Configure AWS accounts and roles for SAML SSO

To exchange authentication and authorization data between Amazon Web Services (AWS) and Okta, you must configure each AWS account for SAML access.

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta. SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated.

  1. Configure Okta as the identity provider for the AWS account. See Configure Okta as the AWS account identity provider.
  2. Add Okta as a trusted source for AWS roles. See Add Okta as a trusted source for AWS roles.

  3. Optional. Repeat steps 1 and 2 to add additional AWS accounts and roles that you want users to access.

    Make sure all of your accounts use the same SAML metadata and have the same name. Accounts with different SAML provider names or metadata documents are not accessible.
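The following is an added example, not Okta's or AWS's own code. It checks the two properties the procedure above depends on: that every account's SAML provider has the same name and the same IdP metadata (same entityID and signing certificate), and that each role's trust policy grants sts:AssumeRoleWithSAML only to that provider's ARN and only for the AWS SAML audience. All account numbers, the provider name "Okta", the entityID and the certificate strings are constructed placeholders; in practice the metadata and trust policies would be fetched per account with iam:GetSAMLProvider and iam:GetRole.

```python
"""Consistency check for a multi-account Okta -> AWS SAML setup (added example)."""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def metadata_fingerprint(metadata_xml: str) -> tuple:
    """Return (entityID, sorted sha256 of each signing cert) from IdP metadata.

    Comparing these instead of raw document bytes ignores whitespace and
    line-wrapping differences but still catches a different Okta app
    (different entityID) or a different signing certificate.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing+encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                der_b64 = "".join(c.text.split())  # drop PEM line breaks/indent
                certs.append(hashlib.sha256(der_b64.encode()).hexdigest())
    return (root.get("entityID"), tuple(sorted(certs)))


def check_providers(providers: list) -> list:
    """providers: dicts with keys account, name, metadata. Returns problems ([] == consistent)."""
    problems, baseline = [], None
    for p in providers:
        fp = (p["name"], metadata_fingerprint(p["metadata"]))
        if baseline is None:
            baseline = fp
        elif fp[0] != baseline[0]:
            problems.append(f"{p['account']}: provider name {fp[0]!r} differs from {baseline[0]!r}")
        elif fp[1] != baseline[1]:
            problems.append(f"{p['account']}: metadata (entityID or signing cert) differs from baseline")
    return problems


def check_trust_policy(account: str, provider_name: str, policy: dict) -> list:
    """Verify the role trust policy allows AssumeRoleWithSAML only from the
    expected saml-provider ARN and only with SAML:aud set to the AWS audience."""
    expected_arn = f"arn:aws:iam::{account}:saml-provider/{provider_name}"
    problems, saml_statements = [], 0
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        saml_statements += 1
        federated = st.get("Principal", {}).get("Federated")  # assumes a single string principal
        if federated != expected_arn:
            problems.append(f"federated principal {federated!r} is not {expected_arn}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append("SAML:aud condition missing or not the AWS SAML audience")
    if saml_statements == 0:
        problems.append("no Allow statement for sts:AssumeRoleWithSAML")
    return problems


def sample_metadata(cert: str) -> str:
    """Constructed, minimal IdP metadata; entityID and cert are placeholders."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="http://www.okta.com/exkEXAMPLEPLACEHOLDER">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo>'
        f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
        '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
    )


# Constructed sample: accounts 3 and 4 violate the "same name, same metadata" rule.
SAMPLE_PROVIDERS = [
    {"account": "111111111111", "name": "Okta", "metadata": sample_metadata("CERT-A")},
    {"account": "222222222222", "name": "Okta", "metadata": sample_metadata("CERT-A")},
    {"account": "333333333333", "name": "OktaSAML", "metadata": sample_metadata("CERT-A")},
    {"account": "444444444444", "name": "Okta", "metadata": sample_metadata("CERT-B")},
]
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
}]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
    "Action": "sts:AssumeRoleWithSAML",  # no SAML:aud condition
}]}

if __name__ == "__main__":
    for line in check_providers(SAMPLE_PROVIDERS):
        print("provider:", line)
    for line in check_trust_policy("111111111111", "Okta", BAD_POLICY):
        print("trust policy:", line)
```

Fingerprinting the entityID and signing certificate rather than hashing the whole document means a metadata file that was re-wrapped or re-indented when uploaded to a second account still compares equal, while a provider pointing at a different Okta app is flagged.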

Next steps
