To use SAML (Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP)) with AWS, you have to set up Okta as an identity provider in AWS and establish the SAML connection. In this setup Okta is the IdP and AWS is the SP: in an SP-initiated flow the user requests AWS, AWS obtains an identity assertion from Okta and decides on that basis whether to authorize the user; in an IdP-initiated flow the user clicks the AWS app in Okta, which sends a SAMLResponse to AWS, and AWS establishes a session for the authenticated user.
- Add the AWS app to Okta if it has not been added previously:
- On the Okta Admin Console, click Applications.
- Click Add Application.
- In the Search for an application field, enter AWS.
- Select Add for the AWS Account Federation app.
- In the General Settings page, accept or edit the default values and click Next.
- In the Sign On Methods section of the Sign-On Options pane, select SAML 2.0.
- Click Done.
- Download the identity provider metadata file:
- On the Okta Admin Console, click Applications.
- Enter AWS in the Search field.
- Click the AWS application you added in step 1 and click the Sign On tab.
- Click Edit in the Settings section and select SAML 2.0.
- Right-click the Identity Provider metadata link below the View Setup Instructions button and select Save Link As.
- Browse to a location to save the file, enter a file name, and click Save.
- Sign in to the AWS Management Console and select Services on the top ribbon.
- Go to Security, Identity, & Compliance > IAM.
- In the left navigation menu, click Identity providers.
- Click Create Provider in the right pane.
- On the Configure Provider page, complete these fields:
- Provider Type: Select SAML from the drop-down menu.
- Provider Name: Enter a provider name. For example: Okta.
- Metadata Document: Upload the identity provider metadata file you downloaded from Okta.
- Click Next Step.
- Click Create.
- In the search field, enter the provider name you chose (for example, Okta) and select it.
- Copy the Provider ARN value. You'll need it to complete the configuration on the Okta side. Note that the metadata document carries the Okta signing certificate AWS uses to verify assertions, so if that certificate is rotated in Okta the provider in IAM must be updated with fresh metadata.
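The same provider creation can be done from the AWS CLI instead of the console. The script below is an added example, not part of the Okta documentation: it sanity-checks the downloaded metadata file, creates the IAM SAML provider, prints the Provider ARN, and goes one step beyond the procedure above by creating a role that only Okta-authenticated users can assume. It assumes the AWS CLI is installed and configured with IAM permissions, and the file name `okta-metadata.xml`, the provider name `Okta` and the role name `OktaFederatedAdmin` are placeholders you should replace.

```shell
#!/bin/sh
# Added example (not Okta's or AWS's own code): create the IAM SAML provider
# and a federated role from the CLI. Assumes a configured AWS CLI; the file,
# provider and role names below are example values.
set -eu

PROVIDER_NAME="${PROVIDER_NAME:-Okta}"
ROLE_NAME="${ROLE_NAME:-OktaFederatedAdmin}"
METADATA_FILE="${METADATA_FILE:-okta-metadata.xml}"

# Sanity-check the metadata before uploading it: it must be an IdP
# EntityDescriptor, carry the signing certificate AWS will use to verify
# assertions, and name an SSO endpoint. Returns 0 if it looks right, 1 otherwise.
check_metadata() {
  f="$1"
  grep -q 'EntityDescriptor' "$f" || return 1
  grep -q 'X509Certificate' "$f" || return 1
  grep -q 'SingleSignOnService' "$f" || return 1
  return 0
}

# Build the trust policy for a role assumable only via the SAML provider.
# The SAML:aud condition pins the assertion audience to the AWS sign-in
# endpoint, so an assertion Okta issued for a different SP cannot be replayed
# against this role.
trust_policy() {
  provider_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "${provider_arn}" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF
}

main() {
  if ! check_metadata "$METADATA_FILE"; then
    echo "not a SAML IdP metadata document: $METADATA_FILE" >&2
    exit 1
  fi
  # Create the provider; the ARN it returns is what the Okta side needs later.
  provider_arn=$(aws iam create-saml-provider \
      --name "$PROVIDER_NAME" \
      --saml-metadata-document "file://$METADATA_FILE" \
      --query 'SAMLProviderArn' --output text)
  echo "Provider ARN: $provider_arn"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy "$provider_arn")" >/dev/null
  echo "Created role $ROLE_NAME trusting $provider_arn"
}

# The AWS calls run only when RUN_AWS=1 is set, so the helper functions can be
# exercised without credentials: RUN_AWS=1 ./create-okta-provider.sh
if [ "${RUN_AWS:-0}" = "1" ]; then
  main
fi
```

Attach permission policies to the created role separately; the trust policy only controls who may assume it. To rotate the Okta signing certificate later, re-download the metadata and run `aws iam update-saml-provider` with the Provider ARN rather than creating a second provider.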