OneLogin - AWS SCIM Provisioning Fails with "Authorization Failure" or UnauthorizedException (4383246)

In OneLogin, you may see an error such as:

User failed creating in app. Authorization failure. The authorization header is invalid or missing.

OneLogin backend logs may show an AWS authorization error similar to:

x-amzn-errortype: UnauthorizedException
Request URL: POST https://scim.<region>.amazonaws.com/<tenant>/scim/v2/Users
Request Headers: {"CONTENT-TYPE"=>"application/json", "AUTHORIZATION"=>"[FILTERED]"}

This issue may affect a single user even if provisioning appears to work for others.

This issue typically occurs when the SCIM bearer token configured in the OneLogin AWS application is no longer valid.

Common scenarios include:

• The token has expired
• The token has been rotated or regenerated in AWS
• The token in OneLogin does not match the active SCIM token in AWS IAM Identity Center.

To resolve the issue, refresh the SCIM bearer token in OneLogin:

Step 1: Update Token in OneLogin

1. In OneLogin, open the affected AWS application.
2. Navigate to Configuration.
3. Toggle API Status to Disabled.

Step 2: Generate a New Token in AWS

1. Open the AWS IAM Identity Center (formerly AWS SSO) admin console.
2. Generate a new SCIM bearer token.

Step 3: Apply the Token in OneLogin

1. Copy the newly generated token from AWS.
2. Paste it into the SCIM Bearer Token field in the OneLogin application.
3. Re-enable API Status.

Step 4: Retry Provisioning

1. Go to the Users tab in the AWS application within OneLogin.
2. Select the affected user.
3. From the top-right menu, choose:
   • Apply to all → Reset
4. Save the user assignment.
5. Retry provisioning.