How to connect Azure SCIM to AWS API Gateway


I'm currently working on configuring AWS API Gateway with a Lambda authorizer for implementing rate limiting on requests to an Azure SCIM endpoint. My intended flow is illustrated in the diagram linked here (image not included).

My objective is to configure an AWS API Gateway method with a Lambda authorizer responsible for returning a specific field called the usageIdentifierKey. This key will be used to correlate with an API Gateway usage plan, enabling the API Gateway to apply rate limits based on this identifier.

However, upon creating the AWS API Gateway method and attempting to test the connection with Azure SCIM, I'm encountering an issue. The error code displayed is "SystemForCrossDomainIdentityManagementCredentialValidationUnavailable." The corresponding response content provides the following message:

Response Content: `{"message":"''[Redacted]'' not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer '[Redacted]''."}`

I was referring to the process outlined in Automated Agent Provisioning for Amazon Connect, but I'm not aiming to provision users into AWS. Instead, I'm focused on implementing rate limiting for requests directed towards an Azure SCIM endpoint. My ultimate goal is to retrieve response data and relay it back to a Rails portal.

I'm currently exploring available methods to establish a connection between Azure SCIM and my API Gateway. Any recommendations or suggested approaches for achieving this integration would be greatly appreciated.
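For reference, here is what a TOKEN-type Lambda authorizer that returns the `usageIdentifierKey` described in the question can look like. This is an added example, not code from the question or from AWS; it assumes the method's authorization is set to this Lambda authorizer (not AWS_IAM), that the usage plan's API key source is set to AUTHORIZER, and that the returned key equals the value of an API key attached to that usage plan. The token-to-key table is a constructed placeholder.

```python
"""Added example: TOKEN Lambda authorizer returning a usageIdentifierKey."""
import hmac

# Constructed sample mapping: the bearer secret configured in Entra ID
# provisioning -> the API key value attached to the usage plan.
# In production, load this from Secrets Manager or SSM, not source code.
TOKEN_TO_API_KEY = {
    "example-scim-secret-token": "example-usage-plan-api-key",
}


def extract_bearer(authorization_header):
    """Return the token from 'Bearer <token>', or None if malformed."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def lookup_api_key(token):
    """Constant-time comparison so timing does not leak which token matched."""
    for known, api_key in TOKEN_TO_API_KEY.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return api_key
    return None


def build_policy(principal_id, effect, method_arn, usage_identifier_key=None):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }
    if usage_identifier_key:
        # Must match an API key value in the usage plan (apiKeySource=AUTHORIZER).
        policy["usageIdentifierKey"] = usage_identifier_key
    return policy


def handler(event, context=None):
    """Entry point: TOKEN authorizers receive the raw header in authorizationToken."""
    token = extract_bearer(event.get("authorizationToken"))
    method_arn = event.get("methodArn", "*")
    api_key = lookup_api_key(token) if token else None
    if api_key is None:
        return build_policy("anonymous", "Deny", method_arn)  # 403 to caller
    return build_policy("entra-scim", "Allow", method_arn, api_key)
```

Returning an explicit Deny yields a 403 in the API Gateway test console, which makes a rejected token distinguishable from an authorizer that crashed.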


1 answer

Zollnerd

Part of the credential validation process for Azure AD/Entra's provisioning is to perform a few test actions - all GET calls - in order to confirm the credentials are authorized to interact with the external app/directory via SCIM. If your API gateway isn't already passing through to whatever the application is, that'll be a problem.

I'm not sure what the cause of the error in your screenshot is, but the error returned appears to be coming from the API gateway and relates to the token/credential being passed by Entra provisioning, so you'll likely need to start investigating there.