Configure the Amazon Web Services app in Okta

The Amazon Web Services (AWS) app integration does not support provisioning. This setup under the Provisioning tab is required to provide API access to Okta in order to download a list of AWS roles to assign during user assignment. The AWS app integration enables you to assign multiple roles to users and pass those roles in the SAML assertion.

  1. In the Admin Console, go to Applications > Applications.

  2. Enter AWS in the Search field.
  3. Click AWS Account Federation and click the Sign On tab.
  4. Click Edit in the Settings section.
  5. In the Advanced Sign-On Settings area, complete these fields:
    • AWS Environment (Required for SAML SSO): Select your environment type.
    • ACS URL (optional & only relevant to SAML SSO): If your environment type was not listed in the AWS Environment list, enter the ACS URL.

    • Identity Provider ARN (Required only for SAML SSO): Paste the identity provider ARN you copied.

    • Session Duration (Required only for SAML SSO): Accept the default value, or enter a value.

    • Join all roles: Select this check box to make AWS SAML use all roles. If a user is directly assigned Role1 and Role2 (user-to-app assignment), and the user belongs to group GroupAWS with RoleA and RoleB assigned (group-to-app assignment), then Join all roles OFF: Role1 and Role2 are available upon login to AWS Join all roles ON: Role1, Role2, RoleA, and RoleB are available upon login to AWS.

    • Use Group Mapping: Select this check box to connect Okta to multiple AWS instances using user groups functionality.

  1. Click Save.

  2. Click the Provisioning tab and then click Enable API Integration.
  3. Select the Enable API Integration check box and complete these fields:
    • API URL (optional): Optional. Enter the API URL.
    • Access Key: Paste the access key you copied.

    • Secret Key: Paste the access key you copied.

    • Connected Accounts IDs (optional): Optional. Enter the connected account IDs.

  1. Optional. Click Test API Credentials to verify API credentials are working.
  2. Click Save.

  3. In the Provisioning to App section, click Edit and select the Enable check box for Create Users.
  4. Click Save.

  5. Click the Assignments tab, click Assign > Assign to People.
  6. Select a user, click Assign, accept the default user name, or enter a user name, select roles, and then click Save and Go Back.

If you see the attribute IdP and Role Pairs (internal attribute), ignore it. It is an internal attribute and it doesn't affect user assignment.

  1. Optional. Repeat step 15 to add additional users.
  2. Click Done.
  3. Log in to your Okta org as the test user and then click the AWS app.
  4. Select a role and click Sign In.
  5. Make sure there are no errors and sign in is successful.