


# Logging IAM Identity Center SCIM API calls using AWS CloudTrail
<a name="scim-logging-using-cloudtrail"></a>

[IAM Identity Center SCIM](other-idps.md) is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, a role, or an AWS service. CloudTrail captures API calls made to SCIM as events. Using the information collected by CloudTrail, you can determine which action was requested, the date and time of the action, the request parameters, and more. To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

**Note**  
CloudTrail is enabled on your AWS account when you create the account. However, if your SCIM access token was created before September 2024, you might need to rotate the token before events from SCIM appear in CloudTrail.  
For more information, see [Rotate an access token](rotate-token.md).

SCIM supports logging the following operations as events in CloudTrail:
+ [CreateGroup](https://docs.aws.amazon.com/singlesignon/latest/developerguide/creategroup.html)
+ [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/developerguide/createuser.html)
+ [DeleteGroup](https://docs.aws.amazon.com/singlesignon/latest/developerguide/deletegroup.html)
+ [DeleteUser](https://docs.aws.amazon.com/singlesignon/latest/developerguide/deleteuser.html)
+ [GetGroup](https://docs.aws.amazon.com/singlesignon/latest/developerguide/getgroup.html)
+ [GetSchema](https://docs.aws.amazon.com/singlesignon/latest/developerguide/getschema.html)
+ [GetUser](https://docs.aws.amazon.com/singlesignon/latest/developerguide/getuser.html)
+ [ListGroups](https://docs.aws.amazon.com/singlesignon/latest/developerguide/listgroups.html)
+ [ListResourceTypes](https://docs.aws.amazon.com/singlesignon/latest/developerguide/listresourcetypes.html)
+ [ListSchemas](https://docs.aws.amazon.com/singlesignon/latest/developerguide/listschemas.html)
+ [ListUsers](https://docs.aws.amazon.com/singlesignon/latest/developerguide/listusers.html)
+ [PatchGroup](https://docs.aws.amazon.com/singlesignon/latest/developerguide/patchgroup.html)
+ [PatchUser](https://docs.aws.amazon.com/singlesignon/latest/developerguide/patchuser.html)
+ [PutUser](https://docs.aws.amazon.com/singlesignon/latest/developerguide/putuser.html)
+ [ServiceProviderConfig](https://docs.aws.amazon.com/singlesignon/latest/developerguide/serviceproviderconfig.html)

## CloudTrail event examples
<a name="scim-logging-using-cloudtrail-examples"></a>

The following examples show typical CloudTrail event logs generated during SCIM operations with IAM Identity Center. They show the structure and content of events for a successful operation and for common error cases, to help you interpret CloudTrail logs when troubleshooting SCIM provisioning issues.

### Successful `CreateUser` operation
<a name="scim-successful-createuser-example"></a>

This CloudTrail event shows a successful `CreateUser` operation performed through the SCIM API. The event captures both the request parameters (with sensitive values masked) and the response elements, including the ID of the newly created user. An event of this type is generated when an identity provider successfully provisions a new user into IAM Identity Center over the SCIM protocol.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `PatchGroup` operation: missing required path attribute
<a name="scim-failed-patchgroup-example"></a>

This CloudTrail event shows a failed `PatchGroup` operation that resulted in a `ValidationException` with the error message `"Missing path in PATCH request"`. The error occurs because a `PATCH` operation requires a path attribute that specifies which group attribute to modify, and that attribute is absent from the request.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `CreateGroup` operation: group name already exists
<a name="scim-failed-creategroup-example"></a>

This CloudTrail event shows a failed `CreateGroup` operation that resulted in a `ConflictException` with the error message `"Duplicate GroupDisplayName"`. The error occurs when an attempt is made to create a group whose display name already exists in IAM Identity Center. The identity provider must use a unique group name, or update the existing group instead of creating a new one.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```

### Failed `PatchUser` operation: multiple email addresses not supported
<a name="scim-failed-patchuser-example"></a>

This CloudTrail event shows a failed `PatchUser` operation that resulted in a `ValidationException` with the error message `"List attribute emails exceeds allowed limit of 1"`. The error occurs when an attempt is made to assign multiple email addresses to a user, because IAM Identity Center supports only one email address per user. The identity provider must configure its SCIM attribute mappings to send a single email address per user.

```
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
```
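The following is an added example, not part of the AWS documentation, showing how to triage a batch of SCIM CloudTrail records like the ones above with the Python standard library. The records are constructed samples, trimmed to the fields the triage reads; `load_records` assumes the standard CloudTrail log-file shape of `{"Records": [...]}`.

```python
import json
from collections import Counter

SCIM_SOURCE = "identitystore-scim.amazonaws.com"

# Constructed sample records, trimmed to the fields the triage reads;
# real CloudTrail records carry the full structure shown above.
SAMPLE_EVENTS = [
    {"eventSource": SCIM_SOURCE, "eventName": "CreateUser",
     "responseElements": {"id": "c4488478-a0e1-700e-3d75-96c6bb641596"}},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchGroup",
     "errorCode": "ValidationException",
     "errorMessage": "Missing path in PATCH request"},
    {"eventSource": SCIM_SOURCE, "eventName": "CreateGroup",
     "errorCode": "ConflictException",
     "errorMessage": "Duplicate GroupDisplayName"},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchUser",
     "errorCode": "ValidationException",
     "errorMessage": "List attribute emails exceeds allowed limit of 1"},
    # An unrelated management event that the SCIM filter must drop
    {"eventSource": "sso.amazonaws.com", "eventName": "CreatePermissionSet"},
]


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) or one bare event."""
    data = json.loads(text)
    if isinstance(data, dict) and "Records" in data:
        return data["Records"]
    return [data]


def scim_events(records):
    """Keep only events emitted by the SCIM endpoint."""
    return [r for r in records if r.get("eventSource") == SCIM_SOURCE]


def summarize(records):
    """Count successful SCIM calls and group failures by (eventName, errorCode),
    keeping each errorMessage so it can be matched against the messages
    documented on this page."""
    ok, failed, messages = 0, Counter(), []
    for r in scim_events(records):
        if "errorCode" in r:  # CloudTrail adds errorCode only on failure
            failed[(r["eventName"], r["errorCode"])] += 1
            messages.append((r["eventName"], r.get("errorMessage", "")))
        else:
            ok += 1
    return {"ok": ok, "failed": dict(failed), "messages": messages}
```

Point `load_records` at a decompressed CloudTrail log file and feed the result to `summarize` to see which SCIM operations are failing and why.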

## Common SCIM API validation errors in IAM Identity Center
<a name="scim-cloudtrail-common-errors"></a>

When you use the SCIM API with IAM Identity Center, the following validation error messages commonly appear in CloudTrail events. These validation errors typically occur during user and group provisioning operations.

For detailed guidance on resolving these errors and configuring SCIM provisioning correctly, see this [AWS re:Post article](https://repost.aws//knowledge-center/iam-identity-center-provision).
+ List attribute emails exceeds allowed limit of 1
+ List attribute addresses exceeds allowed limit of 1
+ 1 validation error detected: Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ 2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ 2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+
+ Invalid JSON in RequestBody
+ Invalid filter format
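The following is an added example, not part of the AWS documentation, that checks a SCIM request body against the constraints behind the messages listed above before it is sent, so that a mapping problem can be caught at the identity-provider side rather than found in CloudTrail afterwards. Python's `re` module has no `\p{...}` classes, so the pattern is implemented with Unicode general categories, which is assumed to be equivalent; the message texts are taken from this page.

```python
import unicodedata

# Character classes of the pattern [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+ quoted
# in the messages above: letters, marks, symbols, numbers, punctuation, plus
# tab, newline, carriage return and space. Python's re lacks \p{...}, so the
# check walks Unicode general categories instead (assumed equivalent).
_ALLOWED_CATEGORIES = set("LMSNP")
_ALLOWED_WHITESPACE = set("\t\n\r ")
_PATTERN_TEXT = "[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+"
_SINGLE_VALUED = ("emails", "addresses")  # list attributes limited to one entry


def matches_name_pattern(value):
    """True when value is non-empty and every character is in an allowed class."""
    return len(value) >= 1 and all(
        ch in _ALLOWED_WHITESPACE or unicodedata.category(ch)[0] in _ALLOWED_CATEGORIES
        for ch in value)


def validate_user_body(body):
    """Return the documented error messages a user body (CreateUser/PutUser) triggers."""
    errors = []
    for attr in _SINGLE_VALUED:
        if len(body.get(attr) or []) > 1:
            errors.append(f"List attribute {attr} exceeds allowed limit of 1")
    family = (body.get("name") or {}).get("familyName")
    if family is not None:
        prefix = "Value at 'name.familyName' failed to satisfy constraint: "
        if len(family) < 1:
            errors.append(prefix + "Member must have length greater than or equal to 1")
        if not matches_name_pattern(family):
            errors.append(prefix + "Member must satisfy regular expression pattern: "
                          + _PATTERN_TEXT)
    return errors


def validate_patch_body(body):
    """Every PATCH operation needs a path (see the failed PatchGroup event above)."""
    ops = body.get("operations") or body.get("Operations") or []
    return ["Missing path in PATCH request" for op in ops if "path" not in op]
```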