Closed smoy closed 1 year ago
There are some relevant reports regarding similar behavior with the identity store with AD integration: https://repost.aws/questions/QUTzWLsQVDSwuPkPJmTa9I7Q/identitystore-listusers-and-listgroups-api-results-in-unknownoperationexception
Even when you supply a Filter meant to give you all the results, it might throw an error like `[ERROR] ValidationException: An error occurred (ValidationException) when calling the ListUsers operation: The AD Sync username does not match the expected format of UserName@Domain`. Here we are using the format `firstname.lastname@domain`.
Some examples of working filters.

For `list_users`:

```python
Filters=[
    {
        'AttributePath': 'UserName',
        'AttributeValue': '*'
    }
]
```

For `list_groups`:

```python
{
    'AttributePath': 'DisplayName',
    'AttributeValue': 'random-group@domain.local'
}
```
@smoy just to clarify. The filter below gives the error:

```python
Filters=[ { 'AttributePath': 'UserName', 'AttributeValue': '*' } ]
```

And the filter below works:

```python
Filters=[ { 'AttributePath': 'UserName', 'AttributeValue': 'username@domain' } ]
```

I guess the API checks for exact values and returns data only if it finds an exact match. I am not aware of any values that can help list all users. If I give an incorrect username (but one that matches the format `username@domain`), it will return an empty list.
If I submit `'*'` as the value, then it raises ValidationError as it does not match the format `username@domain`.
Similarly for `list_groups`: if the value matches the format (`groupname@domain`), it returns status 200. Else, it raises an error.
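The exact-match behaviour described in the comments above means a tool cannot enumerate an AD-synced identity store with a wildcard; it can only resolve names it already knows. The following is an added example (not code from the thread or from iambic) that validates each candidate `UserName@Domain` value before calling `list_users`, so a malformed value never reaches the API, and separates "no such user" (empty result) from "rejected by the API" (`ValidationException`). The `FakeIdentityStoreClient` is a constructed offline stand-in that mimics the reported behaviour; `boto3_client` shows the real client you would pass instead (assumes boto3 and credentials are configured). The identity store id `d-1234567890` is the placeholder used in the script later in this thread.

```python
import re
from dataclasses import dataclass, field

# Shape the API enforces for AD-synced stores (per the thread): an exact
# "UserName@Domain" value; wildcards such as '*' are rejected outright.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def upn_filter(user_name):
    """Build the Filters argument for identitystore ListUsers, refusing values
    that the API would reject with ValidationException."""
    if not UPN_RE.match(user_name):
        raise ValueError(f"{user_name!r} is not in UserName@Domain form")
    return [{"AttributePath": "UserName", "AttributeValue": user_name}]


@dataclass
class Resolution:
    found: dict = field(default_factory=dict)     # upn -> UserId
    missing: list = field(default_factory=list)   # well-formed, no match
    invalid: list = field(default_factory=list)   # refused before any API call
    rejected: list = field(default_factory=list)  # API raised ValidationException


def resolve_upns(client, identity_store_id, upns):
    """Resolve known UPNs to Identity Center UserIds, one exact-match call each."""
    res = Resolution()
    for upn in upns:
        try:
            filters = upn_filter(upn)
        except ValueError:
            res.invalid.append(upn)
            continue
        try:
            resp = client.list_users(IdentityStoreId=identity_store_id, Filters=filters)
        except client.exceptions.ValidationException:
            # The service may still reject a value our regex accepted
            # (the thread reports this for some AD-synced stores).
            res.rejected.append(upn)
            continue
        users = resp.get("Users", [])
        if users:
            res.found[upn] = users[0]["UserId"]
        else:
            res.missing.append(upn)
    return res


def boto3_client(region):
    """Real client for the same calls (assumes boto3 is installed and credentials exist)."""
    import boto3
    return boto3.client("identitystore", region_name=region)


class FakeIdentityStoreClient:
    """Constructed offline stand-in reproducing the exact-match behaviour above."""

    class exceptions:  # mirrors client.exceptions.ValidationException on a boto3 client
        class ValidationException(Exception):
            pass

    def __init__(self, known):
        self.known = known  # upn -> UserId

    def list_users(self, IdentityStoreId, Filters):
        value = Filters[0]["AttributeValue"]
        if not UPN_RE.match(value):
            raise self.exceptions.ValidationException(
                "The AD Sync username does not match the expected format of UserName@Domain")
        if value in self.known:
            return {"Users": [{"UserId": self.known[value], "UserName": value}]}
        return {"Users": []}


if __name__ == "__main__":
    client = FakeIdentityStoreClient({"alice@corp.local": "placeholder-user-id-1"})
    print(resolve_upns(client, "d-1234567890", ["alice@corp.local", "bob@corp.local", "*"]))
```

Swap `FakeIdentityStoreClient(...)` for `boto3_client("ap-south-1")` to run it against a real store; the rest of the code is unchanged because it only relies on `list_users` and `client.exceptions.ValidationException`, both of which boto3 provides.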
Hey @smoy,
I built a script using Python to list users and groups from the Identity Center.
Please try using this to fetch details, and also revert change #558 back to user name.
```python
import json

import requests
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
import botocore.session

region = "ap-south-1"
directory_id = "d-1234567890"
url = f"https://up-sso.{region}.amazonaws.com/identitystore/"
payload = {"IdentityStoreId": directory_id, "MaxResults": 100}


def _search(url, payload, region, target, result_key):
    """POST SigV4-signed requests to the given X-Amz-Target and follow
    NextToken until every page has been collected."""
    session = botocore.session.Session()
    sigv4 = SigV4Auth(session.get_credentials(), "identitystore", region)
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": target,
    }
    # Work on a copy so the NextToken of one search never leaks into the next.
    body = dict(payload)
    results = []
    while True:
        data = json.dumps(body)
        # The signature covers the body, so every page needs a fresh signature.
        request = AWSRequest(method="POST", url=url, data=data, headers=headers)
        request.context["payload_signing_enabled"] = True
        sigv4.add_auth(request)
        prepped = request.prepare()
        response = requests.post(prepped.url, headers=prepped.headers, data=data)
        response.raise_for_status()
        id_resp = response.json()
        results.extend(id_resp.get(result_key, []))
        if "NextToken" not in id_resp:
            return results
        body["NextToken"] = id_resp["NextToken"]


def list_users(url, payload, region):
    return _search(url, payload, region, "AWSIdentityStoreService.SearchUsers", "Users")


def list_groups(url, payload, region):
    return _search(url, payload, region, "AWSIdentityStoreService.SearchGroups", "Groups")


users = list_users(url, payload, region)
print(len(users))
groups = list_groups(url, payload, region)
print(len(groups))
```
And here is a sample response for `list_users`:

```json
{
  "NextToken": "nextTokenValue",
  "TotalUserCount": 388,
  "Users": [
    {
      "Active": true,
      "Meta": {
        "CreatedAt": 1631871184.587,
        "CreatedBy": "Identity_Sync",
        "UpdatedAt": 1692299060.935,
        "UpdatedBy": "Identity_Sync"
      },
      "UserAttributes": {
        "emails": {
          "ComplexListValue": [
            {
              "type": { "StringValue": "work" },
              "value": { "StringValue": "username@domain" },
              "primary": { "BooleanValue": true }
            }
          ]
        },
        "displayName": { "StringValue": "firstName lastName" },
        "name": {
          "ComplexValue": {
            "givenName": { "StringValue": "firstName" },
            "familyName": { "StringValue": "lastName" }
          }
        },
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "00bc7e05-1111-1111-1111-ebcdc7f86bd0" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "externalId": { "StringValue": "00bc7e05-1111-1111-1111-ebcdc7f86bd0" },
        "activeDirectory": {
          "ComplexValue": {
            "windowsUpn": { "StringValue": "username@domain" },
            "domain": { "StringValue": "domain" },
            "guid": { "StringValue": "00bc7e05-1111-1111-1111-ebcdc7f86bd0" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "UserId": "9f673e3bdb-11111111-1111-1111-1111-ebcdc7f86bd0",
      "UserName": "username@domain"
    },
    {
      "Active": true,
      "Meta": {
        "CreatedAt": 1688546051.099,
        "CreatedBy": "AD_SYNC",
        "UpdatedAt": 1692299056.688,
        "UpdatedBy": "Identity_Sync"
      },
      "UserAttributes": {
        "emails": {
          "ComplexListValue": [
            {
              "verificationStatus": { "StringValue": "NOT_VERIFIED" },
              "type": { "StringValue": "work" },
              "value": { "StringValue": "username@domain" },
              "primary": { "BooleanValue": true }
            }
          ]
        },
        "displayName": { "StringValue": "firstName lastName" },
        "name": {
          "ComplexValue": {
            "givenName": { "StringValue": "firstName" },
            "familyName": { "StringValue": "lastName" }
          }
        },
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "009bc8a3-1111-1111-1111-3ff81a068d53" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "externalId": { "StringValue": "009bc8a3-1111-1111-1111-3ff81a068d53" },
        "activeDirectory": {
          "ComplexValue": {
            "windowsUpn": { "StringValue": "username@domain" },
            "domain": { "StringValue": "domain" },
            "guid": { "StringValue": "009bc8a3-1111-1111-1111-3ff81a068d53" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "UserId": "9f673e3bdb-11111111-1111-1111-1111-3ff81a068d53",
      "UserName": "username@domain"
    },
    {
      "Active": true,
      "Meta": {
        "CreatedAt": 1664277233.823,
        "CreatedBy": "Identity_Sync",
        "UpdatedAt": 1692299068.591,
        "UpdatedBy": "Identity_Sync"
      },
      "UserAttributes": {
        "emails": {
          "ComplexListValue": [
            {
              "verificationStatus": { "StringValue": "NOT_VERIFIED" },
              "type": { "StringValue": "work" },
              "value": { "StringValue": "username@domain" },
              "primary": { "BooleanValue": true }
            }
          ]
        },
        "displayName": { "StringValue": "firstName lastName" },
        "name": {
          "ComplexValue": {
            "givenName": { "StringValue": "firstName" },
            "familyName": { "StringValue": "lastName" }
          }
        },
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "014b1c65-1111-1111-1111-e745d36db3c5" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "externalId": { "StringValue": "014b1c65-1111-1111-1111-e745d36db3c5" },
        "activeDirectory": {
          "ComplexValue": {
            "windowsUpn": { "StringValue": "username@domain" },
            "domain": { "StringValue": "domain" },
            "guid": { "StringValue": "014b1c65-1111-1111-1111-e745d36db3c5" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "UserId": "9f673e3bdb-014b1c65-1111-1111-1111-e745d36db3c5",
      "UserName": "username@domain"
    }
  ]
}
```
And a sample for `list_groups`:

```json
{
  "Groups": [
    {
      "DisplayName": "groupName@domain",
      "GroupAttributes": {
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "19c0c068-1111-1111-1111-bff5f170683a" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "description": { "StringValue": "group description" },
        "externalId": { "StringValue": "19c0c068-1111-1111-1111-bff5f170683a" },
        "activeDirectory": {
          "ComplexValue": {
            "domain": { "StringValue": "domain" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "GroupId": "9f673e3bdb-19c0c068-1111-1111-1111-bff5f170683a",
      "Meta": {
        "CreatedAt": 1686557190.166,
        "CreatedBy": "Identity_Sync",
        "UpdatedAt": 1692299191.001,
        "UpdatedBy": "Identity_Sync"
      }
    },
    {
      "DisplayName": "groupname@domain",
      "GroupAttributes": {
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "03aaf141-1111-1111-1111-5aa43f4b9b81" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "description": { "StringValue": "group description" },
        "externalId": { "StringValue": "03aaf141-1111-1111-1111-5aa43f4b9b81" },
        "activeDirectory": {
          "ComplexValue": {
            "domain": { "StringValue": "domain" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "GroupId": "9f673e3bdb-03aaf141-1111-1111-1111-5aa43f4b9b81",
      "Meta": {
        "CreatedAt": 1684141140.688,
        "CreatedBy": "Identity_Sync",
        "UpdatedAt": 1692299195.135,
        "UpdatedBy": "Identity_Sync"
      }
    },
    {
      "DisplayName": "groupname@domain",
      "GroupAttributes": {
        "externalIds": {
          "ComplexListValue": [
            {
              "id": { "StringValue": "0fddf922-1111-1111-1111-80f46f83191b" },
              "issuer": { "StringValue": "arn:aws:ds:ap-south-1:123456789012:directory/d-1111111111" }
            }
          ]
        },
        "description": { "StringValue": "group description" },
        "externalId": { "StringValue": "0fddf922-1111-1111-1111-80f46f83191b" },
        "activeDirectory": {
          "ComplexValue": {
            "domain": { "StringValue": "domain" },
            "sid": { "StringValue": "S-1-5-21-123456789-1234567890-1234567890-1111" }
          }
        }
      },
      "GroupId": "9f673e3bdb-0fddf922-1111-1111-1111-80f46f83191b",
      "Meta": {
        "CreatedAt": 1644258484.525,
        "CreatedBy": "Identity_Sync",
        "UpdatedAt": 1692299163.992,
        "UpdatedBy": "Identity_Sync"
      }
    }
  ],
  "NextToken": "next-token",
  "TotalGroupCount": 43
}
```
Notes when switching directory source in Identity Center:

> You are changing your identity source to directory REDACTED (AWS Directory Service). The AWS access portal URL will change to enable your directory as your identity source. The current URL won't work. IAM Identity Center will permanently remove all current user and group assignments. Users and groups currently in Identity Center won't be available for use. If you switch back to IAM Identity Center as an identity source, these users and groups will be restored without assignments. All current permission sets and SAML 2.0 application configurations will be retained. You must manage all users and groups in your new directory in Active Directory. IAM Identity Center will start synchronizing users and groups with assignments from Active Directory (AD) through Active Directory sync. You can configure multi-factor authentication (MFA) in AWS Directory Service, or through the IAM Identity Center console. If you use other AWS applications with AWS Directory Service, we recommend that you configure MFA in AWS Directory Service. Users must sign in to the AWS access portal before you can view, manage, or assign them to Identity Center enabled applications. IAM Identity Center will keep your current configuration of attributes for access control. We recommend that you review your configuration and update it after you complete the identity source change.
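The responses quoted in this comment nest every attribute under `StringValue`, `BooleanValue`, `ComplexValue` or `ComplexListValue` wrappers, which is awkward to consume directly. The following is an added example (not code from the thread or from iambic) that flattens SearchUsers/SearchGroups records into plain dictionaries and then runs one sanity check a defender would want on an AD-synced store: every principal's SID should carry the same domain prefix (`S-1-5-21-x-y-z`), so a record with a different prefix or no SID at all is flagged for review. `SAMPLE_USERS` and `SAMPLE_GROUPS` are constructed inputs in the shape of the responses above, with placeholder identifiers.

```python
import re

# Constructed sample (placeholder values, not real identifiers) in the shape
# of the SearchUsers / SearchGroups responses quoted in this thread.
SAMPLE_USERS = {"TotalUserCount": 2, "Users": [
    {
        "Active": True,
        "Meta": {"CreatedBy": "Identity_Sync", "UpdatedBy": "Identity_Sync"},
        "UserAttributes": {
            "emails": {"ComplexListValue": [{
                "type": {"StringValue": "work"},
                "value": {"StringValue": "alice@corp.local"},
                "primary": {"BooleanValue": True}}]},
            "displayName": {"StringValue": "Alice Example"},
            "activeDirectory": {"ComplexValue": {
                "windowsUpn": {"StringValue": "alice@corp.local"},
                "domain": {"StringValue": "corp.local"},
                "guid": {"StringValue": "00000000-0000-0000-0000-000000000001"},
                "sid": {"StringValue": "S-1-5-21-111-222-333-1105"}}},
        },
        "UserId": "placeholder-user-id-1", "UserName": "alice@corp.local",
    },
    {   # second record: no e-mail, and a SID from a different domain
        "Active": False,
        "Meta": {"CreatedBy": "AD_SYNC", "UpdatedBy": "Identity_Sync"},
        "UserAttributes": {
            "displayName": {"StringValue": "Bob Example"},
            "activeDirectory": {"ComplexValue": {
                "windowsUpn": {"StringValue": "bob@other.local"},
                "domain": {"StringValue": "other.local"},
                "sid": {"StringValue": "S-1-5-21-999-888-777-1106"}}},
        },
        "UserId": "placeholder-user-id-2", "UserName": "bob@other.local",
    },
]}
SAMPLE_GROUPS = {"TotalGroupCount": 1, "Groups": [{
    "DisplayName": "admins@corp.local",
    "GroupAttributes": {
        "description": {"StringValue": "group description"},
        "activeDirectory": {"ComplexValue": {
            "domain": {"StringValue": "corp.local"},
            "sid": {"StringValue": "S-1-5-21-111-222-333-512"}}},
    },
    "GroupId": "placeholder-group-id-1",
    "Meta": {"CreatedBy": "Identity_Sync"},
}]}

SID_DOMAIN_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")


def attr(node, *path):
    """Walk an attribute tree: each step may be wrapped in ComplexValue (dict)
    or ComplexListValue (list); the leaf is a StringValue or BooleanValue.
    Returns None when any step is missing."""
    cur = node
    for key in path:
        if isinstance(cur, dict):
            cur = cur.get("ComplexValue", cur.get("ComplexListValue", cur))
        if isinstance(key, int):
            cur = cur[key] if isinstance(cur, list) and key < len(cur) else None
        else:
            cur = cur.get(key) if isinstance(cur, dict) else None
        if cur is None:
            return None
    if isinstance(cur, dict):
        return cur.get("StringValue", cur.get("BooleanValue"))
    return cur


def flatten_user(user):
    ua = user.get("UserAttributes", {})
    return {"kind": "user", "id": user["UserId"], "name": user["UserName"],
            "active": user.get("Active"), "email": attr(ua, "emails", 0, "value"),
            "upn": attr(ua, "activeDirectory", "windowsUpn"),
            "domain": attr(ua, "activeDirectory", "domain"),
            "guid": attr(ua, "activeDirectory", "guid"),
            "sid": attr(ua, "activeDirectory", "sid"),
            "created_by": user.get("Meta", {}).get("CreatedBy")}


def flatten_group(group):
    ga = group.get("GroupAttributes", {})
    return {"kind": "group", "id": group["GroupId"], "name": group["DisplayName"],
            "description": attr(ga, "description"),
            "domain": attr(ga, "activeDirectory", "domain"),
            "sid": attr(ga, "activeDirectory", "sid"),
            "created_by": group.get("Meta", {}).get("CreatedBy")}


def domain_sid(sid):
    """Domain prefix of an AD account SID, or None if absent/malformed."""
    m = SID_DOMAIN_RE.match(sid or "")
    return m.group(1) if m else None


def foreign_principals(records, expected_domain_sid):
    """Flattened records whose SID is missing or belongs to another domain."""
    return [r for r in records if domain_sid(r["sid"]) != expected_domain_sid]


if __name__ == "__main__":
    records = [flatten_user(u) for u in SAMPLE_USERS["Users"]]
    records += [flatten_group(g) for g in SAMPLE_GROUPS["Groups"]]
    for r in foreign_principals(records, "S-1-5-21-111-222-333"):
        print("unexpected domain:", r["kind"], r["name"], r["sid"])
```

With the real responses, feed `resp["Users"]` and `resp["Groups"]` from the paginated script above into `flatten_user` / `flatten_group`; the expected domain prefix is whatever `domain_sid` returns for a principal you have verified out of band.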
We have a pull request being evaluated at the moment: https://github.com/noqdev/iambic/pull/591
I am closing this issue since we have merged multiple enhancements for Active Directory.
For future readers, please open a new issue and mention this one if it's relevant.
**Describe the bug**
AWS IdentityCenter with AD Azure Connector does not work out of the box for iambic with domains that are in `.local` (not a fully qualified domain), for example: `corp.local`