Configure the Amazon Web Services Account Federation app in Okta

The Amazon Web Services (AWS) Account Federation app integration doesn't provision users into AWS. The settings under the Provisioning tab exist only to give Okta API access to your AWS accounts so that it can download the list of IAM roles you can assign during user assignment. The integration lets you assign multiple roles to a user and passes all of them in the SAML assertion; the user then picks one of those roles at the AWS sign-in page.

  1. In the Admin Console, go to Applications > Applications.

  2. Enter AWS in the Search field.
  3. Click AWS Account Federation, and then select the Sign On tab.
  4. Click Edit in the Settings section.
  5. In the Advanced Sign-On Settings section, complete these fields:
    • AWS Environment (required for SAML SSO): Select your environment type. If your type is listed, Okta already knows the Assertion Consumer Service (ACS) URL and you can leave the ACS URL field empty. If your type isn't listed, enter the ACS URL for your environment in the ACS URL field.
    • ACS URL (optional, SAML SSO only): Enter the ACS URL only if your environment type wasn't listed in the AWS Environment list.

    • Identity Provider ARN (Required only for SAML SSO): Paste the identity provider ARN that you copied.

    • Session Duration (required only for SAML SSO): Accept the default value, or enter a value. This is the session length Okta requests in the SAML assertion; it can't exceed the maximum session duration configured on the IAM roles that users will assume, or the AWS sign-in for those roles fails.

    • Join all roles: Select this checkbox to include roles assigned through group-to-app assignments as well as roles assigned directly to the user. For example, if a user is directly assigned Role1 and Role2 (user-to-app assignment) and also belongs to group GroupAWS, which is assigned RoleA and RoleB (group-to-app assignment), then:
      • Join all roles off: Role1 and Role2 are available upon sign-in to AWS.
      • Join all roles on: Role1, Role2, RoleA, and RoleB are available upon sign-in to AWS.

    • Use Group Mapping: Select this checkbox to connect Okta to multiple AWS accounts and drive role assignment from Okta group membership.

  6. Click Save.
  7. Select the Provisioning tab, and then click Enable API Integration.
  8. Select the Enable API Integration checkbox, and then complete these fields:
    • API URL (optional): Enter the API URL only if your environment type wasn't listed in the AWS Environment dropdown; if it was listed, leave this field empty. You may have to contact AWS to find out the API URL for your environment.
    • Access Key: Paste the access key ID that you copied.

    • Secret Key: Paste the secret access key that you copied. This is a long-lived credential; keep it scoped to the read-only IAM actions that role listing needs and rotate it like any other service credential.

    • Connected Accounts IDs: Optional. Provide a comma-separated list of your connected account IDs. You can find each ID in the top-left corner of the My Accounts page for that AWS account.

      If you have an AWS instance that was configured to use Amazon AWS IAM role as the Sign On mode and you remove an optional child account from that instance, the role provisioning for that account is removed and an event is generated in the System Log.

  9. Optional. Click Test API Credentials to verify that the API credentials are working.
  10. Click Save.
  11. In the Provisioning to App section, click Edit and select Enable for Create Users and Update User Attributes.
  12. Click Save.
  13. Select the Assignments tab, and then click Assign > Assign to People.
  14. Select a user and click Assign.
  15. Accept the default username, or enter a username.
  16. Select roles, and then click Save and Go Back.

If you see the attribute IdP and Role Pairs (internal attribute), ignore it. It's an internal attribute and doesn't affect user assignment.

  17. Optional. Repeat step 14 to add more users.
  18. Click Done.
  19. Sign in to your Okta org as the test user, and then click the AWS app.
  20. Select a role and click Sign In.
  21. Make sure that there are no errors and that sign-in is successful.
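The steps above rely on three things being consistent on the AWS side before the final sign-in test: every role Okta offers must live in the hub account or one of the Connected Accounts IDs, its trust policy must allow the Identity Provider ARN you pasted to call sts:AssumeRoleWithSAML, and the Session Duration you entered must not exceed the role's maximum session duration. The following Python script, an added example that is not Okta's or AWS's code, runs those checks offline against constructed sample role documents and also shows how the Join all roles setting changes the set of roles, and how each role becomes a "roleArn,idpArn" value of the SAML Role attribute. The ARNs, account IDs, role documents and the hypothetical `IDP_ARN`, `ALLOWED_ACCOUNTS` and `SESSION_DURATION` values are all assumptions; replace them with the values from your own Okta app settings and the output of `aws iam get-role`.

```python
"""
Added example (not Okta's or AWS's code): offline pre-flight checks for IAM roles
that will be offered to users through the Okta AWS Account Federation app.
All ARNs, account IDs and role documents below are constructed sample data.
"""

# Fixed values from the AWS SAML federation contract.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ROLE_ACTION = "sts:AssumeRoleWithSAML"

# Hypothetical values standing in for what you paste into the Okta app.
IDP_ARN = "arn:aws:iam::111111111111:saml-provider/Okta"  # Identity Provider ARN field
ALLOWED_ACCOUNTS = {"111111111111", "222222222222"}        # hub account + Connected Accounts IDs
SESSION_DURATION = 3600                                    # Session Duration field, in seconds


def effective_roles(direct_roles, group_roles, join_all_roles):
    """Roles Okta offers a user at sign-in.

    Join all roles off: only the user-to-app assignment counts.
    Join all roles on:  group-to-app assignments are merged in as well.
    Order is preserved and duplicates are dropped.
    """
    roles = list(direct_roles)
    if join_all_roles:
        roles += [r for r in group_roles if r not in roles]
    return roles


def role_attribute_values(role_arns, idp_arn=IDP_ARN):
    """Values of the https://aws.amazon.com/SAML/Attributes/Role attribute.

    AWS expects one 'roleArn,idpArn' pair per role the user may assume.
    """
    return [f"{role_arn},{idp_arn}" for role_arn in role_arns]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_allows_idp(trust_policy, idp_arn, audience=AWS_SAML_AUDIENCE):
    """True if some Allow statement lets idp_arn call sts:AssumeRoleWithSAML
    and pins SAML:aud to the AWS sign-in endpoint (so another IdP's assertion
    or another audience can't be replayed against this role)."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if ASSUME_ROLE_ACTION not in _as_list(stmt.get("Action")):
            continue
        if idp_arn not in _as_list(stmt.get("Principal", {}).get("Federated")):
            continue
        aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if audience in aud:
            return True
    return False


def check_role(role, idp_arn=IDP_ARN, allowed_accounts=ALLOWED_ACCOUNTS,
               session_duration=SESSION_DURATION):
    """Return a list of problems for one role; an empty list means it is usable."""
    problems = []
    account_id = role["Arn"].split(":")[4]  # arn:aws:iam::ACCOUNT:role/Name
    if account_id not in allowed_accounts:
        problems.append(f"account {account_id} is not the hub account or a Connected Account ID")
    if not trust_policy_allows_idp(role["AssumeRolePolicyDocument"], idp_arn):
        problems.append("trust policy does not allow this IdP via sts:AssumeRoleWithSAML "
                        "with SAML:aud pinned")
    if session_duration > role["MaxSessionDuration"]:
        problems.append(f"Session Duration {session_duration}s exceeds the role's "
                        f"MaxSessionDuration of {role['MaxSessionDuration']}s")
    return problems


# Constructed sample roles, shaped like the Role object returned by `aws iam get-role`.
GOOD_ROLE = {
    "Arn": "arn:aws:iam::111111111111:role/OktaAdmin",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": IDP_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    },
}
BAD_ROLE = {  # wrong account, no SAML trust, max session shorter than requested
    "Arn": "arn:aws:iam::333333333333:role/Legacy",
    "MaxSessionDuration": 900,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
            "Action": "sts:AssumeRole",
        }],
    },
}


def run_checks(roles=(GOOD_ROLE, BAD_ROLE)):
    """Map role ARN -> list of problems, for every role Okta would list."""
    return {role["Arn"]: check_role(role) for role in roles}


if __name__ == "__main__":
    for arn, problems in run_checks().items():
        print(arn, "OK" if not problems else problems)
    print(role_attribute_values(effective_roles(
        ["arn:aws:iam::111111111111:role/OktaAdmin"],
        ["arn:aws:iam::222222222222:role/OktaReadOnly"], join_all_roles=True)))
```

Run it once with the roles that Test API Credentials lists for your accounts; a role that comes back with problems is one the assignment step will happily offer but the final sign-in step will fail on.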