Configure Okta as the AWS account identity provider

To use SAML for AWS, you have to set up Okta as an identity provider in AWS and establish the SAML connection.

  1. Add the AWS Account Federation app to Okta if it hasn't been added previously:
    1. In the Admin Console, go to Applications > Applications.
    2. Click Browse App Catalog.
    3. Search the catalog for AWS Account Federation. Select it and click Add Integration.
    4. Configure your general settings, and then click Next.
    5. Select SAML 2.0 from the Sign on methods section.
    6. Click Done.
  2. View and download the identity provider (IdP) metadata:
    1. In the Admin Console, go to Applications > Applications.
    2. Search for your AWS Account Federation app instance and select it.
    3. Go to the Sign On tab.
    4. Click Edit in the Settings section, and then select SAML 2.0.
    5. Click Copy to copy the metadata URL.
    6. Open a new tab, and then paste the URL in the address bar.
    7. Right-click on the metadata page and choose Save as... or Save Page As (depending on your browser). If you're using Firefox, set the Save as type to All files. The metadata is stored as an .xml file.
    8. Choose a location to save the file, enter a file name, and then click Save.
    9. Optional. Get a copy of the active certificate. From the SAML Signing Certificates section, click the Actions dropdown menu of the active certificate and select Download certificate.
  3. Sign in to the AWS Management Console.

  4. Go to Identity and Access Management (IAM).

  5. Select Identity providers in the menu bar.

  6. Click Add provider.

  7. Enter the following in the Configure provider section:

    • Provider type: Select SAML.

    • Provider name: Enter a name for the provider (for example, Okta).

    • Metadata document: Click Choose file and select the metadata file that you created in step 2.

  8. Click Add provider.

  9. Click View provider in the notification banner or select the provider from the list of available identity providers. Copy the provider's ARN value. An upcoming configuration step requires this value.

Next steps

Add Okta as a trusted source for AWS roles