Comments (10)
@jchiang-genesis after the first sync with fewer than 50 users you will not have a problem with more users.
from idp-scim-sync.
Thank you @christiangda for your help. Just want to update everyone: once I cut down the group members to 48 for the initial sync, it worked as expected. But I did have to delete all my existing AWS SSO users and groups. Then I was able to add back all the users.
from idp-scim-sync.
@jchiang-genesis, to try to understand the problem you have, could you please manually remove the state file from your S3 bucket and resync?
Removing the state file is a totally safe action, and it is the only way to force the reconciliation between the identity provider and the SCIM side.
After that, please share the results without sharing information about your users and credentials.
from idp-scim-sync.
@christiangda, thanks for the reply. Actually, that was the weird part: it never created the state file. I created the lambda function from the repository, it went through the CloudFormation process just fine, it created the S3 bucket, and it runs the sync every 15 mins as expected, but it never created the state file. All the users and groups were synced based on the group filter rule `name:aws*`. But the groups are empty, with no users in them. All the synced users aren't part of any group. E.g. [email protected] is part of the [email protected] group in the Google directory; I can see both jay and aws-group in the AWS SSO console, but jay isn't part of the aws-group.
from idp-scim-sync.
Hi @jchiang-genesis, thank you for the information.
`idp-scim-sync` only syncs groups and their members, so I recommend that you read this document: https://github.com/slashdevops/idp-scim-sync/blob/main/docs/Using-SSO.md
Apart from that, from your explanation I can detect a corner-case bug and I will validate this; let me see if I can.
What version of the lambda have you deployed?
from idp-scim-sync.
@jchiang-genesis I simulated your scenario without any success, I mean without any error, so maybe it is the version of the app you have deployed.
Could you deploy the latest version?
from idp-scim-sync.
Hi @christiangda, I actually just deployed it yesterday. I'm not sure where I can check the version; when I checked the deployment, below is the template version. I can try re-deploying the lambda app later and update you here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: |
  This is used to keep your AWS Single Sign-On (SSO) groups and users in sync with your
  Google Workspace directory using an AWS Lambda function.
  Project URL: https://github.com/slashdevops/idp-scim-sync
```

As for the group membership not getting synced, I've attached screenshots from both the Google directory and AWS SSO: Jay is in the AWS_Admins group on Google, but not in AWS SSO. Because I went through your demo documentation, it looks like the group membership should get synced too.
from idp-scim-sync.
Hi @jchiang-genesis, now I understand what is happening: it is because you have more than 50 users (SCIM side) during the first sync, and the AWS SSO SCIM API has a limit of 50 for ListUsers (see the SCIM docs), so to avoid this I need to handle this error better.
But even if I implement this mechanism, at the end the state file will be inconsistent, because there are many users on your AWS SCIM side that the state will not contain.
My recommendation is to reduce the number of users to fewer than 50 for the first time, and then create the rest using the lambda, so that all the users and groups will be handled by idp-scim-sync.
I created this issue in the AWS portal: https://repost.aws/questions/QUqqnVkIo_SYyF_SlX5LcUjg/aws-sso-scim-api-pagination-for-methods
from idp-scim-sync.
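The 50-result cap described in the comment above is something a first sync can detect before it writes a state file, instead of discovering it as a mismatch in the user counts. The Go program below is an added example, not code from idp-scim-sync or from either participant in this thread: it constructs the 69-versus-50 scenario with made-up userNames under example.com and a placeholder base URL, assumes the SCIM ListResponse envelope from RFC 7644 and a per-user `filter=userName eq "..."` lookup as the fallback, and flags the diff as unreliable whenever the list comes back at the cap. The `scimQuote` helper escapes quotes and backslashes so an IdP-supplied userName cannot alter the filter expression that is sent to the SCIM endpoint.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Cap the thread describes for the AWS SSO SCIM ListUsers endpoint:
// at most 50 resources per call and no pagination.
const scimMaxListResults = 50

// listResponse is the SCIM ListResponse envelope (RFC 7644 section 3.4.2).
type listResponse struct {
	TotalResults int        `json:"totalResults"`
	ItemsPerPage int        `json:"itemsPerPage"`
	Resources    []scimUser `json:"Resources"`
}

type scimUser struct {
	ID       string `json:"id"`
	UserName string `json:"userName"`
}

// reconcileReport is what a first sync should surface before writing state.
type reconcileReport struct {
	IdPCount      int
	SCIMCount     int
	Truncated     bool     // list came back at the cap; absence from it proves nothing
	MissingInSCIM []string // IdP users not present in the returned list
}

// reconcile compares IdP userNames with a SCIM ListUsers response. When the
// list is at the cap, Truncated is set: a user missing from it may still exist
// on the SCIM side and must be checked with a userName filter before creation.
func reconcile(idpUsers []string, resp listResponse) reconcileReport {
	seen := make(map[string]bool, len(resp.Resources))
	for _, u := range resp.Resources {
		seen[strings.ToLower(u.UserName)] = true
	}
	r := reconcileReport{
		IdPCount:  len(idpUsers),
		SCIMCount: len(resp.Resources),
		Truncated: len(resp.Resources) >= scimMaxListResults,
	}
	for _, u := range idpUsers {
		if !seen[strings.ToLower(u)] {
			r.MissingInSCIM = append(r.MissingInSCIM, u)
		}
	}
	sort.Strings(r.MissingInSCIM)
	return r
}

// scimQuote renders a filter value as a double-quoted string with backslash and
// quote escaped (RFC 7644 filter values use JSON string syntax), so a userName
// taken from the IdP cannot rewrite the filter expression.
func scimQuote(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, `"`, `\"`)
	return `"` + s + `"`
}

// userLookupURL builds the per-user query that sidesteps the list cap:
// GET {base}/Users?filter=userName eq "<name>"  (base URL is a placeholder here)
func userLookupURL(base, userName string) string {
	q := url.Values{}
	q.Set("filter", "userName eq "+scimQuote(userName))
	return strings.TrimRight(base, "/") + "/Users?" + q.Encode()
}

// sampleUsers returns n constructed userNames (user001@example.com, ...).
func sampleUsers(n int) []string {
	users := make([]string, n)
	for i := range users {
		users[i] = fmt.Sprintf("user%03d@example.com", i+1)
	}
	return users
}

// sampleResponse fakes a ListUsers reply holding the first n sample users.
func sampleResponse(n int) listResponse {
	resp := listResponse{TotalResults: n, ItemsPerPage: n}
	for i, u := range sampleUsers(n) {
		resp.Resources = append(resp.Resources, scimUser{ID: fmt.Sprint(i + 1), UserName: u})
	}
	return resp
}

func main() {
	// Constructed scenario from the thread: 69 users in the IdP, 50 returned by SCIM.
	rep := reconcile(sampleUsers(69), sampleResponse(50))
	fmt.Printf("idp has %d and scim has %d (truncated=%v)\n", rep.IdPCount, rep.SCIMCount, rep.Truncated)
	for _, u := range rep.MissingInSCIM {
		fmt.Println("verify individually:", userLookupURL("https://scim.example.invalid/", u))
	}
}
```

With 48 users on both sides the report is clean and not flagged, which matches the workaround that ended up working in this thread; at 50 returned resources the same comparison cannot tell a missing user from one that simply fell past the cap, so the per-user lookup is the only trustworthy check before creating anything.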
I will try to use the new AWS SSO Identity Store API through the Go SDK to find a way to mitigate this issue better.
So @jchiang-genesis, this is not a bug, it is a limitation in the AWS SSO SCIM API, sorry.
from idp-scim-sync.
@christiangda not a problem, that's why when reconciling users it was showing idp has 69 and scim has 50. I did look up the issues from the old ssosync. So if I limit it to only 50 users for the first sync, it creates the state file, and I can then add more users afterwards as long as the new users won't be more than 50 users incrementally?
from idp-scim-sync.