# Federated Access With Okta

**Objective:** Configure AWS IAM Identity Center (AWS SSO) with Okta to enable federated login to AWS using Okta as the Identity Provider (IdP).

**Outcome:** Users will log in to AWS using Okta credentials instead of IAM Users, and IAM Identity Center will dynamically assign IAM Roles.

***

## **Summary of Setup**

| **Step**   | **Action**                             |
| ---------- | -------------------------------------- |
| **Step 1** | Enable IAM Identity Center in AWS      |
| **Step 2** | Set up AWS IAM Identity Center in Okta |
| **Step 3** | Link IAM Identity Center with Okta     |
| **Step 4** | Map Okta Groups to AWS IAM Roles       |
| **Step 5** | Test AWS Login with Okta Credentials   |
| **Bonus**  | Enable AWS CLI authentication via SSO  |

## **Prerequisites**

* **AWS IAM Identity Center (AWS SSO) is enabled** in your AWS account.
* **Okta Admin access** (to configure the enterprise app).
* **AWS Organizations is set up** (for multi-account management).

***

## **Step 1: Enable IAM Identity Center in AWS**

### **Go to IAM Identity Center Console**

* Navigate to **AWS Console → IAM Identity Center**.
* Click **Enable IAM Identity Center** (if not already enabled).
* Select **"Use an external identity provider (IdP)"**.
* Copy the **IAM Identity Center SAML Metadata URL** – needed for Okta configuration.

IAM Identity Center is now ready for federation with Okta.

***

## **Step 2: Configure Okta as the Identity Provider for AWS**

### **Set Up AWS IAM Identity Center in Okta**

* Log in to the **Okta Admin Console** (`https://admin.okta.com`).
* Navigate to **Applications** → Click **Create App Integration**.
* Select **SAML 2.0** as the Sign-on method.
* Enter **"AWS IAM Identity Center"** as the app name.
* Click **Next**.

### **Configure SAML Settings in Okta**

* **Single sign-on URL:** Paste the **IAM Identity Center SAML Metadata URL** copied from AWS.
* **Audience URI (SP Entity ID):** Enter `urn:amazon:webservices`.
* **Name ID format:** `EmailAddress`.
* Click **Next** → **Save Configuration**.
* Download the **Okta Metadata XML File**.

**Okta is now configured to authenticate AWS users.**

***

## **Step 3: Configure IAM Identity Center to Use Okta**

### **Import Okta Metadata into AWS**

* Navigate back to **AWS IAM Identity Center → Settings → Identity Source**.
* Click **Change Identity Source**.
* Select **SAML 2.0-based authentication**.
* Upload the **Okta Metadata XML** file downloaded earlier.
* Click **Next**, review the settings, and **Accept Change**.

**IAM Identity Center is now linked to Okta!**

***

## **Step 4: Sync Okta Groups with AWS IAM Identity Center**

### **Create Groups in Okta**

* In Okta, go to **Directory → Groups → Create Group**.
* Create a group named `SecureCart-Developers`.
* Add the developers who need AWS access to this group.

### **Assign Groups in AWS IAM Identity Center**

* Go to **AWS Console → IAM Identity Center → AWS Accounts**.
* Select the **AWS Account** you want to grant access to.
* Click **Assign Users & Groups**.
* Choose **Okta Groups** (e.g., `SecureCart-Developers`).
* Select a **Permission Set** (e.g., **AdministratorAccess, ReadOnlyAccess**).
* Click **Save**.

**Users in the Okta group can now assume IAM Roles dynamically.**

***

## **Step 5: Test AWS Login Using Okta Credentials**

### **Test User Login**

* Open the **IAM Identity Center User Portal URL** (`https://securecart.awsapps.com/start`).
* Click **Sign in with Okta**.
* Enter **Okta username & password**.
* After authentication, users can see **assigned AWS accounts**.
* Click an account → Assume the **assigned IAM Role**.

**Users now authenticate using Okta and access AWS resources securely!**

***

## **Bonus: AWS CLI Authentication with Okta & SSO**

**Developers can authenticate to AWS CLI using Okta credentials.**

```sh
aws configure sso
aws sso login --profile SecureCart-Dev
aws sts get-caller-identity
```

Result: Users authenticate via Okta and assume an IAM Role without needing IAM credentials.
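The three commands above leave it to the developer to confirm that the session they ended up with is in fact an Identity Center role and not a stray long-lived IAM user key from `~/.aws/credentials`. The script below is an added example, not part of the original walkthrough: it prints the `~/.aws/config` stanza that `aws configure sso` would produce for the `SecureCart-Dev` profile, then checks the ARN returned by `aws sts get-caller-identity`. IAM Identity Center provisions each permission set as a role named `AWSReservedSSO_<PermissionSet>_<suffix>`, so a federated session always appears as `assumed-role/AWSReservedSSO_...`. The start URL is the portal URL from Step 5; the SSO region, account ID, role suffix and the two sample JSON documents are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): confirm that an AWS CLI session
# obtained via `aws sso login` is an IAM Identity Center permission-set role.
# Region, account ID, role suffix and sample JSON below are constructed values.

# Print the ~/.aws/config stanza assumed for the SecureCart-Dev profile.
# The sso-session block is what `aws configure sso` writes on current CLI v2.
sso_profile_config() {
  cat <<'EOF'
[sso-session securecart]
sso_start_url = https://securecart.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile SecureCart-Dev]
sso_session = securecart
sso_account_id = 123456789012
sso_role_name = ReadOnlyAccess
region = us-east-1
EOF
}

# Read `aws sts get-caller-identity` JSON on stdin and print the Arn value.
# Plain sed so the check works on a machine without jq.
caller_arn() {
  sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the ARN is an assumed role created by IAM Identity Center
# (role name prefix AWSReservedSSO_), 1 for anything else, e.g. an IAM user.
is_identity_center_session() {
  case "$1" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: requires a completed `aws sso login --profile SecureCart-Dev`.
# Not executed at load time so the rest of the script runs offline.
verify_live_session() {
  profile="${1:-SecureCart-Dev}"
  arn=$(aws sts get-caller-identity --profile "$profile" --output json | caller_arn)
  if is_identity_center_session "$arn"; then
    echo "OK: federated Identity Center session: $arn"
  else
    echo "WARNING: $profile is not an Identity Center role: $arn" >&2
    return 1
  fi
}

# Constructed sample outputs for offline testing of the parsing and the check.
SSO_IDENTITY='{
    "UserId": "AROAEXAMPLEID:dev@securecart.example",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/dev@securecart.example"
}'
IAM_USER_IDENTITY='{
    "UserId": "AIDAEXAMPLEID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/legacy-dev"
}'
```

Run `verify_live_session SecureCart-Dev` after `aws sso login --profile SecureCart-Dev`; a non-zero exit means the CLI resolved credentials from somewhere other than Identity Center, which is exactly the case this migration is meant to eliminate.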

***
