
Comments (10)

christiangda commented on June 3, 2024

@jchiang-genesis after the first sync with fewer than 50 users you will not have a problem with more users.

from idp-scim-sync.

jchiang-genesis commented on June 3, 2024

Thank you @christiangda for your help. Just want to update everyone: once I cut down the group members to 48 for the initial sync, it worked as expected. But I did have to delete all my AWS SSO existing users and groups. Then I was able to add back all the users.


christiangda commented on June 3, 2024

@jchiang-genesis, to try to understand the problem you have, could you please manually remove the state file from your S3 bucket and resync?

Removing the state file is a totally safe action and it is the only way to force the reconciliation between the identity provider and the SCIM side.

After that, please share the results without sharing information about your users and credentials.


jchiang-genesis commented on June 3, 2024

@christiangda, thanks for the reply. Actually that was the weird part: it never created the state file. I created the lambda function from the repository, it went through the CloudFormation process just fine, it created the S3 bucket, and it runs the sync every 15 mins as expected, but it never created the state file. All the users and groups were synced based on the group filter rule name:aws* . But the groups are empty with no user in them. All the synced users aren't part of any group. E.g. [email protected] is part of the [email protected] group on Google directory, and I can see both jay and aws-group on the AWS SSO console. But jay isn't part of the aws-group.


christiangda commented on June 3, 2024

Hi @jchiang-genesis, thank you for the information.

idp-scim-sync only syncs groups and their members, so I recommend that you read this document: https://github.com/slashdevops/idp-scim-sync/blob/main/docs/Using-SSO.md

Apart from that, from your explanation, I can detect a corner case bug and I will validate this, let me see if I can.

What version of the lambda have you deployed?


christiangda commented on June 3, 2024

@jchiang-genesis I simulated your scenario without any success, I mean without any error, so maybe it is the version of the app you have deployed.

Could you deploy the latest version?


jchiang-genesis commented on June 3, 2024

Hi @christiangda, I actually just deployed it yesterday. I'm not sure where I can check the version; when I checked the deployment, below is the template version. I can try re-deploying the lambda app again later and update you here.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: |
  This is used to keep your AWS Single Sign-On (SSO) groups and users in sync with your
  Google Workspace directory using and AWS Lambda function.

  Project URL: https://github.com/slashdevops/idp-scim-sync

As for the group membership not getting synced issue, I've attached the screenshots from both Google directory and AWS SSO, so Jay is in the AWS_Admins group on Google, but not in AWS SSO. Because I went through your demo documentation, it looks like the group membership should get synced too.



christiangda commented on June 3, 2024

Hi @jchiang-genesis, now I understand what is happening: it is because you have more than 50 users (SCIM side) during the first sync and the AWS SSO SCIM API has a limit of 50 for ListUsers (SCIM DOCS), so to avoid this I need to handle this error better.

But even if I implement this mechanism, in the end the state file will be inconsistent because there are many users on your AWS SCIM side that the state will not contain.

My recommendation is to reduce the number of users to fewer than 50 for the first time, and then create these using the lambda, so that in that way all the users and groups will be handled by idp-scim-sync.


I created this issue in the AWS portal: https://repost.aws/questions/QUqqnVkIo_SYyF_SlX5LcUjg/aws-sso-scim-api-pagination-for-methods


christiangda commented on June 3, 2024

I will try to use this new AWS SSO Identity Store API through the Go SDK to find a way to mitigate this issue better.

So @jchiang-genesis this is not a bug, it is a limitation in the AWS SSO SCIM API, sorry.


jchiang-genesis commented on June 3, 2024

@christiangda not a problem, that's why when reconciling users it was showing idp has 69 and scim has 50. I did look up the issues from the old ssosync, so if I can limit to only 50 users for the first sync, it creates the state file, and I can then add on more users afterwards as long as the new users won't be more than 50 users incremental?

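The failure mode discussed in this thread (a first sync against a SCIM side that returns at most 50 users, leaving the state file inconsistent) can be caught before any state is written. The following preflight check is an added example, not code from idp-scim-sync; it assumes the SCIM ListResponse populates `totalResults` and uses constructed sample data matching the numbers in the thread (69 IdP users, 50 returned by SCIM).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Limit the thread describes for AWS SSO SCIM ListUsers (50 results, no pagination).
const maxSCIMPageSize = 50

// Subset of a SCIM 2.0 ListResponse needed by the preflight check.
type scimListResponse struct {
	TotalResults int               `json:"totalResults"`
	Resources    []json.RawMessage `json:"Resources"`
}

// PreflightResult summarises whether a first sync can build a consistent state file.
type PreflightResult struct {
	IdPUsers, SCIMUsers int
	Truncated           bool // SCIM reported more users than it returned
	SafeToSync          bool
}

// PreflightFirstSync runs before the first sync (no state file yet). idpUsers is the
// number of users selected by the group filter on the identity-provider side; raw is
// the SCIM ListResponse body of GET /Users. Assumption: totalResults is populated.
func PreflightFirstSync(idpUsers int, raw []byte) (PreflightResult, error) {
	var lr scimListResponse
	if err := json.Unmarshal(raw, &lr); err != nil {
		return PreflightResult{}, fmt.Errorf("parse SCIM ListResponse: %w", err)
	}
	res := PreflightResult{IdPUsers: idpUsers, SCIMUsers: len(lr.Resources)}
	// A truncated listing means any state built from it misses users (the thread's case).
	res.Truncated = lr.TotalResults > len(lr.Resources)
	res.SafeToSync = !res.Truncated && idpUsers <= maxSCIMPageSize &&
		lr.TotalResults <= maxSCIMPageSize
	return res, nil
}

// ConstructedListResponse builds a sample ListResponse (constructed data, not a real
// capture) that reports `total` users but returns only `returned` of them.
func ConstructedListResponse(total, returned int) []byte {
	users := make([]map[string]string, returned)
	for i := range users {
		users[i] = map[string]string{"id": fmt.Sprint(i), "userName": fmt.Sprintf("user%d@example.com", i)}
	}
	b, _ := json.Marshal(map[string]interface{}{"totalResults": total,
		"itemsPerPage": returned, "startIndex": 1, "Resources": users})
	return b
}

func main() {
	// The thread's numbers: 69 users on the IdP side, 50 returned by SCIM.
	r, err := PreflightFirstSync(69, ConstructedListResponse(69, 50))
	fmt.Println(r, err)
}
```

Refusing the first run when `SafeToSync` is false avoids writing a state file that silently omits the users beyond the 50-result limit.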
