Configure Okta as the AWS account identity provider

To federate into AWS with SAML, you have to register Okta as a SAML identity provider in your AWS account. AWS accepts SAML assertions only from providers registered this way, and it verifies each assertion's signature against the signing certificate embedded in the metadata document you upload.

  1. Add the AWS app to Okta if it hasn't been added previously:
    1. In the Admin Console, go to Applications > Applications.
    2. Click Add Application.
    3. In the Search for an application field, enter AWS.
    4. Click Add next to AWS Account Federation.
    5. On the General Settings page, accept or edit the default values, then click Next.
    6. In the Sign On Methods section of the Sign-On Options pane, select SAML 2.0.
    7. Click Done.

  2. Download the identity provider metadata file:
    1. In the Admin Console, go to Applications > Applications.
    2. Enter AWS in the Search field.
    3. Click the AWS application that you added in step 1, then click the Sign On tab.
    4. Scroll down to the SAML Signing Certificates section and open the Actions dropdown of the active certificate. If you also need the certificate itself (for example, to compare its fingerprint with the certificate embedded in the metadata), click Download certificate.
    5. Click View IdP metadata. A new tab opens with the metadata XML; right-click the page and choose Save As or Save Page As (the wording depends on your browser). In Firefox, set Save as type to All files so that the page isn't saved as HTML. Save the file with an .xml extension.
    6. Alternatively, if the Sign On tab shows a Settings section with a View Setup Instructions button: click Edit in the Settings section and select SAML 2.0, right-click the Identity Provider metadata link below the View Setup Instructions button, select Save Link As, browse to a location, enter a file name, then click Save.

  3. Sign in to the AWS Management Console.

  4. Go to the Identity and Access Management (IAM) service.

  5. Select Identity Providers in the navigation pane.

  6. Click Add provider.

  7. On the Configure provider page, enter the following:

    • Provider type: Select SAML.

    • Provider name: Enter a name for the provider (for example, Okta).

    • Metadata document: Click Choose file and select the metadata file that you downloaded in step 2.

  8. Click Add provider to save the configuration. AWS uses the signing certificate embedded in this document to verify Okta's SAML assertions; if the Okta signing certificate is later rotated, repeat step 2 and update the provider's metadata document in IAM, otherwise federated sign-in fails.

  9. Locate the identity provider that you created in the list of identity providers and copy its Provider ARN value. It has the form arn:aws:iam::<account-id>:saml-provider/<provider-name>, and the trust policy of every AWS role that Okta may assume references it, so an upcoming configuration step requires this value.

Next steps

Add Okta as a trusted source for AWS roles