IAM Identity Center Google Workspace SSO: A Seamless Integration with SCIM
For years, organizations using Google Workspace struggled with integrating AWS IAM Identity Center for Single Sign-On (SSO). Previously, this required a custom Lambda function to synchronize users and groups from Google Workspace into AWS, adding unnecessary complexity. However, in a major shift, AWS now fully supports SCIM 2.0 for user provisioning, making integration much simpler and more secure.
This update is a huge leap forward for organizations using Google Workspace as their identity provider for AWS IAM Identity Center. It eliminates the custom sync overhead, improves security, and ensures that user data is always up to date. But while user provisioning is now automated, group provisioning remains unsupported, requiring manual configuration. Let’s dive into how this integration works, what’s improved, and what challenges remain.
Why IAM Identity Center Google Workspace SSO Matters
Organizations using AWS alongside Google Workspace need secure, centralized identity management. AWS IAM Identity Center (formerly AWS SSO) allows users to sign in with their Google Workspace credentials, reducing password fatigue and ensuring consistent access control across AWS environments.
The Problem Before: Manual Syncing with Lambda
Before SCIM support, integrating Google Workspace SSO with AWS IAM Identity Center was a pain:
- AWS lacked native user provisioning support for Google Workspace.
- A custom Lambda function was needed to sync users and groups into AWS.
- Changes in Google Workspace user attributes didn’t automatically sync to AWS IAM Identity Center.
- Managing access across multiple AWS accounts was time-consuming.
This was frustrating for DevOps teams, requiring constant manual intervention to maintain access control consistency between Google Workspace and AWS IAM Identity Center.
The Fix: SCIM 2.0 for Automatic User Provisioning
The big improvement is that AWS IAM Identity Center now supports SCIM for Google Workspace. This means:
- Automatic user synchronization between Google Workspace and AWS.
- No need for custom Lambda functions—AWS handles it natively.
- User attributes update dynamically whenever they change in Google Workspace.
- Organizations can enforce least privilege access with real-time updates.
With this SCIM-based integration, AWS has removed a major barrier to Google Workspace SSO adoption, making it significantly easier for organizations to manage AWS access.
Step-by-Step Guide: Integrating IAM Identity Center with Google Workspace SSO
The integration process involves configuring Google Workspace as an SAML Identity Provider, enabling SCIM provisioning, and assigning AWS access.
Step 1: Set Up Google Workspace as an SAML Identity Provider
- In Google Admin Console, go to Apps > Web and Mobile Apps.
- Click Add App and search for Amazon Web Services (AWS).
- Download the Google IdP metadata file (or copy the SSO URL and certificate).
Step 2: Configure IAM Identity Center with Google SSO
- Sign in to the AWS IAM Identity Center Console.
- Go to Settings > Actions > Change Identity Source.
- Select External Identity Provider (IdP).
- Upload the Google SAML metadata (or manually enter the SSO URL and certificate).
Step 3: Enable SCIM Auto-Provisioning in AWS IAM Identity Center
- In IAM Identity Center, go to Settings > Automatic Provisioning.
- Click Enable to generate the SCIM endpoint URL and access token.
- Copy these values—this is the only time you can retrieve the access token.
Step 4: Configure SCIM Provisioning in Google Workspace
- Go back to Google Admin Console and open the AWS IAM Identity Center app.
- Under Auto-Provisioning, click Configure Auto-Provisioning.
- Paste the SCIM endpoint URL and access token from AWS.
- Verify user attributes and mappings, then activate auto-provisioning.
Step 5: Assign AWS Account Access to Google Workspace Users
- In IAM Identity Center, go to AWS Accounts > Assign Users and Groups.
- Select users and assign them a Permission Set (e.g., AdministratorAccess).
- Users can now sign into AWS with Google Workspace SSO via the AWS Access Portal.
The Missing Piece: No Automatic Group Provisioning
While this integration is a major step forward, there’s still a critical limitation—AWS IAM Identity Center does not support group provisioning via SCIM for Google Workspace.
This means:
- Groups must be created manually in AWS using CLI or API.
- Google Workspace group memberships are not automatically reflected in AWS IAM Identity Center.
- Access control based on Google Workspace groups requires additional manual configuration.
For teams managing large Google Workspace directories, this is a pain point that still requires workarounds. Some organizations use third-party tools like ssosync to sync groups, but native support would be a huge improvement.
Why This Change Matters for AWS and Google Workspace Users
This integration is a game-changer for AWS customers using Google Workspace. It simplifies SSO and user provisioning, enhances security, and reduces administrative overhead. Key benefits include:
- Eliminates the need for custom Lambda sync scripts.
- Improves security with real-time user updates.
- Reduces administrative workload by automating user provisioning.
- Streamlines AWS account access with Google credentials.
For organizations managing multi-account AWS environments, this SCIM-based integration provides a seamless, scalable solution for SSO and identity management.
Final Thoughts: The Future of IAM Identity Center Google Workspace SSO
The new SCIM integration between AWS IAM Identity Center and Google Workspace is a huge leap forward. It eliminates the biggest pain point—manual user sync—and brings AWS in line with modern identity federation standards.
However, group provisioning remains a gap that AWS needs to address. Until then, organizations must rely on manual group creation or third-party tools.
That said, this update marks a significant improvement in AWS and Google’s collaboration, making IAM Identity Center Google Workspace SSO easier, more secure, and more efficient than ever before.
If your organization relies on Google Workspace for identity management, this SCIM-powered integration is the upgrade you've been waiting for.
AWS Identity Center now almost has a good integration with Google Workspace!
