
Has anybody found a way to automatically be notified when the SCIM access token expiry date is approaching? This is to help with using an external identity provider for the SSO with Azure AD. AzureAD automatically notifies you 90, 60, 30 and 7 days before the SAML certificate is going to expire, however for the SSO provisioning which is generated with an access token on the AWS side there doesn't seem to be a way that will automatically notify users when that token is about to expire. Any help would be greatly appreciated.

Ansuman Bal
    Unfortunately this is a common issue with certificates. So far the best option we found is using a team-wide shared calendar to notify us when some/any certificate is about to expire. For tokens, that is different, any token should have defined lifetime and it's a task of the client to renew a token. – gusto2 Oct 21 '21 at 09:03
  • Yeah so in this case it's the task of the AWS user to generate an OAuth bearer access token and then apply that token secret to the AzureAD SCIM endpoint. You get a year from when the token is generated, I find it very hard to believe that AWS don't provide a mechanism to warn the AWS user when the token expiry date is approaching. However AzureAD do provide an automated email notification when the SAML 2.0 certificate is about to expire. – DevEng user Oct 21 '21 at 10:34
  • OAuth bearer tokens are usually short-lived (an hour), and it is the responsibility of the client to track the expiration and revocation or renewal (maybe except the offline scope). No IdP warns their users (it may be a federated user, system user, ...) about the validity of access tokens. An IdP certificate (used for SAML or JWT signing) is different, there a whole IdP stops being valid. – gusto2 Oct 21 '21 at 10:57
  • `AWS user to generate a OAuth bearer access token and then apply that token secret to the AzureAD SCIM endpoint` maybe you edit the question and describe the use case better. I see no reason why the user's access token would be used for the AzureAD SCIM – gusto2 Oct 21 '21 at 11:05
  • By user I mean whoever is configuring the SCIM provisioning configuration on the AWS-SSO-SETTINGS-PROVISIONING config for external IdP. Once generated here it has to be entered into the AzureAD automatic provisioning settings along with the URL of the AWS SCIM endpoint. It's all in the AWS and Azure docs, I was just hoping someone may have a solution like using a Lambda function to trigger AWS SNS or something – DevEng user Oct 21 '21 at 12:08

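The "Lambda function to trigger AWS SNS" idea from the last comment, written out as an added example; this is not code from the question, from AWS or from Azure. Since the thread establishes that nothing on the AWS side reports the SCIM token's expiry, the example assumes the person who generates the token records the expiry date shown at creation time in a `SCIM_TOKEN_EXPIRES_AT` environment variable (hypothetical name, ISO 8601), that `SNS_TOPIC_ARN` (hypothetical name) points at a topic the team subscribes to, and that the function runs once a day from a schedule rule. The warning cadence copies the 90/60/30/7-day schedule Azure AD uses for its SAML certificate, and the function keeps alarming daily inside the last week and after expiry.

```python
"""Daily check for an approaching AWS SSO SCIM access-token expiry (example, not AWS code).

Assumptions (labelled): AWS exposes no API for the SCIM token's expiry, so the
date shown when the token was generated is recorded by hand in the Lambda's
SCIM_TOKEN_EXPIRES_AT environment variable (e.g. 2022-10-21T09:00:00+00:00;
a naive timestamp is treated as UTC). SNS_TOPIC_ARN names the topic to publish
to. Both variable names are hypothetical. The function is scheduled once a day.
"""
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Same cadence Azure AD uses for its SAML certificate expiry warnings.
WARNING_DAYS = (90, 60, 30, 7)


def parse_expiry(value: str) -> datetime:
    """Parse the recorded expiry timestamp; a timestamp without a zone is taken as UTC."""
    expires_at = datetime.fromisoformat(value.strip())
    if expires_at.tzinfo is None:
        expires_at = expires_at.replace(tzinfo=timezone.utc)
    return expires_at


def days_until_expiry(expires_at: datetime, now: datetime) -> int:
    """Whole days left before expiry; negative once the token has expired."""
    return (expires_at - now).days


def build_alert(expires_at: datetime, now: datetime) -> Optional[str]:
    """Return the notification text if one is due today, otherwise None.

    A warning is due on each day in WARNING_DAYS, every day inside the final
    7 days, and every day after expiry (provisioning is broken until the token
    is replaced, so the alarm should not go quiet).
    """
    days_left = days_until_expiry(expires_at, now)
    when = expires_at.strftime("%Y-%m-%d")
    if days_left < 0:
        return (
            f"EXPIRED: the AWS SSO SCIM access token expired {-days_left} day(s) ago "
            f"({when}). Azure AD provisioning to AWS will fail until a new token is "
            f"generated in AWS SSO and entered in the Azure AD provisioning settings."
        )
    if days_left in WARNING_DAYS or days_left <= min(WARNING_DAYS):
        return (
            f"The AWS SSO SCIM access token expires in {days_left} day(s) on {when}. "
            f"Generate a new token in AWS SSO and update the Azure AD provisioning "
            f"credentials before then."
        )
    return None


def lambda_handler(event, context):
    """Scheduled entry point: publish to SNS only on the days a warning is due."""
    expires_at = parse_expiry(os.environ["SCIM_TOKEN_EXPIRES_AT"])
    now = datetime.now(timezone.utc)
    message = build_alert(expires_at, now)
    result = {"days_left": days_until_expiry(expires_at, now), "alerted": message is not None}
    if message is not None:
        import boto3  # imported lazily so the date logic above runs without AWS credentials

        boto3.client("sns").publish(
            TopicArn=os.environ["SNS_TOPIC_ARN"],
            Subject="AWS SSO SCIM access token expiry warning",
            Message=message,
        )
    return result


# Constructed sample value used for the stand-alone run below.
SAMPLE_EXPIRY = parse_expiry("2022-10-21T09:00:00+00:00")

if __name__ == "__main__":
    # Pretend today is 30 days before the sample expiry: a warning is due.
    print(build_alert(SAMPLE_EXPIRY, SAMPLE_EXPIRY - timedelta(days=30)))
    # 45 days out: nothing is sent.
    print(build_alert(SAMPLE_EXPIRY, SAMPLE_EXPIRY - timedelta(days=45)))
```

The handler only needs `sns:Publish` on the topic; schedule it with a daily rate rule so that `days_left` changes by exactly one per run and each threshold day is hit once. The recorded expiry date is the weak point of this design: if the token is rotated without updating the variable, the check silently watches the wrong date, so rotating the token and updating the variable should be one documented step.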