The Okta integration with Amazon Web Services (AWS) enables end users to authenticate to one or more AWS accounts and gain access to specific roles using single sign-on (SSO) with SAML. An Okta admin can download roles from one or more AWS accounts into Okta and assign those accounts to users. An Okta admin can also set the duration of the authenticated AWS session for users who sign in through Okta.
When logging in to AWS, end users choose a desired role from a list of AWS roles assigned to them in one or more AWS accounts. This role defines their permissions for the authenticated session.
The Okta AWS–SAML integration supports IdP-initiated SSO.
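What the role picker and the admin-set session duration described above look like at the protocol level, as an added example that is not code from the Okta page or from Okta: the SAML assertion Okta sends carries AWS's documented IAM federation attributes (Role, RoleSessionName, SessionDuration), and the list of roles the end user chooses from is built from the Role attribute's "role ARN,provider ARN" pairs. The assertion below is constructed for this example (no signature, fictitious account ids, role names and a SAML provider named Okta), and the role maximum of 3600 seconds is AWS's default MaxSessionDuration for a role.

```python
"""Parse the role choices and session duration an AWS SAML assertion carries."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# AWS's documented SAML attribute names for IAM federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")

# Constructed sample assertion: two accounts the user may pick roles in, plus one
# pair whose provider ARN is in a different account than the role (invalid for AWS).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/Okta</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::111111111111:saml-provider/Okta,arn:aws:iam::111111111111:role/Admin</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::222222222222:role/Deploy,arn:aws:iam::222222222222:saml-provider/Okta</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::333333333333:role/Cross,arn:aws:iam::444444444444:saml-provider/Okta</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>7200</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = defaultdict(list)
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            attrs[attr.get("Name")].append((value.text or "").strip())
    return dict(attrs)


def roles_by_account(role_values):
    """Group the offered roles by account id from 'role,provider' pairs.

    AWS accepts the two ARNs in either order, but the role and the SAML provider
    must belong to the same account; pairs that do not are returned as rejected
    so a role picker does not offer a choice AssumeRoleWithSAML would refuse.
    """
    offered, rejected = defaultdict(set), []
    for value in role_values:
        parts = [p.strip() for p in value.split(",")]
        role = next((m for m in map(ROLE_ARN.match, parts) if m), None)
        provider = next((m for m in map(PROVIDER_ARN.match, parts) if m), None)
        if len(parts) != 2 or not role or not provider or role.group(1) != provider.group(1):
            rejected.append(value)
            continue
        offered[role.group(1)].add(role.group(2))
    return {acct: sorted(names) for acct, names in offered.items()}, rejected


def session_duration_ok(seconds, role_max_seconds=3600):
    """AWS accepts SessionDuration from 900 to 43200 seconds, further capped by the
    role's MaxSessionDuration (3600 by default). The value an Okta admin configures
    must fit both, or the federated sign-in fails at AWS."""
    return 900 <= seconds <= min(43200, role_max_seconds)


def summarize(xml_text, role_max_seconds=3600):
    """Everything the role picker needs from one assertion, plus a duration check."""
    attrs = parse_attributes(xml_text)
    offered, rejected = roles_by_account(attrs.get(ROLE_ATTR, []))
    duration = int(attrs.get(SESSION_DURATION_ATTR, ["3600"])[0])
    return {
        "session_name": attrs.get(SESSION_NAME_ATTR, [None])[0],
        "offered": offered,
        "rejected": rejected,
        "duration": duration,
        "duration_ok": session_duration_ok(duration, role_max_seconds),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ASSERTION))
```

The constructed sample asks for a 7200-second session, which AWS rejects for a role left at its default 1-hour MaxSessionDuration and accepts once the role's maximum is raised; that mismatch is the usual cause of a federated sign-in that works in Okta and then fails at AWS. The parser only inspects attributes; nothing here verifies the assertion signature, which AWS does before honouring any of these values.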
Connect Okta to a single AWS instance
This method of getting your AWS integration up and running also positions you for a multi-instance integration, should you require that later.
Connect Okta to multiple AWS instances using groups
This is the preferred method. It has no upper limit on the number of AWS accounts that can be supported. If you have more than 60 accounts, or want to drive app assignment from AD or LDAP groups, use this method.
Access to specific AWS accounts is managed using group assignment, either in Okta or from another system of record such as AD or LDAP. Each time you add an AWS account, you need to create new groups in your system of record that represent the roles your users will be assigned and allowed to access from Okta. In AD or LDAP, you can use nested groups to simplify this process.
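How group membership in a system of record turns into the per-account roles a user can assume, as an added example that is not code from the Okta page or from Okta. The group naming convention `aws#<account alias>#<role name>#<account id>`, the provider name `Okta` and the nested-group data are this example's own assumptions; substitute the group filter and role value pattern you configure in your own app. It also shows why nested groups help: adding a new account means adding one `aws#...` group to an existing team group, with no change to individual user assignments.

```python
"""Derive AWS role choices from aws#... group membership, including nested groups."""
import re

# Assumed naming convention for this example: aws#<account alias>#<role name>#<account id>
GROUP_PATTERN = re.compile(
    r"^aws#(?P<alias>[A-Za-z0-9-]+)#(?P<role>[\w+=.@-]+)#(?P<account>\d{12})$"
)
PROVIDER_NAME = "Okta"  # assumed name of the IAM SAML provider created in every account

# Constructed directory data: parent group -> member groups (AD/LDAP-style nesting).
# Adding account 333333333333 later is one new aws#... group under aws-platform-team.
NESTED_GROUPS = {
    "aws-platform-team": ["aws#prod#ReadOnly#111111111111", "aws#dev#Admin#222222222222"],
    "aws-oncall": ["aws-platform-team", "aws#prod#Deploy#111111111111"],
}


def expand_groups(direct_groups, nested=NESTED_GROUPS):
    """Transitively expand nested membership; cycle-safe via the seen set."""
    seen, stack = set(), list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(nested.get(group, []))
    return seen


def role_values_for(direct_groups, nested=NESTED_GROUPS, provider=PROVIDER_NAME):
    """Return sorted 'role ARN,provider ARN' values, one per aws#... group the user
    belongs to directly or through nesting; groups that do not match the
    convention (team groups, unrelated groups) contribute nothing."""
    values = set()
    for group in expand_groups(direct_groups, nested):
        match = GROUP_PATTERN.match(group)
        if not match:
            continue
        acct, role = match.group("account"), match.group("role")
        values.add(
            f"arn:aws:iam::{acct}:role/{role},arn:aws:iam::{acct}:saml-provider/{provider}"
        )
    return sorted(values)


def accounts_for(direct_groups, nested=NESTED_GROUPS):
    """The AWS accounts that will appear in the user's role picker."""
    accounts = set()
    for group in expand_groups(direct_groups, nested):
        match = GROUP_PATTERN.match(group)
        if match:
            accounts.add(match.group("account"))
    return sorted(accounts)


if __name__ == "__main__":
    for value in role_values_for(["aws-oncall"]):
        print(value)
```

A user in `aws-oncall` inherits the platform team's two roles and adds the on-call deploy role; a user only in `aws-platform-team` sees two accounts but no deploy role. Because the account id is part of the group name, a typo there silently grants nothing, so review new `aws#...` groups against the real account list before assigning them.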
Connect Okta to multiple AWS instances using an API
This method enables you to import AWS roles from your AWS accounts into Okta. There are two functional limitations to consider before choosing this option:
- There is a fixed upper limit of 60 AWS accounts that can be supported. If you have more than 60 accounts, or expect to in the future, we recommend the Connect Okta to multiple AWS instances using groups method. If you do not expect to exceed 60 AWS accounts and want a simplified user assignment process contained entirely within Okta, use this method.
- When you create a new account in AWS, you need to manually re-authenticate with AWS from Okta in order to import the new account. Access to specific accounts is then configured in Okta when assigning the AWS app to an Okta user.
- Connect Okta to a single AWS instance
- Connect Okta to multiple AWS instances using groups
- Connect Okta to multiple AWS instances using an API