Federated Access With Okta
Objective: Configure AWS IAM Identity Center (the successor to AWS SSO) with Okta so that users federate into AWS with Okta as the SAML 2.0 Identity Provider (IdP).
Outcome: Users sign in to AWS with their Okta credentials instead of long-lived IAM user credentials. Access is granted through IAM Identity Center permission sets, which Identity Center provisions as IAM roles in each assigned account and which users assume with short-lived session credentials.
Prerequisites
- AWS IAM Identity Center is enabled in the management account (or a delegated administrator account) of your AWS Organization.
- Okta admin access with rights to create and configure app integrations (super admin or app admin).
- AWS Organizations is set up, since Identity Center assigns access across the organization's member accounts.
Step 1: Enable IAM Identity Center in AWS
Go to the IAM Identity Center console
1. In the AWS Console, open IAM Identity Center in the region where you want it to live (Identity Center is enabled in a single region per organization).
2. Click Enable (skip this if it is already enabled).
3. Open Settings, select the Identity source tab, and choose Actions, then Change identity source, then External identity provider.
4. The page now shows the service provider details that Okta needs: the IAM Identity Center Assertion Consumer Service (ACS) URL and the IAM Identity Center issuer URL. Copy both (or download the IAM Identity Center SAML metadata file, which carries the same values).
IAM Identity Center is now ready for federation with Okta. Keep this browser tab open; the Okta metadata is uploaded on this same page in Step 3.
Step 2: Configure Okta as the Identity Provider for AWS
Set up AWS IAM Identity Center in Okta
Okta's integration catalog also offers a prebuilt AWS IAM Identity Center app that includes SCIM provisioning; the steps below build the equivalent SAML trust as a custom SAML 2.0 app.
1. Log in to your Okta Admin Console (your org's -admin.okta.com URL, for example https://<your-org>-admin.okta.com).
2. Navigate to Applications > Applications and click Create App Integration.
3. Select SAML 2.0 as the sign-in method and click Next.
4. Enter AWS IAM Identity Center as the app name.
5. Click Next.
Configure SAML settings in Okta
6. Single sign-on URL: paste the IAM Identity Center ACS URL from Step 1 (not a metadata URL; Okta needs the endpoint that receives the signed SAML response). Leave "Use this for Recipient URL and Destination URL" checked.
7. Audience URI (SP Entity ID): paste the IAM Identity Center issuer URL from Step 1. The value urn:amazon:webservices belongs to the older AWS account federation app, not to Identity Center; an assertion whose Audience does not match the issuer URL is rejected.
8. Name ID format: EmailAddress, with Application username set to Okta username (or Email). The NameID must equal the user's username in IAM Identity Center; that is the only value Identity Center uses to match the assertion to a user.
9. Click Next, answer the feedback questions, and click Finish.
On the app's Sign On tab, download the Identity Provider metadata XML. It contains Okta's entity ID, the SSO URL and the X.509 certificate Okta uses to sign assertions.
Okta is now configured to issue SAML assertions for AWS.
Step 3: Configure IAM Identity Center to Use Okta
Import Okta metadata into AWS
1. Return to IAM Identity Center > Settings > Identity source.
2. Choose Actions > Change identity source.
3. Select External identity provider.
4. Under IdP SAML metadata, upload the Okta metadata XML file downloaded in Step 2.
5. Click Next, review the settings, type ACCEPT to confirm, and choose Change identity source.
IAM Identity Center now trusts assertions signed with Okta's certificate. Track that certificate's expiry: when Okta rotates its SAML signing certificate, the new certificate must be uploaded in Identity Center (Settings > Identity source > Actions > Manage certificates) before the old one expires, or every login will fail.
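Before uploading the Okta metadata in Step 3, it is worth checking that the file actually carries what IAM Identity Center needs: an entityID, an HTTP-POST single sign-on endpoint, a signing certificate, and the emailAddress NameID format. The Python script below is an added example, not part of the original walkthrough and not AWS or Okta tooling; the metadata embedded in it is constructed (invented org name, app id and a placeholder certificate blob) to mirror the shape of the file Okta exports for a custom SAML 2.0 app.

```python
"""Pre-upload checks on the Okta IdP metadata XML from Step 2 (added example)."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder, not a real certificate: a DER SEQUENCE header followed by
# zero bytes, enough for the structural check below. Real metadata carries Okta's
# X.509 signing certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()

# Constructed sample shaped like Okta's export for a custom SAML 2.0 app.
# The org name, app id and URLs are invented.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exk1abcd2EFGhijkl5d7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example-org.okta.com/app/example-org_awsiamidentitycenter_1/exk1abcd2EFGhijkl5d7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/example-org_awsiamidentitycenter_1/exk1abcd2EFGhijkl5d7/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out the fields IAM Identity Center consumes from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or the wrong file")
    sso_post = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
                if s.get("Binding") == HTTP_POST]
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))  # drop line breaks inside the PEM body
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso_post[0] if sso_post else None,
        "signing_certs": certs,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat") if n.text],
    }


def check_idp_metadata(info):
    """Return a list of problems; an empty list means the file is ready for Step 3."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing: Identity Center matches it against the assertion Issuer")
    if not info["sso_post_url"]:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    elif not info["sso_post_url"].startswith("https://"):
        problems.append("SSO URL is not https")
    if not info["signing_certs"]:
        problems.append("no signing certificate: Identity Center cannot verify assertion signatures")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except Exception:
            problems.append("signing certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            problems.append("signing certificate is not DER-encoded X.509")
    if EMAIL_FORMAT not in info["nameid_formats"]:
        problems.append("emailAddress NameID format not advertised; Okta must send the user's email as NameID")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso_post_url"])
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the real export with parse_idp_metadata(open("metadata.xml").read()). The certificate check is structural only; the expiry date is tracked separately, because Identity Center rejects every assertion once Okta rotates to a certificate it has not been given.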
Step 4: Make Okta Groups Available in IAM Identity Center and Assign Them
Create groups in Okta
1. In Okta, go to Directory > Groups > Add group.
2. Create a group named SecureCart-Developers.
3. Add the developers who need AWS access to this group.
A custom SAML app does not push users or groups to AWS; the assertion only carries the NameID at login. For the group to be selectable in the next section, either enable Automatic provisioning (SCIM) under IAM Identity Center > Settings > Identity source and configure Okta to push the group and its members, or create the group in IAM Identity Center manually (Groups > Create group) and add users whose usernames equal their Okta email addresses.
Assign groups in AWS IAM Identity Center
1. Go to AWS Console > IAM Identity Center > AWS accounts.
2. Select the AWS account you want to grant access to.
3. Click Assign users or groups.
4. Choose the group (for example SecureCart-Developers).
5. Select a permission set (for example ReadOnlyAccess, or a custom least-privilege set; reserve AdministratorAccess for break-glass use). Permission sets are created under IAM Identity Center > Permission sets before they can be assigned.
6. Click Submit.
Identity Center creates a role named AWSReservedSSO_<PermissionSetName>_<suffix> in the account, and members of the group can assume it from the access portal with short-lived credentials. Membership changes made in Okta reach AWS at the next SCIM push, not at the next login.
Step 5: Test AWS Login Using Okta Credentials
Test user login
1. Open the AWS access portal URL (https://securecart.awsapps.com/start; the exact URL is shown on the IAM Identity Center Settings page).
2. The portal redirects to Okta.
3. Enter your Okta username and password, and complete MFA if your Okta sign-on policy requires it.
4. After authentication the portal lists the AWS accounts and permission sets assigned to you.
5. Choose an account and permission set to open the console; this assumes the corresponding AWSReservedSSO_ role.
Users now authenticate through Okta; no IAM user credentials are involved.
Bonus: AWS CLI Authentication with Okta & SSO
Developers can authenticate the AWS CLI (v2) through the same Okta login: run aws configure sso, enter the access portal URL and region, pick the account and permission set, and the CLI writes a profile; aws sso login --profile <name> then opens the browser flow through Okta.
Result: the CLI receives short-lived credentials for the permission set's role, and no access keys are created or stored on the workstation.
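For the CLI flow it helps to see the ~/.aws/config layout that aws configure sso writes for the Step 4 assignments, and after aws sso login to confirm that the active session really is the permission-set role rather than a leftover IAM user access key. The Python below is an added example, not code from the original page or from AWS; the account ids, profile names and caller-identity JSON are constructed, and the 16-hex-character suffix in the role name is an assumption drawn from observed AWSReservedSSO_ role names.

```python
"""Added example: CLI profiles for the Step 4 assignments and a post-login identity check."""
import configparser
import io
import re

# Constructed values: account ids and profile names are invented; the portal alias
# matches the one used in Step 5.
PORTAL_URL = "https://securecart.awsapps.com/start"
SSO_REGION = "us-east-1"
# (profile name, account id, permission set name, default region), one per assignment
ASSIGNMENTS = [
    ("securecart-dev-ro", "111111111111", "ReadOnlyAccess", "us-east-1"),
    ("securecart-dev-admin", "111111111111", "AdministratorAccess", "us-east-1"),
]

# Constructed sample of `aws sts get-caller-identity --output json` after `aws sso login`.
SAMPLE_IDENTITY = {
    "UserId": "AROAEXAMPLEEXAMPLE:dev@securecart.example",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/"
           "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/dev@securecart.example",
}

# Role naming Identity Center uses in member accounts: AWSReservedSSO_<PermissionSet>_<hex>.
# The 16-hex-digit suffix length is an assumption from observed role names.
ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<pset>.+?)_[0-9a-f]{16}/(?P<session>.+)$"
)


def build_cli_config(session_name, portal_url, sso_region, assignments):
    """Render the AWS CLI v2 sso-session/profile layout that `aws configure sso` writes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp[f"sso-session {session_name}"] = {
        "sso_start_url": portal_url,
        "sso_region": sso_region,            # region where Identity Center is enabled (Step 1)
        "sso_registration_scopes": "sso:account:access",
    }
    for profile, account_id, permission_set, region in assignments:
        cp[f"profile {profile}"] = {
            "sso_session": session_name,
            "sso_account_id": account_id,
            "sso_role_name": permission_set,  # the permission set name, not the IAM role name
            "region": region,
        }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def verify_caller_identity(identity, expected_account, expected_permission_set, expected_user):
    """Check parsed get-caller-identity JSON against the assignment you expect.

    Returns (ok, reason). Anything that is not an AWSReservedSSO_ role session,
    such as an IAM user from a stale ~/.aws/credentials file, fails the check.
    """
    m = ASSUMED_ROLE.match(identity.get("Arn", ""))
    if not m:
        return False, "not an IAM Identity Center role session (IAM user or other role?)"
    if m["account"] != expected_account:
        return False, f"wrong account {m['account']}"
    if m["pset"] != expected_permission_set:
        return False, f"wrong permission set {m['pset']}"
    if m["session"] != expected_user:
        return False, f"session name {m['session']} is not the expected Okta user"
    return True, "session matches the expected assignment"


if __name__ == "__main__":
    print(build_cli_config("securecart", PORTAL_URL, SSO_REGION, ASSIGNMENTS))
    print(verify_caller_identity(SAMPLE_IDENTITY, "111111111111",
                                 "ReadOnlyAccess", "dev@securecart.example"))
```

Write the output of build_cli_config to ~/.aws/config, run aws sso login --profile securecart-dev-ro, then pass the JSON from aws sts get-caller-identity --profile securecart-dev-ro to verify_caller_identity. A False result with an arn:aws:iam::...:user/ ARN means a static access key is still winning the credential resolution and should be removed.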
Summary of setup

Step     Action
Step 1   Enable IAM Identity Center in AWS and note its ACS URL and issuer URL
Step 2   Create the SAML 2.0 app for AWS IAM Identity Center in Okta
Step 3   Upload Okta's IdP metadata to IAM Identity Center
Step 4   Provision Okta groups into Identity Center and assign them permission sets
Step 5   Test AWS login with Okta credentials
Bonus    Authenticate the AWS CLI through the same Okta login