
How to bulk import users and groups from CSV into AWS SSO

Once you connect an external identity provider (IdP) to AWS Single Sign-On (SSO) using the Security Assertion Markup Language (SAML) 2.0 standard, you need to create all users and groups in AWS SSO before you can create any assignments to AWS accounts or applications. If your IdP supports user and group provisioning through the System for Cross-domain Identity Management (SCIM), we strongly recommend using SCIM to simplify ongoing lifecycle management of the users and groups in AWS SSO.

If your IdP doesn't yet support automatic provisioning, you have to create your users and groups in AWS SSO manually. Although manual creation of users and groups may be the simplest way to get started, it is tedious and error prone.

In this post, we show you how to use a comma-separated values (CSV) file to bulk create users and groups in AWS SSO.

How it works

AWS SSO supports automatic provisioning of user and group information from an external IdP into AWS SSO using the SCIM protocol. In this solution, you use a PowerShell script that acts as a SCIM client in place of an IdP, and provisions users and groups from a CSV file into AWS SSO. You create and populate the CSV file with your user and group information, which the PowerShell script then reads. Next, on your Windows, Linux, or macOS system with PowerShell Core installed, you run the PowerShell script. The script reads the users and groups from the CSV file and programmatically creates them in AWS SSO using your SCIM configuration for AWS SSO.

Assumptions

In this blog post, we assume the following:

Note: This post was written and the code tested on a Microsoft Windows Server 2019 system with PowerShell installed.

Enable automatic provisioning

In this step, you enable automatic provisioning in AWS SSO. You use the automatic provisioning endpoint of AWS SSO to connect to it and create users and groups.

To enable automatic provisioning in AWS SSO

    1. In the AWS SSO console, go to the Single Sign-On page and choose Settings.
    2. Change the provisioning from Manual to SCIM by choosing Enable automatic provisioning.

Figure 1: Enable automatic provisioning

    3. Copy the SCIM endpoint and the Access token (you can have up to two access token IDs). You will use these values later.

Figure 2: Copy the SCIM endpoint and access token

Bulk create users and groups in AWS SSO

In this section, you create your users and groups from the CSV file in AWS SSO. To do this, you create a CSV file with your users' profile information (for example: first name, last name, display name, and other values). You also create a PowerShell script that connects to AWS SSO and creates the users and groups from the CSV file in AWS SSO.

To bulk create your users from the CSV file

    1. Create a file named csv-example-users.csv with the following column headings: firstName, lastName, userName, displayName, emailAddress, and memberOf.

Note: The memberOf column contains all the groups you want to add the user to in AWS SSO. If a group you plan to add a user to doesn't exist in AWS SSO, the script creates the group for you automatically. To add a user to several groups, list the group names separated by semicolons in the memberOf column.

    2. Populate the CSV file csv-example-users.csv with the users you want to create in AWS SSO.

Note: Before you populate the CSV file, take note of the existing users, groups, and group memberships in AWS SSO. Make sure that none of the groups or users in the CSV file already exist in AWS SSO.

Note: For this to work, every user in csv-example-users.csv must have the firstName, lastName, userName, displayName, and emailAddress values specified. If any of these values is missing, that user isn't created. The emailAddress and userName values must not contain any spaces.

Figure 3: Create the CSV file and populate it with the users to create in AWS SSO
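Because a row that violates the rules above is silently skipped by the SCIM calls, it pays to validate the CSV before any request is sent. The following pre-flight check is an added example, not code from the original post; the helper name Test-SsoUserCsv and the sample rows are constructed here. It enforces the required columns and the no-whitespace rule for userName and emailAddress, goes one step further by flagging duplicate userNames inside the file (a second POST for the same userName would return 409 Conflict), and returns the deduplicated list of groups the script would create.

```powershell
# Pre-flight validation of csv-example-users.csv (hypothetical helper, not part of the original post)
function Test-SsoUserCsv {
    param([Parameter(Mandatory)] [object[]] $Rows)

    $Required = @('firstName', 'lastName', 'userName', 'displayName', 'emailAddress')
    $Problems = New-Object System.Collections.Generic.List[string]
    $Seen     = @{}   # userNames already encountered (case-insensitive)
    $Groups   = @{}   # unique group names collected from memberOf
    $RowNum   = 1     # the header is line 1, so the first data row is line 2

    foreach ($Row in $Rows) {
        $RowNum++
        foreach ($Col in $Required) {
            if ([string]::IsNullOrWhiteSpace($Row.$Col)) {
                $Problems.Add("line ${RowNum}: missing $Col (this user would not be created)")
            }
        }
        foreach ($Col in @('userName', 'emailAddress')) {
            if ("$($Row.$Col)" -match '\s') {
                $Problems.Add("line ${RowNum}: $Col must not contain spaces")
            }
        }
        $Key = "$($Row.userName)".ToLowerInvariant()
        if ($Key) {
            if ($Seen.ContainsKey($Key)) {
                $Problems.Add("line ${RowNum}: duplicate userName $($Row.userName) (POST would return 409 Conflict)")
            }
            $Seen[$Key] = $true
        }
        # memberOf is semicolon separated; blank entries are ignored and names are trimmed
        foreach ($G in ("$($Row.memberOf)" -split ';')) {
            if (-not [string]::IsNullOrWhiteSpace($G)) { $Groups[$G.Trim()] = $true }
        }
    }
    [pscustomobject]@{
        Problems = $Problems.ToArray()
        Groups   = @($Groups.Keys | Sort-Object)
    }
}

# Constructed sample CSV: one valid row, one with a space in userName, one missing userName
$Sample = @'
firstName,lastName,userName,displayName,emailAddress,memberOf
Ana,Lopez,ana.lopez,Ana Lopez,ana.lopez@example.com,Developers;Admins
Bo,Chen,bo chen,Bo Chen,bo.chen@example.com,Developers
Cy,Diaz,,Cy Diaz,cy.diaz@example.com,
'@ | ConvertFrom-Csv

$Result = Test-SsoUserCsv -Rows $Sample
$Result.Problems | ForEach-Object { Write-Host "WARN: $_" -ForegroundColor Yellow }
Write-Host "Groups the script would create: $($Result.Groups -join ', ')"
```

Run it against your real file with `Test-SsoUserCsv -Rows (Import-Csv -Path .\csv-example-users.csv)` and fix every reported line before running create_users.ps1.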

    3. Next, create a file named create_users.ps1 and copy the following PowerShell code into it. Use a text editor such as TextEdit or Notepad to edit the create_users.ps1 file.
    • Set the $Url value to the SCIM endpoint you copied earlier.
    • Set the $Bearertoken value to the Access token you copied earlier.
    • Set the $CSVfile value to the location of your CSV file (for example, C:\Users\testuser\Downloads\csv-example-users.csv; relative paths are also accepted).
    #Input SCIM configuration and CSV file location
    $Url = ""            # SCIM endpoint copied from the AWS SSO console (no trailing slash)
    $Bearertoken = ""    # Access token copied from the AWS SSO console
    $CSVfile = ""        # Path to csv-example-users.csv (absolute or relative)
    $Headers = @{ Authorization = "Bearer $Bearertoken" }

    #Get users from CSV file and store in variable
    $Users = Import-Csv -Delimiter "," -Path "$CSVfile"

    #Read groups in CSV: split the semicolon-separated memberOf column, trim, drop blanks, deduplicate
    $Groups = $Users.memberOf -split ";"
    $Groups = $Groups | ForEach-Object { $_.Trim() } | Sort-Object -Unique | Where-Object { $_ -ne "" }

    foreach ($Group in $Groups) {
        #Build the SCIM group object and convert it to JSON
        $GroupObject = @{ displayName = $Group }
        $Groupjson = $GroupObject | ConvertTo-Json

        #Create groups in AWS SSO
        try {
            $Response = Invoke-RestMethod -ContentType "application/json" -Uri "$Url/Groups" -Method POST -Headers $Headers -Body $Groupjson -UseBasicParsing
            Write-Host "Create group: The group $($Group) has been created successfully." -ForegroundColor Green
        }
        catch {
            #Windows PowerShell and PowerShell Core word the error message differently,
            #so check the HTTP status code rather than comparing the message text
            $StatusCode = [int]$_.Exception.Response.StatusCode
            if ($StatusCode -eq 409) {
                Write-Host "Error creating group: A group with the name $($Group) already exists." -ForegroundColor Yellow
            }
            else {
                Write-Host "Error has occurred: $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }

    #Loop through each user
    foreach ($User in $Users) {
        #Build the SCIM user object from the CSV columns and convert it to JSON
        $UserObject = @{
            userName    = $User.userName
            name        = @{
                givenName  = $User.firstName
                familyName = $User.lastName
            }
            displayName = $User.displayName
            emails      = @(@{ value = $User.emailAddress; type = "work"; primary = $true })
            active      = $true
        }
        $Userjson = $UserObject | ConvertTo-Json -Depth 4

        #Create users in AWS SSO
        try {
            $Response = Invoke-RestMethod -ContentType "application/json" -Uri "$Url/Users" -Method POST -Headers $Headers -Body $Userjson -UseBasicParsing
            Write-Host "Create user: The user $($User.userName) has been created successfully." -ForegroundColor Green
        }
        catch {
            $StatusCode = [int]$_.Exception.Response.StatusCode
            if ($StatusCode -eq 409) {
                Write-Host "Error creating user: A user with the same username $($User.userName) already exists." -ForegroundColor Yellow
            }
            else {
                Write-Host "Error has occurred: $($_.Exception.Message)" -ForegroundColor Red
            }
        }

        #Get user information: look up the SCIM id of the user by userName
        $UserName = $User.userName
        $UserId = (Invoke-RestMethod -ContentType "application/json" -Uri "$Url/Users?filter=userName%20eq%20%22$UserName%22" -Method GET -Headers $Headers).Resources.id
        if (-not $UserId) {
            Write-Host "Skipping group membership for $($UserName): user not found in AWS SSO." -ForegroundColor Yellow
            continue
        }
        $Groups = $User.memberOf -split ";"

        #Loop through each group and add user to group
        foreach ($Group in $Groups) {
            if (-not [string]::IsNullOrWhiteSpace($Group)) {
                #Get the GroupName and GroupId
                $GroupName = $Group.Trim()
                $GroupId = (Invoke-RestMethod -ContentType "application/json" -Uri "$Url/Groups?filter=displayName%20eq%20%22$GroupName%22" -Method GET -Headers $Headers).Resources.id

                #Store group membership in variable (SCIM PATCH operation that adds the user as a member)
                $AddUserToGroup = @{
                    Operations = @(@{ op = "add"; path = "members"; value = @(@{ value = $UserId }) })
                }

                #Convert to json format (-Depth keeps the nested value array intact)
                $AddUsertoGroupjson = $AddUserToGroup | ConvertTo-Json -Depth 4

                #Add user to group in AWS SSO by patching the group resource
                try {
                    $Response = Invoke-RestMethod -ContentType "application/json" -Uri "$Url/Groups/$GroupId" -Method PATCH -Headers $Headers -Body $AddUsertoGroupjson -UseBasicParsing
                    Write-Host "Add user to group: The user $($User.userName) has been added to $($GroupName) successfully." -ForegroundColor Green
                }
                catch {
                    Write-Host "Error adding $($User.userName) to $($GroupName): $($_.Exception.Message)" -ForegroundColor Red
                }
            }
        }
    }
      
    
    
    4. Use Windows PowerShell to run the script create_users.ps1, as shown in the following figure.

    Figure 4: Run the PowerShell script to create users from CSV in AWS SSO

    5. Use the AWS SSO console to verify that the users and groups were successfully created. In the AWS SSO console, choose Users from the left menu, as shown in figure 5.

    Figure 5: View the newly created users in the AWS SSO console

    6. Use the AWS SSO console to verify that the groups were successfully created. In the AWS SSO console, choose Groups from the left menu, as shown in figure 6.

    Figure 6: View the newly created groups in the AWS SSO console

Your users, groups, and group memberships have now been created in AWS SSO. You can now manage access for these identities in AWS SSO across your own applications, third-party applications (SaaS), and Amazon Web Services (AWS) environments.

How to run the PowerShell script on macOS and Linux

While this post focuses on running the PowerShell script on a Windows system, you can also run it on a Linux or macOS system that has PowerShell Core installed. Follow the steps in this post to create the required CSV file for creating users and groups and adding users to groups. Then, on your Linux or macOS system, run the PowerShell script with the following command, passing the path to create_users.ps1 as the file argument.

pwsh -File 

Conclusion

In this post, we showed you how to programmatically create users and groups from a CSV file in AWS SSO. This solution isn't a replacement for automatic provisioning. However, it can help you get up and running with AWS SSO quickly by reducing the management burden of manually creating users in AWS SSO.

If you have feedback about this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
