Federated Access With Okta

Objective: Configure AWS IAM Identity Center (AWS SSO) with Okta to enable federated login to AWS using Okta as the Identity Provider (IdP).

Outcome: Users will log in to AWS using Okta credentials instead of IAM Users, and IAM Identity Center will dynamically assign IAM Roles.


Summary of Setup

  Step     Action
  Step 1   Enable IAM Identity Center in AWS
  Step 2   Set up AWS IAM Identity Center in Okta
  Step 3   Link IAM Identity Center with Okta
  Step 4   Map Okta Groups to AWS IAM Roles
  Step 5   Test AWS Login with Okta Credentials
  Bonus    Enable AWS CLI authentication via SSO

Prerequisites

  • AWS IAM Identity Center (AWS SSO) is enabled in your AWS account.

  • Okta Admin access (to configure the enterprise app).

  • AWS Organizations is set up (for multi-account management).


Step 1: Enable IAM Identity Center in AWS

Go to IAM Identity Center Console

  • Navigate to AWS Console → IAM Identity Center.

  • Click Enable IAM Identity Center (if not already enabled).

  • Select "Use an external identity provider (IdP)".

  • Copy the IAM Identity Center SAML Metadata URL – needed for Okta configuration.

IAM Identity Center is now ready for federation with Okta.


Step 2: Configure Okta as the Identity Provider for AWS

Set Up AWS IAM Identity Center in Okta

  • Log in to the Okta Admin Console (https://admin.okta.com).

  • Navigate to Applications → Click Create App Integration.

  • Select SAML 2.0 as the Sign-on method.

  • Enter "AWS IAM Identity Center" as the app name.

  • Click Next.

Configure SAML Settings in Okta

  • Single sign-on URL: Paste the IAM Identity Center SAML Metadata URL copied from AWS.

  • Audience URI (SP Entity ID): Enter urn:amazon:webservices.

  • Name ID format: EmailAddress.

  • Click Next → Save Configuration.

  • Download the Okta Metadata XML File.

Okta is now configured to authenticate AWS users.


Step 3: Configure IAM Identity Center to Use Okta

Import Okta Metadata into AWS

  • Navigate back to AWS IAM Identity Center → Settings → Identity Source.

  • Click Change Identity Source.

  • Select SAML 2.0-based authentication.

  • Upload the Okta Metadata XML file downloaded earlier.

  • Click Next, review the settings, and Accept Change.

IAM Identity Center is now linked to Okta!


Step 4: Sync Okta Groups with AWS IAM Identity Center

Create Groups in Okta

  • In Okta, go to Directory → Groups → Create Group.

  • Create a group SecureCart-Developers.

  • Add developers to this group who need AWS access.

Assign Groups in AWS IAM Identity Center

  • Go to AWS Console → IAM Identity Center → AWS Accounts.

  • Select the AWS Account you want to grant access to.

  • Click Assign Users & Groups.

  • Choose Okta Groups (e.g., SecureCart-Developers).

  • Select a Permission Set (e.g., AdministratorAccess, ReadOnlyAccess).

  • Click Save.

Users in the Okta group can now assume IAM Roles dynamically.


Step 5: Test AWS Login Using Okta Credentials

Test User Login

  • Open the IAM Identity Center User Portal URL (https://securecart.awsapps.com/start).

  • Click Sign in with Okta.

  • Enter Okta username & password.

  • After authentication, users can see assigned AWS accounts.

  • Click an account → Assume the assigned IAM Role.

Users now authenticate using Okta and access AWS resources securely!


Bonus: AWS CLI Authentication with Okta & SSO

Developers can authenticate to the AWS CLI using Okta credentials.

Result: Users authenticate via Okta and assume an IAM Role without needing IAM credentials.
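As an added example (not part of the original page), the AWS CLI v2 ~/.aws/config profile a developer would use to sign in through the Okta-backed IAM Identity Center portal above and receive short-lived credentials for the ReadOnlyAccess permission set. The start URL and role name come from this page; the region and the 12-digit account ID are placeholders.

```ini
# ~/.aws/config (AWS CLI v2). Added example, not from the original page.
# The sso-session section holds the portal-facing settings; any number of
# profiles reference it, so one browser login (Okta) covers every account/role.
[sso-session securecart]
sso_start_url = https://securecart.awsapps.com/start
# Assumed: region in which IAM Identity Center was enabled in Step 1.
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile securecart-dev]
sso_session = securecart
# Placeholder account ID; use the account selected in Step 4.
sso_account_id = 111122223333
# Permission set assigned to the Okta group in Step 4.
sso_role_name = ReadOnlyAccess
region = us-east-1

# Usage:
#   aws sso login --profile securecart-dev
#   aws sts get-caller-identity --profile securecart-dev
# The first command opens the browser, where Okta performs the authentication;
# the SSO token is cached under ~/.aws/sso/cache and no long-lived access keys
# are ever written to ~/.aws/credentials.
```

The `get-caller-identity` call should return an assumed-role ARN under the AWSReservedSSO_ReadOnlyAccess role rather than an IAM user, which is the quickest check that the federation chain (Okta → IAM Identity Center → permission set) is working from the CLI.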

