About Amazon Web Services integration
Integrating your Amazon Web Services (AWS) instance with Okta lets your users authenticate to one or more AWS accounts and gain access to specific roles using single sign-on (SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.) with SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated.. An Okta adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. can download roles from one or more AWS accounts into Okta, and assign those accounts to users. In addition, an Okta admin can set the duration of the authenticated session of users using Okta.
When logging in to AWS, end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. choose a role from a list of AWS roles assigned to them in one or more AWS accounts. This role defines their permissions for the authenticated session.
AWS account refers to an account in AWS and not to a user in the account or in Okta.
The Okta AWS–SAML integration supports IdP-initiated SSOAn IdP Initiated SSO flow is a SSO operation that was started from the IdP Security Domain. The IdP federation server creates a federation SSO response and redirects the user to the SP with the response message and an optional operational state..
The Role attribute is used for the Federated User Login and Amazon IAM Role SSO modes. The Role attribute may also be used as a default value for SAML 2.0 if no SAML user roles are selected.
The SAML user roles attribute is used for SAML 2.0 as SAML supports multiple roles. If no values are selected for SAML user roles, then a value from the Role drop-down is used as a default role.
If you create another Identity and Access Management (IAM) role after setting up the API integration in Okta, the role is not automatically available in Okta. To get this role into Okta, from the Application tab, click More and then Refresh Application Data.
The latest roles download along with profiles and groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. from apps configured for user provisioning. Okta uses this data when creating new users in those apps.Top