Federated Identity: Okta and AWS SSO
aws | iam |
Intro
In this post I’ll go through the steps required to set up Okta as an external Identity Provider (IdP) for AWS SSO, and enable automated user and group provisioning.
There is an excellent AWS blog article describing this process, in case you want to stop reading this one.
One thing I’ve done differently was to also provision groups, so that permission sets can be assigned to them, rather than individual users - more details here.
Okta - Initial steps
I switched to the Classic UI, then searched for AWS Single sign-on in the list of applications.
Add the AWS Single sign-on app
I added the application using Applications -> Add Application.
Download the Identity Provider metadata
I saved the metadata file using the Identity Provider metadata link, as it is required later in the process.
AWS - Enable AWS SSO
I enabled AWS SSO.
AWS - Configure External Identity Provider
Next, I changed the identity source from AWS SSO to External Identity Provider.
I noted the values in the Service provider metadata section.
IdP SAML metadata: I uploaded the metadata file downloaded from Okta in a previous step.
Okta - Sign-on config
I updated the AWS SSO ACS URL and AWS SSO issuer URL fields using the values obtained during the External identity provider setup in AWS SSO.
Automatic Provisioning
AWS - Enable Automatic Provisioning
I noted down the SCIM endpoint (remove the trailing /) and the Access token.
Okta - Enable Automatic Provisioning
I set the values below, tested them using Test API Credentials, and saved the changes.
Base URL: the SCIM endpoint
API Token: Access token
Assign app to group
I assigned the app to an existing group with one user.
Assign app to an existing group
Check user in AWS SSO
The Okta user was provisioned in AWS SSO.
Okta - Configure group
The Okta group was not provisioned in AWS SSO.
Some more configuration is required in the Push Groups tab of the AWS Single Sign-on application in Okta.
AWS - Check group
The group was now present in AWS SSO.
Assign the permission set to an AWS account
I assigned a permission set following the steps used before.
Log into AWS with the Okta user
Okta
When logging into Okta with a user belonging to the group I had configured, I could see the AWS Single Sign-on app.
Single Sign-On
After clicking the app, the following page loads, where I could choose the AWS account, and the method to access it: AWS Console or CLI.
AWS Console
I successfully repeated the steps described in the Accessing AWS accounts using AWS SSO post.
AWS CLI
I did the same for the CLI.
AWS CLI - aws configure sso
This is only available in AWS CLI version 2 as described in the user guide.
It’s an alternative to configuring CLI access using export commands.
aws configure sso
SSO start URL [None]: https://d-936702831c.awsapps.com/start
SSO Region [None]: eu-west-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.eu-west-1.amazonaws.com/
Then enter the code:
<code-placeholder>
The only AWS account available to you is: <account-placeholder>
Using the account ID <account-placeholder>
The only role available to you is: ViewOnlyAccess
Using the role name "ViewOnlyAccess"
CLI default client Region [None]: eu-west-1
CLI default output format [None]: json
CLI profile name [ViewOnlyAccess-<account-placeholder>]: okta
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile okta
I executed AWS_PROFILE=okta aws sts get-caller-identity successfully, which returned:
...
"Arn": "arn:aws:sts::<account-placeholder>:assumed-role/AWSReservedSSO_ViewOnlyAccess_<placeholder>/<email-placeholder>"
...
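As an added example (not from the original post), here is a POSIX shell check that the ARN returned by aws sts get-caller-identity really belongs to an AWS SSO permission set (the AWSReservedSSO_<PermissionSet>_<hash>/<session> role form shown above) rather than a long-lived IAM user credential. The JSON, account id, role hash and e-mail are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code. Parses the ARN from
# `aws sts get-caller-identity` and confirms the session comes from the
# expected AWS SSO permission set. All sample values are constructed.

# Extract the permission-set name from an SSO assumed-role ARN such as
#   arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<PermSet>_<hash>/<email>
# Prints the name; prints nothing and returns 1 if the ARN is not an SSO role.
sso_permission_set() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*) ;;
    *) return 1 ;;
  esac
  name="${arn#*assumed-role/AWSReservedSSO_}"   # drop the reserved prefix
  name="${name%/*}"                             # strip "/<email>" session name
  name="${name%_*}"                             # strip the trailing "_<hash>"
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# Pull the "Arn" value out of get-caller-identity JSON without needing jq.
caller_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the session maps to the expected permission set, 1 otherwise
# (including when the credentials are not an AWS SSO session at all).
check_sso_identity() {
  json="$1"; expected="$2"
  actual=$(sso_permission_set "$(caller_arn "$json")") || return 1
  [ "$actual" = "$expected" ]
}

# Constructed sample output mirroring the shape of the post's result.
SAMPLE_SSO='{ "UserId": "AROAPLACEHOLDER:user@example.com", "Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_ViewOnlyAccess_0123456789abcdef/user@example.com" }'
# Constructed long-lived IAM user credential, which the check should reject.
SAMPLE_IAM_USER='{ "UserId": "AIDAPLACEHOLDER", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/legacy-admin" }'

check_sso_identity "$SAMPLE_SSO" ViewOnlyAccess && echo "ok: session uses permission set ViewOnlyAccess"
check_sso_identity "$SAMPLE_IAM_USER" ViewOnlyAccess || echo "rejected: not an AWS SSO session"
```

With real credentials, pass `$(AWS_PROFILE=okta aws sts get-caller-identity)` as the first argument instead of the sample JSON.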