Configure the Amazon Web Services app in Okta
The Amazon Web Services (AWS) app integration does not support user provisioning. The settings under the Provisioning tab are required only to give Okta API access to AWS so that it can download the list of AWS roles that you assign during user assignment. The AWS app integration lets you assign multiple roles to a user and pass those roles in the SAML assertion.
- On the Okta Admin Console, click Applications.
- Enter AWS in the Search field.
- Click AWS Account Federation and click the Sign On tab.
- Click Edit in the Settings section.
- In the Advanced Sign-On Settings area, complete these fields:
  - AWS Environment (required for SAML SSO): Select your environment type.
  - ACS URL (optional, SAML SSO only): If your environment type isn't listed under AWS Environment, enter the Assertion Consumer Service URL, the AWS endpoint to which SAML responses are posted.
  - Identity Provider ARN (required for SAML SSO only): Paste the identity provider ARN that you copied from AWS.
  - Session Duration (required for SAML SSO only): Accept the default value or enter a value.
  - Join all roles: Select this check box to pass both directly assigned and group-assigned roles to AWS. For example, if a user is directly assigned Role1 and Role2 (user-to-app assignment) and also belongs to group GroupAWS, which has RoleA and RoleB assigned (group-to-app assignment):
    - Join all roles cleared: Role1 and Role2 are available upon sign-in to AWS.
    - Join all roles selected: Role1, Role2, RoleA, and RoleB are available upon sign-in to AWS.
  - Use Group Mapping: Select this check box to connect Okta to multiple AWS instances using group membership.
- Click Save.
- Click the Provisioning tab and then click Enable API Integration.
- Select the Enable API Integration check box and complete these fields:
  - API URL (optional): Enter the API URL.
  - Access Key: Paste the access key ID you copied from AWS.
  - Secret Key: Paste the secret access key you copied from AWS.
  - Connected Accounts IDs (optional): Enter the IDs of the connected AWS accounts.
- Optional. Click Test API Credentials to verify API credentials are working.
- Click Save.
- In the Provisioning to App section, click Edit and select the Enable check box for Create Users.
- Click Save.
- Click the Assignments tab, click Assign > Assign to People.
- Select a user, click Assign, accept the default user name, or enter a user name, select roles, and then click Save and Go Back.
  If you see the attribute IdP and Role Pairs (internal attribute), ignore it. It is an internal attribute and doesn't affect user assignment.
- Optional. Repeat the previous step to add more users.
- Click Done.
- Sign in to your Okta org as the test user and then click the AWS app.
- Select a role and click Sign In.
- Confirm that there are no errors and that sign-in to AWS succeeds.
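The role handling this procedure configures, as an added example that is not Okta's or AWS's own code: it models the Join all roles rule from the Advanced Sign-On Settings, builds the role/identity-provider pairs that the SAML assertion carries to AWS, and checks those pairs the way you would when a role is missing from the Sign In list. The attribute names come from AWS's SAML documentation rather than from this page; the account ID, the saml-provider ARN and the assertion itself are constructed sample values.

```python
"""Added example (not Okta's or AWS's own code): models how roles assigned
in Okta end up as role/IdP pairs in the SAML assertion sent to AWS, and
checks those pairs before trusting the integration."""
import xml.etree.ElementTree as ET

# AWS's documented SAML attribute names; the page does not spell them out.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample values; substitute your own account and provider ARN.
ACCOUNT_ID = "123456789012"
IDP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"


def effective_roles(direct_roles, group_roles, join_all_roles):
    """Roles offered at AWS sign-in, per the Join all roles rule on the page:
    cleared -> only user-to-app roles; selected -> union with group-to-app roles."""
    roles = set(direct_roles)
    if join_all_roles:
        roles |= set(group_roles)
    return sorted(roles)


def role_pairs(role_names, account_id, idp_arn):
    """One 'role ARN,saml-provider ARN' string per role, the format AWS expects."""
    return [f"arn:aws:iam::{account_id}:role/{name},{idp_arn}" for name in role_names]


def build_assertion(pairs, session_duration=3600):
    """Construct a minimal AttributeStatement like the one the AWS app emits
    (unsigned, no Subject or Conditions: enough to exercise the parser below)."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    role_attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR)
    for pair in pairs:
        ET.SubElement(role_attr, f"{{{SAML_NS}}}AttributeValue").text = pair
    dur_attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SESSION_ATTR)
    ET.SubElement(dur_attr, f"{{{SAML_NS}}}AttributeValue").text = str(session_duration)
    return ET.tostring(root, encoding="unicode")


def parse_role_pairs(assertion_xml):
    """Pull every Role attribute value out of an assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    values = []
    for attr in root.iterfind(".//saml:Attribute", ns):
        if attr.get("Name") == ROLE_ATTR:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", ns))
    return values


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def check_pair(pair):
    """Problems with one Role value ([] means it is well formed). AWS accepts the
    two ARNs in either order, so they are identified by type, not position."""
    parts = [p.strip() for p in pair.split(",")]
    if len(parts) != 2:
        return ["expected exactly two comma-separated ARNs"]
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    problems = []
    if len(roles) != 1:
        problems.append("expected exactly one IAM role ARN")
    if len(providers) != 1:
        problems.append("expected exactly one saml-provider ARN")
    if problems:
        return problems
    if _account_of(roles[0]) is None or _account_of(roles[0]) != _account_of(providers[0]):
        problems.append("role and SAML provider are in different AWS accounts")
    return problems


def audit_assertion(assertion_xml):
    """Map each Role value in the assertion to its list of problems."""
    return {pair: check_pair(pair) for pair in parse_role_pairs(assertion_xml)}


if __name__ == "__main__":
    roles = effective_roles(["Role1", "Role2"], ["RoleA", "RoleB"], join_all_roles=True)
    xml = build_assertion(role_pairs(roles, ACCOUNT_ID, IDP_ARN))
    for pair, problems in audit_assertion(xml).items():
        print(pair, "OK" if not problems else problems)
```

If a role you assigned in Okta does not appear at AWS sign-in, the two checks worth running first are the ones this script encodes: whether the role is a group-to-app assignment with Join all roles cleared, and whether the role ARN and the saml-provider ARN in the pair belong to the same AWS account, since AWS refuses a pair that crosses accounts.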