Configure the Amazon Web Services Account Federation app in Okta
The Amazon Web Services (AWS) app integration does not support provisioning. This setup under the Provisioning tab is required to provide API access to Okta in order to download a list of AWS roles to assign during user assignment. The AWS app integration enables you to assign multiple roles to users and pass those roles in the SAML assertion.
In the Admin Console, go to Applications > Applications.
- Enter AWS in the Search field.
- Click AWS Account Federation and click the Sign On tab.
- Click Edit in the Settings section.
- In the Advanced Sign-On Settings area, complete these fields:
- AWS Environment (Required for SAML SSO): Select your environment type. If your environment type is not listed, you can set your desired ACS URL in the ACS URL field. The ACS URL field is optional; if your environment type is listed, you do not need to enter your ACS URL.
ACS URL (optional & only relevant to SAML SSO): If your environment type was not listed in the AWS Environment list, enter the ACS URL.
Identity Provider ARN (Required only for SAML SSO): Paste the identity provider ARN you copied.
Session Duration (Required only for SAML SSO): Accept the default value, or enter a value.
Join all roles: Select this check box to make AWS SAML use all roles. If a user is directly assigned Role1 and Role2 (user-to-app assignment), and the user belongs to group GroupAWS with RoleA and RoleB assigned (group-to-app assignment), then Join all roles OFF: Role1 and Role2 are available upon login to AWS Join all roles ON: Role1, Role2, RoleA, and RoleB are available upon login to AWS.
- Use Group Mapping: Select this check box to connect Okta to multiple AWS instances using user groups functionality.
- Click the Provisioning tab and then click Enable API Integration.
- Select the Enable API Integration check box and complete these fields:
- API URL (optional): Optional. Enter the API URL. If your Environment Type was listed, you do not need to fill out this field. If your Environment Type was not listed in the dropdown, enter your API URL here. You may have to contact AWS to find out the API URL for your environment.
Access Key: Paste the access key you copied.
Secret Key: Paste the access key you copied.
Connected Accounts IDs (optional): Optional. Provide a comma-separated list of all of the IDs of your connected accounts. You can find this in each AWS account from the My Accounts page in the top-left hand corner of the AWS Console.
Note: If you have an AWS instance that was configured to use the Amazon AWS IAM role as the Sign On mode, and remove an optional child account from that instance, their role provisioning will be removed and an event will be generated in the System Log.
- Optional. Click Test API Credentials to verify API credentials are working.
- In the Provisioning to App section, click Edit and select the Enable check box for Create Users and Update User Attributes.
- Click the Assignments tab, click Assign > Assign to People.
- Select a user, click Assign, accept the default user name, or enter a user name, select roles, and then click Save and Go Back.
If you see the attribute IdP and Role Pairs (internal attribute), ignore it. It is an internal attribute and it doesn't affect user assignment.
- Optional. Repeat step 14 to add additional users.
- Click Done.
- Log in to your Okta org as the test user and then click the AWS app.
- Select a role and click Sign In.
- Make sure there are no errors and sign in is successful.