AZURE AD --> SCIM on GCP GKE is not working

Hey everyone,
we use the AWS terraform deployment and run into the same error. I'm not sure when it first appears, but at the same week the error fist appears the auto-scaling-group started a new instance.
We tried to generate new credentials (bearer token & sessionfile), updated the aws secret and redeploy the infrastructure - nothing solved the error. Do you have made any progress on this issue ?
Cedric

Hey @graham_1P,

I already have contact with your support-Team, but I also like to make the process public - I hate open issues without a solution.

It's difficult to access the AWS-Instance, but with a modified instance role and the session-manager I was able to view the logs on the Instance and run the curl cmd. As you said I get a Unauthorized and I found this at the logfile:

May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (INFO) Handling GET: /scim/Users

May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (ERROR) AuthWrap failed to FindCredentials: failed to detect localAuth version: failed to Unmarshal credentials file data into map: invalid character 'C' looking for beginning of value

May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (WARN) 401 (Unauthorized)

Could you take a look at it ? Maybe there is a issue with the aws secret. I'am not very familar with aws secrets but followed your documentation.

Cedric

Hey @graham_1P,

I didn't want to criticise your way of support, unfortunately you answer a lot faster than your support-team :)
If we get to the point you need more sensitive data, we can surely change to email.

Yes i followed this introduction page, but only updated an existing secret. We need to update the credentials of our provision manager for security purposes. The update command looks like:

aws.cmd secretsmanager update-secret --secret-id <secret/id> --secret-binary <Windows Path to session file> --region <region>

I used the session file I get from the provision manager setup process without modifying anything.
The result of:

 aws.cmd secretsmanager describe-secret --secret-id <secret/id> --region <region>

looks like:

{
    "ARN": "<arn>",
    "Name": "<secret/id>",
    "Description": "SCIM bridge session file for 1Password provisioning",
    "LastChangedDate": 1590559529.005,
    "LastAccessedDate": 1590537600.0,
    "VersionIdsToStages": {
        "5406f9a8-5383-4512-be10-f004e4a68968": [
            "AWSCURRENT"
        ],
        "b4c26313-03b4-4fcb-a887-55d39554a68a": [
            "AWSPREVIOUS"
        ]
    }
}

We use the default encryption key.

I hope I haven't mention any sensitive data ;)

Have a nice day !

Cedric

Hey again - it's me !
I also solved the SystemForCrossDomainIdentityManagementCredentialValidationUnavailable our AzureAD Application wasn't setup correctly - I doesn't know exactly why. We only reconfigure it followed these steps. Now everything works fine.
I only have one open issue. My personal 1Password account is part of the Provision Manager Group and now I have access to every vault of a provisioned user - can i remove my account out of this group without losing any access or control?

Cedric

Hey @graham_1P,
I'm not sure what you mean by "AzureAD instance". We only set up a "enterprise application" on the Azure side. This application was not set up correctly. I took over the project from a former colleague, so I can't tell you exactly what was going on. I suspect something is wrong with a URL because the AWS instance is not receiving traffic from Azure. I deleted the old "enterprise application" and created a new one with your documentation.
Now everything works fine. Thanks for your help!!!
Cedric