AWS IAM Identity Center (successor to AWS Single Sign-On) SCIM Access Token Approaching Expiration

60 days before your SCIM access token expires, you or your AWS administrator will receive the following e-mail:

We're contacting you because you automatically provision users and groups from your corporate identity provider (IdP) to IAM Identity Center, a process which uses the SCIM protocol (System for Cross-domain Identity Management). The SCIM access token used to automatically provision users and groups from your IdP to IAM Identity Center expires in 89 days on xxx xx:xx:xx UTC yyyy.

Action is required before the expiration date to ensure that SCIM automatic provisioning isn’t interrupted. Disruption to this service results in your users and groups no longer being automatically provisioned. This may impose increased security risks and impact access to your services.

What is SCIM?

SCIM stands for System for Cross-domain Identity Management. It is an open standard protocol designed to automate the process of managing user identities and their associated access rights across multiple systems in a heterogeneous IT environment. SCIM is specifically focused on simplifying user provisioning and de-provisioning in cloud-based applications and services. For example, you can provision users and groups from a SCIM provider like Microsoft Azure to Amazon's AWS. On a regular interval, Microsoft Azure will use an API access token to deploy new users and groups to your AWS account.


This access token from AWS has validity of 1 year. 60 days before expiration, you receive the mail above.

How to renew the SCIM access token in AWS

In your AWS account, navigate to IAM Identity Center > Settings > Automatic provisioning. Click on the button Access tokens > Generate token and copy the content of the new token (${NEW_ACCESS_TOKEN}).


How to replace the SCIM access token in Azure

In Microsoft Azure, navigate to Enterprise Applications > ${YOUR AWS REGISTRATION} > Provisioning and click Edit provisioning.


Paste the ${NEW_ACCESS_TOKEN} in the Admin Credentials > Secret Token field and click Test Connection. After successfully testing the connection, click Save.


Remove old AWS token in AWS

In AWS, select the expiring token and click on Delete.