

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

# Logging IAM Identity Center SCIM API calls using Amazon CloudTrail
<a name="scim-logging-using-cloudtrail"></a>

[IAM Identity Center SCIM](other-idps.md) is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, a role, or an Amazon Web Services service. CloudTrail captures SCIM API calls as events. Using the information collected by CloudTrail, you can determine which operation was requested, the date and time of the operation, the request parameters, and more. To learn more about CloudTrail, see the [Amazon CloudTrail User Guide](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

**Note**  
CloudTrail is enabled on your Amazon Web Services account when you create the account. However, if your access token was created before September 2024, you might need to rotate the access token before you can see events from SCIM.  
For more information, see [Rotate an access token](rotate-token.md).

SCIM supports logging the following actions as CloudTrail events:
+ [CreateGroup](https://docs.amazonaws.cn/singlesignon/latest/developerguide/creategroup.html)
+ [CreateUser](https://docs.amazonaws.cn/singlesignon/latest/developerguide/createuser.html)
+ [DeleteGroup](https://docs.amazonaws.cn/singlesignon/latest/developerguide/deletegroup.html)
+ [DeleteUser](https://docs.amazonaws.cn/singlesignon/latest/developerguide/deleteuser.html)
+ [GetGroup](https://docs.amazonaws.cn/singlesignon/latest/developerguide/getgroup.html)
+ [GetSchema](https://docs.amazonaws.cn/singlesignon/latest/developerguide/getschema.html)
+ [GetUser](https://docs.amazonaws.cn/singlesignon/latest/developerguide/getuser.html)
+ [ListGroups](https://docs.amazonaws.cn/singlesignon/latest/developerguide/listgroups.html)
+ [ListResourceTypes](https://docs.amazonaws.cn/singlesignon/latest/developerguide/listresourcetypes.html)
+ [ListSchemas](https://docs.amazonaws.cn/singlesignon/latest/developerguide/listschemas.html)
+ [ListUsers](https://docs.amazonaws.cn/singlesignon/latest/developerguide/listusers.html)
+ [PatchGroup](https://docs.amazonaws.cn/singlesignon/latest/developerguide/patchgroup.html)
+ [PatchUser](https://docs.amazonaws.cn/singlesignon/latest/developerguide/patchuser.html)
+ [PutUser](https://docs.amazonaws.cn/singlesignon/latest/developerguide/putuser.html)
+ [ServiceProviderConfig](https://docs.amazonaws.cn/singlesignon/latest/developerguide/serviceproviderconfig.html)

## Example CloudTrail events
<a name="scim-logging-using-cloudtrail-examples"></a>

The following examples show typical CloudTrail event logs generated during SCIM operations with IAM Identity Center. They show the structure and content of events for a successful operation and for common error scenarios, so that you can interpret CloudTrail logs when troubleshooting your SCIM configuration.

### Successful `CreateUser` operation
<a name="scim-successful-createuser-example"></a>

This CloudTrail event shows a successful `CreateUser` operation performed through the SCIM API. The event captures the request parameters (with sensitive values redacted) and the response elements, including the ID of the newly created user. Events of this kind are generated when an identity provider successfully provisions a new user into IAM Identity Center over the SCIM protocol.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,  
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `PatchGroup` operation: missing required path attribute
<a name="scim-failed-patchgroup-example"></a>

This CloudTrail event shows a failed `PatchGroup` operation that resulted in a `ValidationException` with the error message `"Missing path in PATCH request"`. The error occurs because a `PATCH` operation requires a path attribute that specifies which group attribute to modify, and that attribute was missing from the request.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `CreateGroup` operation: group name already exists
<a name="scim-failed-creategroup-example"></a>

This CloudTrail event shows a failed `CreateGroup` operation that resulted in a `ConflictException` with the error message `"Duplicate GroupDisplayName"`. The error occurs when an attempt is made to create a group whose display name already exists in IAM Identity Center. The identity provider must use a unique group name, or update the existing group instead of creating a new one.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `PatchUser` operation: multiple email addresses not supported
<a name="scim-failed-patchuser-example"></a>

This CloudTrail event shows a failed `PatchUser` operation that resulted in a `ValidationException` with the error message `"List attribute emails exceeds allowed limit of 1"`. The error occurs when an attempt is made to assign more than one email address to a user, because IAM Identity Center supports only one email address per user. The identity provider must configure its SCIM attribute mappings so that only a single email address is sent for each user.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

## Common SCIM API validation errors in IAM Identity Center
<a name="scim-cloudtrail-common-errors"></a>

When you use the SCIM API with IAM Identity Center, the following validation error messages commonly appear in CloudTrail events. These validation errors typically occur during user and group provisioning operations.

For detailed guidance on resolving these errors and configuring SCIM provisioning correctly, see this [Amazon Web Services re:Post article](https://repost.aws//knowledge-center/iam-identity-center-provision).
+ List attribute email exceeds allowed limit of 1
+ List attribute addresses allowed limit of 1
+ 1 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ 2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ 2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ JSON RequestBody
+ Invalid Filter format
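As an added example (not part of this guide or of any Amazon tool), the following Python script triages CloudTrail records of the kind shown in the example events above and emulates the name pattern constraint quoted in the validation errors listed here. The records are constructed from the examples with placeholder values, and the remediation hints are assumptions for illustration.

```python
import unicodedata

SCIM_SOURCE = "identitystore-scim.amazonaws.com"

# Constructed sample CloudTrail records modelled on the events shown above;
# fields not needed for triage are omitted and values are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": SCIM_SOURCE, "eventName": "CreateUser", "readOnly": False,
     "responseElements": {"id": "c4488478-a0e1-700e-3d75-96c6bb641596"}},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchGroup",
     "errorCode": "ValidationException",
     "errorMessage": "Missing path in PATCH request"},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchUser",
     "errorCode": "ValidationException",
     "errorMessage": "List attribute emails exceeds allowed limit of 1"},
    # A non-SCIM record that the triage must ignore.
    {"eventSource": "sso.amazonaws.com", "eventName": "ListInstances", "readOnly": True},
]

# Remediation hints (assumed wording) keyed by a substring of the error
# messages documented on this page. Order matters: first match wins.
HINTS = {
    "Missing path in PATCH request": "add a 'path' to every PATCH operation",
    "exceeds allowed limit of 1": "send a single value for this multi-valued attribute",
    "Duplicate GroupDisplayName": "use a unique displayName or update the existing group",
    "failed to satisfy constraint": "check attribute length and allowed characters",
    "Invalid Filter format": "correct the SCIM filter expression",
}


def triage_scim_events(records):
    """Return (eventName, errorCode, hint) for each failed SCIM call in records."""
    failures = []
    for rec in records:
        if rec.get("eventSource") != SCIM_SOURCE or "errorCode" not in rec:
            continue
        msg = rec.get("errorMessage", "")
        hint = next((h for key, h in HINTS.items() if key in msg),
                    "unrecognised error, inspect requestParameters")
        failures.append((rec["eventName"], rec["errorCode"], hint))
    return failures


def satisfies_name_pattern(value):
    r"""Emulate [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+ using Unicode general categories."""
    if not value:  # the '+' quantifier also requires length >= 1
        return False
    return all(unicodedata.category(ch)[0] in "LMSNP" or ch in "\t\n\r "
               for ch in value)


if __name__ == "__main__":
    for name, code, hint in triage_scim_events(SAMPLE_RECORDS):
        print(f"{name}: {code} -> {hint}")
```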