Add Okta as a trusted source for AWS roles

After you configure Okta as the Amazon Web Services (AWS) account identity provider, you create or update existing IAM roles for Okta to retrieve and assign to users. Okta can only provide single sign-on (SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.) for users with roles that have been configured to grant access to the Okta SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. identity provider you configured in Add Okta as a trusted source for AWS roles.

  1. On the AWS Management Console, click Roles in the left pane.
  2. Click Create New Role.
  3. Click SAML 2.0 federation.
  4. Select Okta from the SAML provider drop-down list and then select Allow programmatic and AWS Management Console access.
  5. Click Next: Permissions.
  6. Select a permissions policy and click Next: Tags.
  7. Optional. Add descriptive tags for the role and click Next: Review.
  8. Enter a role name in the Role name field, add an optional description for the role, and click Create Role.
  9. Click the role name you created, click the Trust Relationship tab and then click Edit trust relationship.
  10. Select one of these options to permit Generate the AWS API access key SSO:
    • If the policy document is empty, you can copy and paste the provided policy and replace <COPY & PASTE SAML ARN VALUE HERE> with the Amazon Resource Name (ARN) value you copied from Add Okta as a trusted source for AWS roles.


"Version": "2012-10-17",

"Statement": [


"Effect": "Allow",

"Principal": {



"Action": "sts:AssumeRoleWithSAML",

"Condition": {

"StringEquals": {

"SAML:aud": ""






    • Modify your existing policy document to include Generate the AWS API access key SSO access. You need to include everything within the Statement code block — including the configurations for Effect, Principal, Actions, and Conditions. Replace <COPY & PASTE SAML ARN VALUE HERE> with the ARN value you copied when you completed Add Okta as a trusted source for AWS roles.

  1. Click Update Trust Policy.

Next steps