About integrating multiple AWS instances

This diagram illustrates the workflow you follow when you connect multiple Amazon Web Services (AWS) instances to Okta:

Set up AWS for SAML

Each AWS account must be configured for SAML access so that authentication and authorization data can be exchanged between AWS and Okta. This requires adding Okta as a trusted IdP to your AWS account and then creating a trust relationship for each role that permits access using the new IdP. These are the same steps that provide SAML SSO in a single AWS account, but they must be performed in every one of your AWS accounts. For advanced organizations, this setup can be automated with AWS CloudFormation or AWS API scripts, so that the SAML setup is repeated consistently in each account.

Create a management layer of groups in an external directory

Once SAML is configured, create an AWS role group in your external directory for each role and account combination that users should be able to access through Okta. You can do this with a script that reads roles from AWS and creates the groups in the external directory, by exporting a CSV file of the roles and scripting against it on the external-directory side, or manually.

Next, create a link between the AWS role-specific groups and other external-directory groups by assigning management groups as Members Of the AWS role groups to which you want to grant them access. Assign users to the management groups to give them access to all of the AWS roles and accounts of which the management group is a member.

Configure the AWS app in Okta for group-based role assignment

In Okta, import both the external-directory management groups and role groups using the appropriate Okta external agent.

Next, assign your management groups to the AWS application you set up earlier. This assigns the proper users to the AWS app.

Lastly, set up group-based role assignment to translate the name of each of your AWS role groups into a format that AWS can consume, so that the user's roles are listed on the Role Picker page.
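The following is an added example, not code from this page or from Okta, that covers the two scripted pieces of this procedure: the per-role trust relationship from "Set up AWS for SAML" and the group-name translation from the last step. It assumes a group-naming convention of `aws#<account-alias>#<role-name>#<12-digit-account-id>` and an IAM SAML provider named `Okta` in each account; both are assumptions, not values given on this page.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumed group-naming convention (not specified on this page):
#   aws#<account-alias>#<role-name>#<12-digit-account-id>
GROUP_PATTERN = re.compile(r"^aws#(?P<alias>[\w-]+)#(?P<role>[\w+=.@-]+)#(?P<account>\d{12})$")
SAML_PROVIDER_NAME = "Okta"  # assumed name of the IAM SAML provider created in each account
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion


def group_to_role_value(group_name: str) -> Optional[str]:
    """Translate a directory group name into the 'provider-arn,role-arn' pair that AWS
    reads from the SAML Role attribute. Groups that do not follow the convention
    (management groups, malformed account ids) yield None so they are never mapped."""
    m = GROUP_PATTERN.match(group_name)
    if not m:
        return None
    account, role = m["account"], m["role"]
    return (f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME},"
            f"arn:aws:iam::{account}:role/{role}")


def trust_policy(account_id: str) -> dict:
    """Trust relationship for one role: only this account's Okta SAML provider may assume
    it, and only with an assertion addressed to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_values_for_groups(groups: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Map every conforming group to its AWS role value and report the rest for review."""
    mapped, skipped = {}, []
    for g in groups:
        value = group_to_role_value(g)
        if value:
            mapped[g] = value
        else:
            skipped.append(g)
    return mapped, skipped


SAMPLE_GROUPS = [  # constructed sample groups, not real accounts
    "aws#prod#ReadOnly#111111111111",
    "aws#dev#Admin#222222222222",
    "aws#dev#Admin#22222",  # malformed account id: must be rejected
    "finance-team",         # management group, not a role group
]

if __name__ == "__main__":
    mapped, skipped = role_values_for_groups(SAMPLE_GROUPS)
    for group, value in mapped.items():
        print(f"{group} -> {value}")
    print("skipped:", skipped)
    print(json.dumps(trust_policy("111111111111"), indent=2))
```

Run the script once per account, or feed `trust_policy()` output to your CloudFormation or API automation, so every role in every account carries the same trust relationship.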