
Federated Identity: Okta and AWS SSO


Intro

In this post I’ll go through the steps required to set up Okta as an external Identity Provider (IdP) for AWS SSO, and enable automated user and group provisioning.

There is an excellent AWS blog article describing this process, in case you want to stop reading this one.

One thing I did differently was to also provision groups, so that permission sets can be assigned to them rather than to individual users - more details here.

Okta - Initial steps

I switched to the Classic UI, then searched for AWS Single sign-on in the list of applications.

Add the AWS Single sign-on app

I added the application using Applications -> Add Application.

Download the Identity Provider metadata

I saved the metadata file using the Identity Provider metadata link, as it is required later in the process.

AWS - Enable AWS SSO

I enabled AWS SSO.

AWS - Configure External Identity Provider

Next, I changed the identity source from AWS SSO to External Identity Provider.

I noted the values in the Service provider metadata section.

Under IdP SAML metadata, I uploaded the metadata file downloaded from Okta in the earlier step.

Okta - Sign-on config

I updated the AWS SSO ACS URL and AWS SSO issuer URL using the values obtained during the External identity provider setup in AWS SSO.

Automatic Provisioning

AWS - Enable Automatic Provisioning

I noted down the SCIM endpoint (removing the trailing /) and the Access token.

Okta - Enable Automatic Provisioning

I set the values below, tested them using Test API Credentials, and saved the changes.

Base URL: the SCIM endpoint

API Token: Access token
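As an added example (not code from the original post, nor from Okta or AWS), the following Python shows what Okta's Test API Credentials button effectively does against the AWS SSO SCIM endpoint: it normalises the Base URL (dropping the trailing slash mentioned above), builds a SCIM GET /Users request authenticated with the bearer token, and parses the SCIM ListResponse that comes back. The endpoint, tenant id and token are placeholders, and the response body is a constructed sample so the script runs offline.

```python
import json
from typing import List, Optional
from urllib.parse import quote

# Placeholder values; the real SCIM endpoint and token come from the
# AWS SSO "Automatic provisioning" dialog (shape of the URL is assumed).
SCIM_ENDPOINT = "https://scim.eu-west-1.amazonaws.com/<tenant-placeholder>/scim/v2/"
ACCESS_TOKEN = "<access-token-placeholder>"


def normalize_base_url(url: str) -> str:
    """Return the SCIM base URL without a trailing slash.

    Okta appends '/Users', '/Groups' etc. to the Base URL, so a trailing
    slash would produce '//Users' and the credential test fails.
    """
    return url.rstrip("/")


def build_users_request(base_url: str, token: str, user_name: Optional[str] = None) -> dict:
    """Build the URL and headers for a SCIM 'list users' call.

    SCIM (RFC 7644) authenticates with a bearer token and uses the
    application/scim+json media type; the optional filter looks up a
    single user by userName.
    """
    url = f"{normalize_base_url(base_url)}/Users"
    if user_name is not None:
        url += "?filter=" + quote(f'userName eq "{user_name}"', safe="")
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    }
    return {"url": url, "headers": headers}


def parse_list_response(body: str) -> List[dict]:
    """Extract (id, userName, active) from a SCIM ListResponse body."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [
        {"id": r["id"], "userName": r["userName"], "active": bool(r.get("active", False))}
        for r in doc.get("Resources", [])
    ]


# Constructed sample body, shaped like a SCIM ListResponse (not real data).
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "itemsPerPage": 1,
    "startIndex": 1,
    "Resources": [
        {"id": "constructed-id-0001", "userName": "user@example.com", "active": True}
    ],
})

if __name__ == "__main__":
    req = build_users_request(SCIM_ENDPOINT, ACCESS_TOKEN, "user@example.com")
    print(req["url"])
    for user in parse_list_response(SAMPLE_RESPONSE):
        print(user)
```

To run it for real, send `req["url"]` with `req["headers"]` using any HTTP client and pass the response text to `parse_list_response`; a 401 from the endpoint means the token was rejected, while a 404 on `/Users` usually points at a malformed Base URL such as the doubled slash handled above.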

Assign app to group

I assigned the app to an existing group with one user.

Assign app to an existing group

Check user in AWS SSO

The Okta user was provisioned in AWS SSO.

Okta - Configure group

The Okta group was not provisioned in AWS SSO.

Some more configuration is required in the Push Groups tab of the AWS Single Sign-on application in Okta.

AWS - Check group

The group was now present in AWS SSO.

Assign the permission set to an AWS account

I assigned a permission set following the steps used before.

Log into AWS with the Okta user

Okta

When logging into Okta with a user belonging to the group I had configured, I could see the AWS Single Sign-on app.

Single Sign-On

After clicking the app, the following page loads, where I could choose the AWS account, and the method to access it: AWS Console or CLI.

AWS Console

I have successfully repeated the steps described in the Accessing AWS accounts using AWS SSO post.

AWS CLI

I did the same for the CLI.

AWS CLI - aws configure sso

This is only available in AWS CLI version 2 as described in the user guide.

It’s an alternative to configuring CLI access using export commands.

aws configure sso
SSO start URL [None]: https://d-936702831c.awsapps.com/start
SSO Region [None]: eu-west-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-west-1.amazonaws.com/

Then enter the code:

<code-placeholder>
The only AWS account available to you is: <account-placeholder>
Using the account ID <account-placeholder>
The only role available to you is: ViewOnlyAccess
Using the role name "ViewOnlyAccess"
CLI default client Region [None]: eu-west-1
CLI default output format [None]: json
CLI profile name [ViewOnlyAccess-<account-placeholder>]: okta

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile okta

I executed AWS_PROFILE=okta aws sts get-caller-identity successfully, which returned:

...
    "Arn": "arn:aws:sts::<account-placeholder>:assumed-role/AWSReservedSSO_ViewOnlyAccess_<placeholder>/<email-placeholder>"
...
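As an added example (not from the original post and not AWS tooling), the Python below checks the two artefacts this section produces: the `[profile okta]` block that `aws configure sso` writes to ~/.aws/config, and the assumed-role ARN that `sts get-caller-identity` returns. The first function verifies that a profile carries every key the CLI needs for SSO login; the second splits the `AWSReservedSSO_<PermissionSet>_<suffix>/<user>` ARN into account, permission set and SSO user, which is the same mapping you need when attributing CloudTrail events to a federated user. The config text and the account id, suffix and e-mail in the ARN are constructed values, not the post's.

```python
import configparser
import re
from typing import Dict, List

# Constructed ~/.aws/config fragment of the kind `aws configure sso` writes;
# the start URL is the one shown in the post, the account id is made up.
SAMPLE_AWS_CONFIG = """\
[profile okta]
sso_start_url = https://d-936702831c.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123456789012
sso_role_name = ViewOnlyAccess
region = eu-west-1
output = json
"""

# Keys the CLI needs to perform the SSO login for a profile.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def missing_sso_keys(config_text: str, profile: str) -> List[str]:
    """Return the required SSO keys that the named profile does not define."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = f"profile {profile}"
    if not parser.has_section(section):
        return list(REQUIRED_SSO_KEYS)
    return [k for k in REQUIRED_SSO_KEYS if not parser.has_option(section, k)]


def load_sso_profile(config_text: str, profile: str) -> Dict[str, str]:
    """Return the profile's settings, raising if it is not a usable SSO profile."""
    missing = missing_sso_keys(config_text, profile)
    if missing:
        raise ValueError(f"profile {profile!r} is missing {missing}")
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    values = dict(parser[f"profile {profile}"])
    if not values["sso_start_url"].startswith("https://"):
        raise ValueError("sso_start_url must be an https URL")
    return values


# AWS SSO permission sets materialise as roles named
# AWSReservedSSO_<permission set>_<hex suffix>; the session name is the SSO user.
SSO_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>.+)_(?P<suffix>[0-9a-f]+)/(?P<session>[^/]+)$"
)


def parse_sso_caller_arn(arn: str) -> Dict[str, str]:
    """Split an AWS SSO assumed-role ARN into account, permission set and user."""
    match = SSO_ROLE_ARN.match(arn)
    if match is None:
        raise ValueError(f"not an AWS SSO assumed-role ARN: {arn}")
    return match.groupdict()


if __name__ == "__main__":
    print(load_sso_profile(SAMPLE_AWS_CONFIG, "okta"))
    # Constructed ARN with the post's placeholders filled with made-up values.
    print(parse_sso_caller_arn(
        "arn:aws:sts::123456789012:assumed-role/"
        "AWSReservedSSO_ViewOnlyAccess_0123456789abcdef/user@example.com"
    ))
```

Point `load_sso_profile` at the contents of your own ~/.aws/config to confirm a profile is complete before handing it to `--profile`; the ARN parser is the piece to reuse when correlating `userIdentity.arn` values from CloudTrail back to the Okta user and the permission set that granted the session.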