About integrating multiple AWS instances

This diagram illustrates the workflow you follow when you connect multiple Amazon Web Services (AWS) instances to Okta:

Set up AWS for SAML

Each AWS account must be configured for SAML access in order to exchange authentication and authorization data between AWS and Okta. This requires adding Okta as a trusted IdP to your AWS account and then creating a trust relationship for each role that permits access using the new IdP. These same steps provide SAML SSO in a single AWS account, but must be performed across all of your AWS accounts. For advanced organizations, this setup can be automated with AWS CloudFormation or AWS API scripts for simple SAML setup in each account.

Create a management layer of groups in an external directory

Once SAML is configured, create AWS role groups in an external directory for each role and account you want users to be able to access using Okta. This can be completed using a script between AWS and an external directory, by exporting a CSV file to an external directory and scripting against the CSV file on the external directory side, or manually.

Next, create a link between the AWS role-specific groups and other external-directory groups by assigning management groups as Members Of the AWS role groups to which you want to grant them access. Assign users to the management groups to allow access to all of the AWS roles and accounts for which the management group is a member.

Configure the AWS app in Okta for group-based role assignment

In Okta, import both the external-directory management groups and role groups using the appropriate Okta external agent.

Next, assign your management groups to the AWS application you set up earlier. This assigns the proper users to the AWS app.

Lastly, set up group-based role assignment to translate the names of each of your AWS role groups into a format that AWS can consume in order to list user roles in the Role Picker Page.
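The two pieces of the procedure that are easiest to get wrong are the per-role trust relationship (step 1) and the translation of role-group names into the value AWS expects (step 3). The following script is an added example, not Okta's or AWS's own code; it generates a role trust policy that only the Okta SAML provider can use, and it converts group names into the `provider-arn,role-arn` pairs AWS reads from the SAML Role attribute. The `aws#<account alias>#<role>#<account id>` group naming convention and the provider name `Okta` are assumptions of this example.

```python
import json
import re
from typing import List

# Assumed group naming convention (not from the page):
#   aws#<account alias>#<role name>#<12-digit account id>
GROUP_RE = re.compile(r"^aws#(?P<alias>[\w-]+)#(?P<role>[\w+=.@-]+)#(?P<account>\d{12})$")


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for an IAM role so that only the named SAML provider (Okta)
    can assume it. The SAML:aud condition ties the assertion to the AWS
    sign-in endpoint, so an assertion issued for another audience is rejected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def role_attribute_values(group_names: List[str], provider_name: str) -> List[str]:
    """Translate AWS role groups into the 'provider-arn,role-arn' pairs AWS expects
    in the https://aws.amazon.com/SAML/Attributes/Role assertion attribute.
    Groups that do not match the convention (management groups, typos, a
    non-12-digit account id) are skipped, so they never become selectable roles."""
    values = []
    for name in group_names:
        m = GROUP_RE.match(name)
        if not m:
            continue
        acct, role = m.group("account"), m.group("role")
        values.append(f"arn:aws:iam::{acct}:saml-provider/{provider_name},arn:aws:iam::{acct}:role/{role}")
    return values


if __name__ == "__main__":
    # Constructed sample: two role groups in two accounts plus one management group.
    groups = ["aws#prod#ReadOnly#111111111111", "aws#dev#Admin#222222222222", "CloudTeam-Managers"]
    print(json.dumps(saml_trust_policy("111111111111", "Okta"), indent=2))
    for value in role_attribute_values(groups, "Okta"):
        print(value)
```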