This tutorial shows how to configure AWS Single Sign-On (AWS SSO) with Okta as its external identity provider, so that users, groups and their access to AWS accounts are managed from Okta.


Prerequisites:

  • AWS Organizations is already set up, with All features enabled.


The following steps describe the solution architecture:


1. Users authenticate against Okta.

2. Users log on to AWS SSO upon successful authentication with Okta.

3. Users can now assume roles to perform tasks in their AWS accounts using Security Assertion Markup Language (SAML) federation, which AWS SSO manages.


Enable AWS SSO


1. Sign in to the AWS Management Console with your AWS Organizations management account credentials.

2. Open the AWS SSO console.

3. Choose Enable AWS SSO.


Connect to your Okta external identity provider


1. Open the AWS SSO console.

2. Choose Settings.

3. On the Settings page, choose the Identity source tab and then choose Actions > Change identity source.

4. Under Choose identity source, select External identity provider and then choose Next.

5. Under Configure external identity provider, do the following:

             1. Under Identity provider metadata, choose Choose File, locate the IdP metadata file you downloaded from the AWS Single Sign-On app in Okta (Sign On tab, Identity Provider metadata link), and upload it.

             2. Choose Next.

6. After you read the disclaimer and are ready to proceed, enter ACCEPT.

7. Choose Change identity source.


Synchronization of Users and Groups


Enable provisioning in AWS SSO


1. Open the AWS SSO console.

2. Choose Settings in the left navigation pane.

3. On the Settings page, locate the Automatic provisioning information box and then choose Enable. This immediately enables automatic provisioning in AWS SSO and displays the SCIM endpoint and access token. The access token is a bearer credential with full read and write access to the AWS SSO identity store, so handle it as a secret; it expires one year after creation and must be rotated in both consoles before then, or provisioning silently stops.

4. In the Inbound automatic provisioning dialog box, copy each of the values for the following options. You will need to paste these in later when you configure provisioning in your IdP.

 1. SCIM endpoint

 2. Access token

5. Choose Close.


Configure provisioning in Okta


1. In a separate browser window, log in to the Okta admin portal and navigate to the AWS Single Sign-On app.

2. On the AWS Single Sign-On app page, choose the Provisioning tab, and then choose Integration.

3. Choose Configure API Integration, and then select the check box next to Enable API integration to enable provisioning.

4. Paste the SCIM endpoint value you copied from AWS SSO into the Base URL field in Okta, removing the trailing forward slash from the end of the URL. Paste the Access token value you copied from AWS SSO into the API Token field in Okta.

5. Choose Test API Credentials to verify the credentials entered are valid.

6. Choose Save.

7. Under Settings, choose To App, choose Edit, and then select the Enable check box for each of the Provisioning Features you want to enable.

8. Choose Save.
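Okta's Test API Credentials button is the only feedback this procedure gives you on the endpoint and token copied from AWS SSO. The script below reproduces that check from the command line so the values can be verified (and the trailing-slash mistake caught) before they are pasted into Okta; it is an added example serving both the AWS SSO and the Okta provisioning steps above, not code from the tutorial or from either vendor. SCIM_ENDPOINT and ACCESS_TOKEN are placeholders in the shape AWS SSO displays them, and the HTTP transport is injectable so the logic can be exercised offline.

```python
"""Command-line equivalent of Okta's 'Test API Credentials' for the AWS SSO
SCIM endpoint.

Added example (not from the tutorial). SCIM_ENDPOINT and ACCESS_TOKEN are
placeholders; the `transport` argument lets the request logic run offline.
"""
import json
import urllib.error
import urllib.request

# Placeholders. AWS SSO shows the endpoint *with* a trailing slash, which Okta
# must not receive.
SCIM_ENDPOINT = "https://scim.us-east-1.amazonaws.com/AbCdEf123/scim/v2/"
ACCESS_TOKEN = "PLACEHOLDER-ACCESS-TOKEN"


def normalize_scim_base_url(endpoint):
    """Strip the trailing '/', and refuse anything that is not https: the
    bearer token travels in a request header."""
    url = endpoint.strip()
    if not url.startswith("https://"):
        raise ValueError("SCIM endpoint must be https")
    return url.rstrip("/")


def build_scim_request(endpoint, token, path):
    """Authenticated SCIM GET request for `path` under the normalized base URL."""
    url = normalize_scim_base_url(endpoint) + "/" + path.lstrip("/")
    return urllib.request.Request(
        url,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/scim+json"},
    )


def _send(req):
    """Default transport: real HTTP. Returns (status, decoded JSON body)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def check_api_credentials(endpoint, token, transport=_send):
    """One authenticated read of /ServiceProviderConfig: the cheapest call that
    proves both the base URL and the token are right."""
    req = build_scim_request(endpoint, token, "/ServiceProviderConfig")
    status, body = transport(req)
    verdict = {
        200: "ok",
        401: "token rejected: expired, revoked, or pasted with stray whitespace",
        404: "wrong base URL: check the tenant path",
    }.get(status, "unexpected status")
    return {
        "url": req.full_url,
        "status": status,
        "verdict": verdict,
        "patch_supported": body.get("patch", {}).get("supported"),
    }


if __name__ == "__main__":
    print(json.dumps(check_api_credentials(SCIM_ENDPOINT, ACCESS_TOKEN), indent=2))
```

With real values, a 200 with `patch_supported` true means Okta's own test will pass; a 401 a few months after setup usually means the one-year access token has expired and must be regenerated in AWS SSO and updated in Okta.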


Assign access for users and groups in Okta


Use the following procedures in Okta to assign access to your users and groups. Okta users who belong to groups that you assign here are synchronized automatically to AWS SSO. To minimize administrative overhead in both Okta and AWS SSO, we recommend that you assign and push groups instead of individual users.


After you complete this step and the first synchronization with SCIM is completed, the users and groups that you have assigned appear in AWS SSO. Those users are able to access the AWS SSO user portal using their Okta credentials.


To assign access to users


1. On the AWS Single Sign-On app page, choose the Assignments tab.

2. On the Assignments page, choose Assign and then choose Assign to People.

3. Choose the Okta user or users to whom you want to assign access to the AWS Single Sign-On app. Choose Assign, choose Save and Go Back, and then choose Done. This starts the process of provisioning the user or users into AWS SSO.


To assign access to groups


1. On the AWS Single Sign-On app page, choose the Assignments tab.

2. On the Assignments page, choose Assign and then choose Assign to Groups.

3. Choose the Okta group or groups that you want to assign access to the AWS Single Sign-On app. Choose Assign, choose Save and Go Back, and then choose Done. This starts the process of provisioning the users in the group into AWS SSO.

4. Choose the Push Groups tab. Choose the Okta group or groups that you chose in the previous step.

5. Then choose Save. The group status changes to Active after the group and its members have successfully been pushed to AWS SSO.


Create a permission set (using PowerUserAccess job function policy)


1. Open the AWS SSO console.

2. Choose AWS accounts.

3. On the Permission sets tab, choose Create permission set.

4. On the Create new permission set page, select the Use an existing job function policy option, select the PowerUserAccess job function policy, and choose Create. PowerUserAccess is an AWS managed policy that allows every action except IAM, Organizations and Account management; it is convenient for a first test, but permission sets for production groups should be scoped to the services each group actually needs.
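To see concretely what the PowerUserAccess permission set lets a synchronized Okta user do, the script below evaluates individual actions against the policy's statements. It is an added example, not part of the tutorial: the evaluator handles only Action/NotAction statements on Resource "*" (no conditions or resource ARNs), and the policy text is a transcription of the AWS managed PowerUserAccess policy that should be confirmed against the live version (for example with `aws iam get-policy-version`) before being relied on.

```python
"""What does the PowerUserAccess permission set actually grant?

Added example (not from the tutorial): a minimal evaluator for identity-based
policy statements with Action/NotAction on Resource "*", applied to a
transcription of the AWS managed PowerUserAccess policy. Conditions and
resource ARNs are deliberately not modelled; check the live policy before
relying on this snapshot.
"""
import fnmatch

POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization",
                    "account:ListRegions", "account:GetAccountInformation"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/NotAction."""
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """True if the statement's Action/NotAction element covers this action."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list.
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def is_allowed(policy, action):
    """IAM evaluation order: an explicit Deny wins, then any Allow, otherwise
    the action is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def scope_report(policy, actions):
    """Map each action to whether the policy allows it."""
    return {a: is_allowed(policy, a) for a in actions}


if __name__ == "__main__":
    sample_actions = [
        "s3:PutObject", "ec2:TerminateInstances", "sts:AssumeRole",
        "iam:CreateUser", "iam:CreateServiceLinkedRole",
        "organizations:CreateAccount", "account:ListRegions",
    ]
    for action, ok in scope_report(POWER_USER_ACCESS, sample_actions).items():
        print("%-5s %s" % ("ALLOW" if ok else "DENY", action))
```

The report makes the trade-off visible: a PowerUserAccess group can terminate instances, delete buckets and assume any role it is trusted for, but cannot create IAM users or new member accounts. If that is wider than a group needs, create a custom permission set instead and keep PowerUserAccess for a small, audited set of administrators.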


Assign access to Okta groups


1. Open the AWS SSO console.

2. Choose AWS accounts.

3. On the AWS organization tab, under AWS account, select one or more accounts and then choose Assign users.

4. On the Select users or groups page, choose the Groups tab, select the group to assign to the AWS account, and then choose Next: Permission sets.

5. On the Select permission sets page, select the PowerUserAccess permission set, and choose Finish.

6. On the Complete page, choose Proceed to AWS accounts.



Credits: