How to bulk import users and groups from CSV into AWS SSO
Once you connect an external identity provider (IdP) to AWS Single Sign-On (SSO) using the Security Assertion Markup Language (SAML) 2.0 standard, you must create all users and groups in AWS SSO before you can create any assignments to AWS accounts or applications. If your IdP supports user and group provisioning through the System for Cross-Domain Identity Management (SCIM), we strongly recommend using SCIM to simplify ongoing lifecycle management for the users and groups in AWS SSO.
If your IdP doesn't yet support automatic provisioning, you have to create your users and groups in AWS SSO manually. Although manual creation of users and groups may be the simplest way to get started, it is tedious and error-prone.
In this post, we show you how to use a comma-separated values (CSV) file to bulk create users and groups in AWS SSO.
How it works
AWS SSO supports automatic provisioning of user and group information from an external IdP into AWS SSO using the SCIM protocol. For this solution, you use a PowerShell script to simulate a SCIM server and provision users and groups from the CSV file into AWS SSO. You create and populate the CSV file with your user and group information, which the PowerShell script then uses. Next, on your Windows, Linux, or macOS system with PowerShell Core installed, you run the PowerShell script. The script reads users and groups from the CSV file and programmatically creates the users and groups in AWS SSO using your SCIM configuration for AWS SSO.
In this blog post, we assume the following:
- You already have an AWS SSO-enabled account (free). For more information, see Enable AWS SSO.
- You have the permissions needed to add users and groups in AWS SSO.
- You have configured a SAML IdP with AWS SSO, as described in How to Configure SAML 2.0 for AWS Single Sign-On.
- You're using a Windows, macOS, or Linux system with PowerShell Core installed.
- If you're not using a system with PowerShell Core installed, you're using a Windows 7 or later system with PowerShell 4.0 or later installed.
Note: This post was authored and the code tested on a Microsoft Windows Server 2019 system with PowerShell installed.
Enable automatic provisioning
In this step, you enable automatic provisioning in AWS SSO. You use the automatic provisioning endpoints for AWS SSO to connect and create users and groups in AWS SSO.
To enable automatic provisioning in AWS SSO
- In the AWS SSO console, go to the Single Sign-On page and choose Settings.
- Change the provisioning from Manual to SCIM by choosing Enable automatic provisioning.
- Copy the SCIM endpoint and the Access token (you can have up to two access token IDs). You use these values later.
Bulk create users and groups into AWS SSO
In this section, you create your users and groups from the CSV file into AWS SSO. To do this, you create a CSV file with your users' profile information (for example: first name, last name, display name, and other values). You also create a PowerShell script to connect to AWS SSO and create the users and groups from the CSV file in AWS SSO.
To bulk create your users from the CSV file
- Create a file called csv-example-users.csv with the following column headings: firstName, lastName, userName, displayName, emailAddress, and memberOf.
Note: The memberOf column contains all the groups you want to add a user to in AWS SSO. If a group you want to add a user to doesn't exist in AWS SSO, the script creates the group for you automatically. To add a user to multiple groups, list the group names separated by semicolons in the memberOf column.
- Populate the CSV file csv-example-users.csv with the users you want to create in AWS SSO.
Note: Before you populate the CSV file, take note of the existing users, groups, and group memberships in AWS SSO. Make sure that none of the users or groups in the CSV file already exists in AWS SSO.
Note: For this to work, every user in csv-example-users.csv must have the firstName, lastName, userName, displayName, and emailAddress values specified. If any of these values is missing, that user isn't created. The userName and emailAddress values must not contain any spaces.
- Next, create a create_users.ps1 file and copy the following PowerShell code into it. Use a text editor such as Notepad or TextEdit to edit the create_users.ps1 file.
- Replace the SCIM endpoint placeholder in the script with the SCIM endpoint value you copied earlier.
- Replace the access token placeholder in the script with the Access token value you copied earlier.
- Replace the CSV file placeholder in the script with the location of your CSV file (for example, C:\Users\testuser\Downloads\csv-example-users.csv; relative paths are also accepted).
- Use Windows PowerShell to run the script create_users.ps1, as shown in the following figure.
- Use the AWS SSO console to verify that the users were successfully created. In the AWS SSO console, choose Users from the left menu, as shown in figure 5.
- Use the AWS SSO console to verify that the groups were successfully created. In the AWS SSO console, choose Groups from the left menu, as shown in figure 6.
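The procedure above, as an added example (this is not the original post's create_users.ps1): the script reads csv-example-users.csv, skips rows that fail the checks in the notes above, creates each user through the SCIM /Users endpoint, and looks up or creates each group in memberOf before adding the user to it. It assumes the SCIM endpoint and access token copied from the console are supplied as the SCIM_ENDPOINT and SCIM_TOKEN environment variables (names chosen for this example) instead of being pasted into the script.

```powershell
# Added example (not the post's own create_users.ps1). Assumes the SCIM endpoint and access
# token copied from the AWS SSO console are in the SCIM_ENDPOINT and SCIM_TOKEN env vars.
$Endpoint = $env:SCIM_ENDPOINT.TrimEnd('/')
$Headers  = @{ Authorization = "Bearer $env:SCIM_TOKEN"; 'Content-Type' = 'application/scim+json' }
$Required = 'firstName', 'lastName', 'userName', 'displayName', 'emailAddress'
$GroupIds = @{}   # cache: group displayName -> SCIM id, so each group is resolved once

function Get-OrCreateGroup([string]$Name) {
    if ($GroupIds.ContainsKey($Name)) { return $GroupIds[$Name] }
    # Look the group up by displayName first; only create it if it doesn't exist yet
    $filter = [uri]::EscapeDataString("displayName eq `"$Name`"")
    $found = Invoke-RestMethod -Method Get -Uri "$Endpoint/Groups?filter=$filter" -Headers $Headers
    if ($found.totalResults -gt 0) {
        $id = $found.Resources[0].id
    } else {
        $body = @{ schemas = @('urn:ietf:params:scim:schemas:core:2.0:Group'); displayName = $Name } | ConvertTo-Json
        $id = (Invoke-RestMethod -Method Post -Uri "$Endpoint/Groups" -Headers $Headers -Body $body).id
    }
    $GroupIds[$Name] = $id
    return $id
}

function New-ScimUser($Row) {
    $body = @{
        schemas     = @('urn:ietf:params:scim:schemas:core:2.0:User')
        userName    = $Row.userName
        name        = @{ givenName = $Row.firstName; familyName = $Row.lastName }
        displayName = $Row.displayName
        emails      = @(@{ value = $Row.emailAddress; type = 'work'; primary = $true })
        active      = $true
    } | ConvertTo-Json -Depth 5
    return (Invoke-RestMethod -Method Post -Uri "$Endpoint/Users" -Headers $Headers -Body $body).id
}
function Add-UserToGroup([string]$GroupId, [string]$UserId) {
    $patch = @{ schemas = @('urn:ietf:params:scim:api:messages:2.0:PatchOp')
                Operations = @(@{ op = 'add'; path = 'members'; value = @(@{ value = $UserId }) }) } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Patch -Uri "$Endpoint/Groups/$GroupId" -Headers $Headers -Body $patch | Out-Null
}
foreach ($row in Import-Csv -Path 'csv-example-users.csv') {
    # Rows missing a required value, or with spaces in userName/emailAddress, are skipped rather than created
    $missing = $Required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) }
    if ($missing) { Write-Warning "Skipping '$($row.userName)': missing $($missing -join ', ')"; continue }
    if ($row.userName -match '\s' -or $row.emailAddress -match '\s') { Write-Warning "Skipping '$($row.userName)': contains spaces"; continue }
    $userId = New-ScimUser $row
    foreach ($g in ($row.memberOf -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        Add-UserToGroup -GroupId (Get-OrCreateGroup $g) -UserId $userId
    }
    Write-Host "Created $($row.userName) ($userId)"
}
```

Because the group lookup filters on displayName before creating, rerunning the script after adding rows to the CSV does not duplicate groups, but it will still fail on users that already exist, matching the note above about pre-existing users.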
Your users, groups, and group memberships have now been created in AWS SSO. You can now manage access for these identities in AWS SSO across your own applications, third-party applications (SaaS), and Amazon Web Services (AWS) environments.
How to run the PowerShell script on macOS
While this post focuses on running the PowerShell script on a Windows system, you can also run it on a Linux or macOS system that has PowerShell Core installed. You can then follow the steps in this post to create the required CSV file for creating users and groups and adding users to groups. Then, on your Linux or macOS system, you can run the PowerShell script using the following command.
In this post, we showed you how to programmatically create users and groups from a CSV file into AWS SSO. This solution isn't a replacement for automatic provisioning. However, it can help you get up and running with AWS SSO quickly by reducing the administrative burden of manually creating users in AWS SSO.