Connect Okta to a single AWS instance

This method of getting your AWS integration up and running positions you for a multi-instance integration, if you should require this solution later.

Connecting Okta to an AWS instance to provide SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. into AWS roles for users is a four-step process.

Step 1: Configure Okta as the identity provider in the AWS account


In order to use SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. for AWS, you have to set up Okta as an identity provider in AWS and establish the SAML connection.


  1. From the AWS Console, select Services.
  2. Click Security and Identity Compliance > IAM.

  3. From the left-navigation menu, click Identity Providers.

  4. Click Create Provider.

  5. From the Configure Provider page, do the following:

  6. Click Next.
  7. Click Create.
  8. Locate the identity provider you just created by the Provider Name in the list of Identity Providers.

  9. Click the name and make a copy of the Provider ARN value.

    The copy is needed later during this configuration.

Step 2: Add Okta Identity Provider as a trusted source in your AWS roles


With Okta configured as the identity provider in AWS, you can now create or update existing IAM roles for Okta to retrieve and assign to users. Okta can only provide SSO for your users with roles that have been configured to grant access to the Okta SAML Identity Provider you configured in Step 1: Configure Okta as the identity provider in the AWS account.


To grant SSO access to existing roles in your account:

  1. From the AWS Console, go to Roles and select the desired role for Okta SSO access.
  2. Click the Trust Relationship tab for the desired role and then click Edit Trust Relationship.

  3. Modify the Identity & Access Management (IAM) trust relationship policy to permit SSO into Okta using the SAML IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. you configured in the previous step.
    • If your policy is currently empty, you can copy and paste the policy listed below and replace <COPY & PASTE SAML ARN VALUE HERE> with the Amazon Resource Name (ARN) value you copied from Step 1: Configure Okta as the identity provider in the AWS account.
    • If you have a current trust relationship in place, then you may need to modify your existing policy document to also include Okta SSO access. At minimum, you will need to include everything within the Statement code block — including the configurations for Effect, Principal, Actions, and Conditions. Replace <COPY & PASTE SAML ARN VALUE HERE> with the ARN value you copied from Step 1: Configure Okta as the identity provider in the AWS account.

        "Version": "2012-10-17",
        "Statement": [
              "Effect": "Allow",
              "Principal": {
                  "Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
              "Action": "sts:AssumeRoleWithSAML",
              "Condition": {
                  "StringEquals": {
                      "SAML:aud": ""

To grant SSO access to a new role:

  1. Go to Roles > Create New Role.
  2. Click SAML 2.0 federation.

  3. Select Okta from the SAML provider drop-down list and then select Allow programmatic and AWS Management Console access.

  4. From the Verify role page, click Next.
  5. Select the policy to be assigned to the role for which you're creating end-users and then click Next.

Step 3: Generate the AWS API access key for Okta to download AWS roles


In the AWS master account, you need to create an AWS user with specific permissions so Okta can dynamically fetch a list of available roles from your accounts. This makes assigning users and groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. to specific AWS roles easy and secure for administrators.


  1. From the AWS Console, choose Identity and Access Management (IAM) > Users and then click Add user.

  2. From the Add user page (step 1 view), specify a user name.

    Example: OktaSSOuser

  3. From the Select AWS access type area, select Programmatic access and then click Next Permissions.

  4. From the Add user page (step 2 view), click Attach existing policies directly and then Create policy.

    The Create policy page (step 1 view) opens in a new IAM Management Console browser tab.

  5. Click the JSON tab.

  6. Delete the existing code in the JSON tab and then paste the following code in the tab:

        "Version": "2012-10-17",
        "Statement": [
              "Effect": "Allow",
              "Action": [
              "Resource": "*"
  7. Click Review policy.

  8. From the Create policy page (step 2 view), enter a policy name and description.

    Example policy name: OktaMasterAccountPolicy

  9. Click Create Policy.

    The appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. returns you to the first browser tab where you can continue assigning policies to your IAM user.

