IAM Identity Center Google Workspace SSO: A Seamless Integration with SCIM

For years, organizations using Google Workspace struggled with integrating AWS IAM Identity Center for Single Sign-On (SSO). Previously, this required a custom Lambda function to synchronize users and groups from Google Workspace into AWS, adding unnecessary complexity. However, in a major shift, AWS now fully supports SCIM 2.0 for user provisioning, making integration much simpler and more secure.

This update is a huge leap forward for organizations using Google Workspace as their identity provider for AWS IAM Identity Center. It eliminates the custom sync overhead, improves security, and ensures that user data is always up to date. But while user provisioning is now automated, group provisioning remains unsupported, requiring manual configuration. Let’s dive into how this integration works, what’s improved, and what challenges remain.

Why IAM Identity Center Google Workspace SSO Matters

Organizations using AWS alongside Google Workspace need secure, centralized identity management. AWS IAM Identity Center (formerly AWS SSO) allows users to sign in with their Google Workspace credentials, reducing password fatigue and ensuring consistent access control across AWS environments.

The Problem Before: Manual Syncing with Lambda

Before SCIM support, integrating Google Workspace SSO with AWS IAM Identity Center was a pain:

  • AWS lacked native user provisioning support for Google Workspace.
  • A custom Lambda function was needed to sync users and groups into AWS.
  • Changes in Google Workspace user attributes didn’t automatically sync to AWS IAM Identity Center.
  • Managing access across multiple AWS accounts was time-consuming.

This was frustrating for DevOps teams, requiring constant manual intervention to maintain access control consistency between Google Workspace and AWS IAM Identity Center.

The Fix: SCIM 2.0 for Automatic User Provisioning

The big improvement is that AWS IAM Identity Center now supports SCIM for Google Workspace. This means:

  • Automatic user synchronization between Google Workspace and AWS.
  • No need for custom Lambda functions—AWS handles it natively.
  • User attributes update dynamically whenever they change in Google Workspace.
  • Organizations can enforce least privilege access with real-time updates.

With this SCIM-based integration, AWS has removed a major barrier to Google Workspace SSO adoption, making it significantly easier for organizations to manage AWS access.

Step-by-Step Guide: Integrating IAM Identity Center with Google Workspace SSO

The integration process involves configuring Google Workspace as a SAML Identity Provider, enabling SCIM provisioning, and assigning AWS access.

Step 1: Set Up Google Workspace as a SAML Identity Provider

  1. In Google Admin Console, go to Apps > Web and Mobile Apps.
  2. Click Add App and search for Amazon Web Services (AWS).
  3. Download the Google IdP metadata file (or copy the SSO URL and certificate).

Step 2: Configure IAM Identity Center with Google SSO

  1. Sign in to the AWS IAM Identity Center Console.
  2. Go to Settings > Actions > Change Identity Source.
  3. Select External Identity Provider (IdP).
  4. Upload the Google SAML metadata (or manually enter the SSO URL and certificate).

Step 3: Enable SCIM Auto-Provisioning in AWS IAM Identity Center

  1. In IAM Identity Center, go to Settings > Automatic Provisioning.
  2. Click Enable to generate the SCIM endpoint URL and access token.
  3. Copy these values—this is the only time you can retrieve the access token.

Step 4: Configure SCIM Provisioning in Google Workspace

  1. Go back to Google Admin Console and open the AWS IAM Identity Center app.
  2. Under Auto-Provisioning, click Configure Auto-Provisioning.
  3. Paste the SCIM endpoint URL and access token from AWS.
  4. Verify user attributes and mappings, then activate auto-provisioning.

Step 5: Assign AWS Account Access to Google Workspace Users

  1. In IAM Identity Center, go to AWS Accounts > Assign Users and Groups.
  2. Select users and assign them a Permission Set (e.g., AdministratorAccess).
  3. Users can now sign in to AWS with Google Workspace SSO via the AWS Access Portal.

The Missing Piece: No Automatic Group Provisioning

While this integration is a major step forward, there’s still a critical limitation—AWS IAM Identity Center does not support group provisioning via SCIM for Google Workspace.

This means:

  • Groups must be created manually in AWS using the CLI or API.
  • Google Workspace group memberships are not automatically reflected in AWS IAM Identity Center.
  • Access control based on Google Workspace groups requires additional manual configuration.

For teams managing large Google Workspace directories, this is a pain point that still requires workarounds. Some organizations use third-party tools like ssosync to sync groups, but native support would be a huge improvement.
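Because SCIM only delivers users, the group side of Step 5 (create the group, add the SCIM-provisioned users, assign the group a permission set) has to be scripted against the Identity Store and SSO Admin APIs. The script below is an added example written for this post, not code from the post, from AWS, or from ssosync. It assumes AWS CLI v2 with permissions for `sso-admin` and `identitystore`, that the users named on the command line already exist in the identity store because SCIM created them (their `UserName` is the Google primary email), and that the group name, account id, permission set ARN and email addresses are placeholders you replace. A user that SCIM has not provisioned is reported and skipped rather than created, so the script never introduces identities that Google Workspace does not know about.

```shell
#!/bin/sh
# Added example (not from the original post): mirror a Google Workspace group
# into IAM Identity Center with the AWS CLI, then grant it a permission set.
# Assumes AWS CLI v2 and users already SCIM-provisioned from Google Workspace.
set -eu

# Identity Center instance ARN and identity store id, resolved from the CLI.
instance_arn() {
  aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text
}
identity_store_id() {
  aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text
}

# SCIM sets UserName to the Google primary email; look the user up by it.
# Prints the UserId, or "None" when SCIM has not (yet) provisioned the user.
user_id_for() {
  aws identitystore list-users --identity-store-id "$1" \
    --filters "AttributePath=UserName,AttributeValue=$2" \
    --query 'Users[0].UserId' --output text
}

# Find a group by DisplayName, creating it if absent; prints the GroupId.
ensure_group() {
  gid=$(aws identitystore list-groups --identity-store-id "$1" \
    --filters "AttributePath=DisplayName,AttributeValue=$2" \
    --query 'Groups[0].GroupId' --output text)
  if [ -z "$gid" ] || [ "$gid" = "None" ]; then
    gid=$(aws identitystore create-group --identity-store-id "$1" \
      --display-name "$2" --description "Mirrors Google Workspace group $2" \
      --query 'GroupId' --output text)
  fi
  printf '%s\n' "$gid"
}

# Add one user to the group. Returns 1 without calling the API when the user
# is not in the identity store, so unprovisioned accounts are skipped, not invented.
add_member() {
  user_id=$(user_id_for "$1" "$3")
  if [ -z "$user_id" ] || [ "$user_id" = "None" ]; then
    echo "not provisioned by SCIM, skipping: $3" >&2
    return 1
  fi
  aws identitystore create-group-membership --identity-store-id "$1" \
    --group-id "$2" --member-id "UserId=$user_id" \
    --query 'MembershipId' --output text
}

# Grant the group a permission set on one account (Step 5, done for a group).
assign_group() {
  aws sso-admin create-account-assignment --instance-arn "$1" \
    --target-id "$3" --target-type AWS_ACCOUNT \
    --permission-set-arn "$4" --principal-type GROUP --principal-id "$2" \
    --query 'AccountAssignmentCreationStatus.Status' --output text
}

# usage: sh mirror_group.sh run <GroupName> <AccountId> <PermissionSetArn> <email>...
main() {
  group="$1"; account="$2"; ps_arn="$3"; shift 3
  store=$(identity_store_id)
  gid=$(ensure_group "$store" "$group")
  for email in "$@"; do
    add_member "$store" "$gid" "$email" >/dev/null || true
  done
  assign_group "$(instance_arn)" "$gid" "$account" "$ps_arn"
}

# Only run when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
  shift
  main "$@"
fi
```

Run it as `sh mirror_group.sh run Engineering 111122223333 arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE alice@example.com bob@example.com` (all placeholder values). Because the group is keyed on its display name and membership is resolved through the SCIM-owned `UserName`, re-running it after Google Workspace changes is safe: existing groups are reused, and anyone SCIM has since removed simply fails the lookup and is reported on stderr.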

Why This Change Matters for AWS and Google Workspace Users

This integration is a game-changer for AWS customers using Google Workspace. It simplifies SSO and user provisioning, enhances security, and reduces administrative overhead. Key benefits include:

  • Eliminates the need for custom Lambda sync scripts.
  • Improves security with real-time user updates.
  • Reduces administrative workload by automating user provisioning.
  • Streamlines AWS account access with Google credentials.

For organizations managing multi-account AWS environments, this SCIM-based integration provides a seamless, scalable solution for SSO and identity management.

Final Thoughts: The Future of IAM Identity Center Google Workspace SSO

The new SCIM integration between AWS IAM Identity Center and Google Workspace is a huge leap forward. It eliminates the biggest pain point—manual user sync—and brings AWS in line with modern identity federation standards.

However, group provisioning remains a gap that AWS needs to address. Until then, organizations must rely on manual group creation or third-party tools.

That said, this update marks a significant improvement in AWS and Google’s collaboration, making IAM Identity Center Google Workspace SSO easier, more secure, and more efficient than ever before.

If your organization relies on Google Workspace for identity management, this SCIM-powered integration is the upgrade you've been waiting for.
