekick-eimantas closed 1 year ago

ChrisPates commented 1 year ago

So SCIM is still the primary api for user & group creation on the IAM Identity Center side of ssosync.

In versions v2.0.x, groups are currently created using the IdentityStore api, this will be addressed in an upcoming release. The intention of using the IdentityStore api, is to improve performance for comparing the content of the IdentityStore.

We want to retain creations via the SCIM api, so Manual user and groups, are easily identifiable. AWS Control Tower for one creates users and groups via the IdentityStore api and some user of ssosync want to retain these even though they can't authenticate as these users whilst SAML is enabled.