  10. Click the first IAM Management Console browser tab.

  11. From the Add user page (step 2 view), ensure that Attach existing policies directly is selected.

  12. Locate and select the policy you just created.

    Use the refresh button to update your search.

  13. Click Next: Tags.

  14. From the Add user page (step 3 view), click Next: Review.

  15. From the Add user page (step 4 view), click Create user.

  16. From the Add user page (step 5 view), make a copy of your access key ID and secret access key.

    The keys are needed in Step 4: Configure the AWS app in Okta to configure the AWS app in Okta.

    This is the only time that you will be able to see and copy these keys.

Step 4: Configure the AWS app in Okta

  1. From the Okta Admin Dashboard, choose Applications > Applications.

  2. Click the Sign On tab for the AWS app and then click Edit.
    1. From the Advanced Sign-On Settings area, select your environment type from the AWS Environment drop-down.

      If your environment type is not listed, you can specify your desired ACS URLACS Endpoint – Assertion Consumer Service URL – often referred to simply as the SP login URL. This is the endpoint provided by the SP where SAML responses are posted. The SP needs to provide this information to the IdP. in the ACS URL field.

    2. Paste in the Identity Provider ARN field the identity provider ARN that you made a copy of earlier.
    3. Specify in the Session Duration field the desired session duration for users.

      • Join all roles: Enables merging all available roles assigned to users.

        If a user is directly assigned Role1 and Role2 (user-to-app assignment), and the user belongs to group GroupAWS with RoleA and RoleB assigned (group-to-app assignment), then:

        • Join all roles OFF: Role1 and Role2 are available upon login to AWS
        • Join all roles ON: Role1, Role2, RoleA, and RoleB are available upon login to AWS
      • Use Group Mapping: Enables the ability to connect Okta to multiple AWS instances using user groups functionality.
    4. Click Save/Next.

  3. Provide API access to Okta in order to download a list of AWS roles to assign during user assignment.

    1. Click the ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. tab for the AWS app and then click Edit.


      The AWS app integration does not support provisioning. This setup under the Provisioning tab is required to provide API access to Okta in order to download a list of AWS roles to assign during user assignment. The AWS app integration enables you to assign multiple roles to users and pass those roles in the SAML assertion.

    2. Click the Enable API Integration check box.

      • If your environment type is listed in the AWS Environment drop-down under the Sign-on tab, you do not need to complete the ACS URL field.

      • If your environment type is not listed in the AWS Environment drop-down, then enter your API URL in the ACS URL field. You may have to contact AWS to learn the API URL for your environment.

    3. In the Access Key and Secret KeyAn Okta-generated string of characters that allows end users to set up (enroll) their mobile device in to Okta Verify. End users enter the Secret Key in the Okta Verify app during the set up process as an alternative to scanning a QR code. fields, enter the keys you made copies of in Step 3: Generate the AWS API access key for Okta to download AWS roles.
    4. Click Test API Credentials to verify API credentials are working.
    5. Click Save.

  4. Scroll down and enable the Create Users feature (but not Update User Attributes).

    You are not creating or updating any users in AWS, but activating parts of the API that enables Okta to retrieve Okta-trusted roles from the AWS account.

  5. Click Next (or Save).

  6. In the Assignments tab, select Assign to People from the Assign drop-down menu.

  7. In the Assign Amazon Web Services to People window, select a user to assign access, select the desired roles for that user, and then click Save and Go Back.

    In this example, two roles are assigned to the test user.


    If you see the attribute IdP and Role Pairs (internal attribute), ignore it. It is an internal attribute and it doesn't affect user assignment.

    With the assignment complete, an AWS app appears on the test user's Okta orgThe Okta container that represents a real-world organization..

  8. Log in to your Okta org as the test user and then click the AWS app.

    The AWS window lists the roles available to the user in Okta.

  9. Select the desired role to use when logging in to AWS.

  10. Ensure that there are no errors and the user is able to log in with the assigned role.

  11. You can return to Okta and assign users and groups, or groups, to the AWS app.