SCIM Token Expiry
Originally posted on blog.denne.com.au.
I have been getting this alert for the past couple of weeks that my SCIM Access Token is approaching expiration. SCIM is the System for Cross-domain Identity Management protocol. It is used to automatically provision users and groups from my Identity Provider (IdP), in this case Azure AD, to IAM Identity Center (formerly AWS SSO).
So let’s take a look at the token.
Note that “An IAM Identity Center directory supports up to two access tokens at a time”. This is what makes a clean rotation possible: you can generate the replacement token before removing the old one, so provisioning keeps working while you switch the IdP over.
Note, also, that there is no API to automate SCIM token generation; you need to use the console.
Note down the token ID that you want to rotate.
Generate your new access token.
Then you need to update your IdP's SCIM settings, in my case Azure AD. In the Azure Portal, under Enterprise Applications select AWS Single-Sign-on, then under Manage select Provisioning and click Update Credentials.
Expand the Admin Credentials drop-down, paste the new access token you received from Identity Center into Secret Token, and then click the Test Connection button to check everything is working.
Once your test is successful click Save.
Then you can go back into AWS IAM Identity Center and delete the old expiring access token.
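As an added check that is not part of the original post: a small Python probe that reports whether a given token is still accepted by the SCIM endpoint, so you can confirm the new token works before saving it in Azure AD and confirm the old one is rejected after you delete it. It assumes the SCIM endpoint URL (shown next to the tokens in the Identity Center console), the token and an existing username to filter on are supplied as environment variables.

```python
"""Probe an IAM Identity Center SCIM endpoint with a bearer token.

Assumptions (not from the original post): SCIM_ENDPOINT, SCIM_TOKEN and
SCIM_USER are supplied as environment variables, and SCIM_USER names a
user that already exists in the Identity Center directory.
"""
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

ACCEPTED, REJECTED, ERROR = "accepted", "rejected", "error"


def build_request(endpoint: str, token: str, username: str) -> urllib.request.Request:
    # Same lookup the IdP performs during provisioning: filter users by userName.
    flt = urllib.parse.quote(f'userName eq "{username}"')
    url = f"{endpoint.rstrip('/')}/Users?filter={flt}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return urllib.request.Request(url, headers=headers)


def classify(status: int) -> str:
    # 200: token works; 401/403: token expired, deleted or wrong; anything else: investigate.
    if status == 200:
        return ACCEPTED
    if status in (401, 403):
        return REJECTED
    return ERROR


def probe(endpoint, token, username, opener=urllib.request.urlopen):
    # `opener` is injectable so the logic can be exercised without network access.
    req = build_request(endpoint, token, username)
    try:
        with opener(req, timeout=10) as resp:
            return classify(resp.status), resp.status
    except urllib.error.HTTPError as exc:
        return classify(exc.code), exc.code


if __name__ == "__main__":
    verdict, code = probe(
        os.environ["SCIM_ENDPOINT"], os.environ["SCIM_TOKEN"], os.environ["SCIM_USER"]
    )
    print(f"HTTP {code}: token {verdict}")
    # Non-zero exit when the token is not accepted, so the check can gate a rotation runbook.
    sys.exit(0 if verdict == ACCEPTED else 1)
```

Run it once with the new token before clicking Save in Azure, and once with the old token after deleting it; the second run should report "rejected".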
And that’s it.