Enable group-based role mapping in Okta

After importing the Amazon Web Services (AWS) role and management groups into Okta, you need to configure the Okta AWS app to translate AWS role-group membership into role entitlements in the syntax that AWS expects.

  1. On the Okta Admin Console, click Applications.

  2. Enter AWS in the Search field.

  3. Click AWS Account Federation and click the Sign On tab.
  4. Click Edit in the Settings section.
  5. In the Advanced Sign-on Settings area, select the Use Group Mapping check box if it is not selected already.
  6. Complete these fields:

     Group filter expression (default):

     ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$

     This regular expression matches group names that start with aws (lowercase, exactly as written), then #, then any run of non-whitespace text, then #, then the AWS role name (captured as {{role}}), then #, then the AWS account ID (captured as {{accountid}}), with nothing after it.

     You can also use this regular expression:

     aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)

     If you don't use a default expression, create a regular expression that matches only your AWS role groups and captures the AWS role name and the account ID in two distinct named groups, {{role}} and {{accountid}}.

     Field syntax:

     arn:aws:iam::${accountid}:saml-provider/[SAML Provider Name],
     arn:aws:iam::${accountid}:role/${role}

     Replace [SAML Provider Name] with the name of the SAML provider for your AWS accounts (see Enable group-based role mapping in Okta). Copy the rest of the string exactly as shown; the ${accountid} and ${role} placeholders are filled in from the named groups captured by the group filter.

  7. Scroll down and click Save.
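The following is an added example, not Okta's own code, that lets you check a group filter locally before saving it: it translates Okta's (?{{name}}...) capture syntax into Python's (?P<name>...) form (that translation is an assumption made here for testing, not something Okta documents), verifies that both {{role}} and {{accountid}} are present, and applies the two default filters from this page to a few constructed group names, producing the ARN pair that the field syntax above describes. The group names and the SAML provider name "Okta" are constructed sample values.

```python
import re

REQUIRED_GROUPS = {"role", "accountid"}

# Group filters exactly as given on the page.
GROUP_FILTERS = {
    "hash": r"^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$",
    "underscore": r"aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)",
}

# Field syntax from the page; [SAML Provider Name] is replaced per deployment.
ROLE_VALUE_PATTERN = (
    "arn:aws:iam::${accountid}:saml-provider/[SAML Provider Name],"
    "arn:aws:iam::${accountid}:role/${role}"
)


def okta_regex_to_python(pattern: str) -> str:
    """Rewrite Okta's (?{{name}}...) named groups as Python's (?P<name>...).

    Assumption: Okta's {{name}} syntax corresponds to an ordinary named
    capture group; this helper exists only so the page's patterns can be
    exercised with the standard library.
    """
    return re.sub(r"\(\?\{\{(\w+)\}\}", r"(?P<\1>", pattern)


def missing_capture_groups(pattern: str) -> list:
    """Return the required named groups that a filter does not define."""
    compiled = re.compile(okta_regex_to_python(pattern))
    return sorted(REQUIRED_GROUPS - set(compiled.groupindex))


def map_group_to_role_value(group_name: str, pattern: str, saml_provider: str):
    """Apply a group filter to one Okta group name.

    Returns the comma-separated provider/role ARN pair AWS expects, or None
    when the group does not match the filter (i.e. it is not an AWS role group).
    """
    missing = missing_capture_groups(pattern)
    if missing:
        raise ValueError(f"group filter lacks required named groups: {missing}")
    match = re.compile(okta_regex_to_python(pattern)).search(group_name)
    if match is None:
        return None
    template = ROLE_VALUE_PATTERN.replace("[SAML Provider Name]", saml_provider)
    return (template
            .replace("${accountid}", match["accountid"])
            .replace("${role}", match["role"]))


def lint_groups(group_names, pattern, saml_provider):
    """Show which groups would and would not be mapped by a given filter."""
    report = {}
    for name in group_names:
        report[name] = map_group_to_role_value(name, pattern, saml_provider)
    return report


if __name__ == "__main__":
    # Constructed sample group names; 123456789012 is a placeholder account ID.
    sample_groups = [
        "aws#prod#ReadOnly#123456789012",
        "aws_123456789012_AdminRole",
        "aws#prod#ReadOnly",     # no account ID: should not map
        "engineering",           # not an AWS role group
    ]
    for label, pattern in GROUP_FILTERS.items():
        print(f"--- filter: {label}")
        for group, value in lint_groups(sample_groups, pattern, "Okta").items():
            print(f"{group!r:40} -> {value}")
```

Run the block directly to see, for each default filter, which sample groups map and which are silently skipped; a group that should grant access but shows up as None is the usual sign that the filter's separator or character class does not match your naming convention.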
