AWS Logo
Menu

Integrating AWS IAM Identity Center with Okta

In this comprehensive guide, we walk you through the process of integrating AWS IAM Identity Center with Okta to streamline and secure identity management within your organization. With detailed steps and illustrative screenshots, you'll learn how to configure Okta for seamless integration with AWS IAM Identity Center, manage users and groups in Okta, define and apply permission sets in AWS IAM Identity Center

iam-identity-centeroktaaws-iam
Justin Mathew Biji
Published Aug 5, 2024
Last Modified Aug 9, 2024

What is IAM Identity Center?

AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications. IAM Identity Center is offered at no additional charge.
With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications. You can use multi-account permissions to assign your workforce users access to AWS accounts. You can use application assignments to assign your users access to AWS managed and customer managed applications.

Manage your identity source

Your identity source in IAM Identity Center defines where your users and groups are managed. After you configure your identity source, you can look up users or groups to grant them single sign-on access to AWS accounts applications, or both.
You can have only one identity source per organization in AWS Organizations. You can choose one of the following as your identity source:
  • Identity Center directory – When you enable IAM Identity Center for the first time, it is automatically configured with an Identity Center directory as your default identity source. This is where you create your users and groups, and assign their level of access to your AWS accounts and applications.
  • Active Directory – Choose this option if you want to continue managing users in either your AWS Managed Microsoft AD directory using AWS Directory Service or your self-managed directory in Active Directory (AD).
  • External identity provider – Choose this option if you want to manage users in an external identity provider (IdP) such as Okta or Microsoft Entra ID.

Architecture

Configure Okta

  1. Sign Up for an Okta Developer Account
  2. Sign up using your Google Account, GitHub, or by entering your personal details
  3. Install the Okta Verify App on your mobile device.
  4. Scan the QR Code
  5. Open the Okta Verify App and scan the QR code displayed on your screen.
  6. Access the Okta Dashboard
    • After successfully logging in, you will be directed to the Okta landing page.
  7. Navigate to the Applications Section
    • In the Okta admin dashboard, look at the left-hand menu pane.
    • Find and expand the Applications section by clicking on it.
  8. Access the Applications Page
    • After expanding Applications, click on Applications in the dropdown menu. This will take you to the Applications page.
  9. Browse the App Catalog
    • On the Applications page, locate and click the Browse App Catalog button. This will open the app catalog where you can search for applications.
  10. Search for AWS IAM Identity Center
    • In the search box that appears, type AWS IAM Identity Center.
    • Click on the app that matches AWS IAM Identity Center to select it.
  11. Add the Integration
    • After selecting the AWS IAM Identity Center app, click the Add Integration button. This will initiate the process to add the integration.
    • Provide an Application Label in Add AWS IAM Identity Center and click Done button.
  12. Open the Sign On Tab
    1. Once you have selected the AWS IAM Identity Center app, you will be directed to the app’s settings page.
    2. Click on the Sign On tab to view SAML settings.
  13. View the SAML Metadata
  14. Copy the SAML Metadata
    • In the new browser tab displaying the XML file, find and select all content between <md:EntityDescriptor> and </md:EntityDescriptor>.
    • Right-click and choose Copy to copy the selected XML content.
  15. Save the Metadata to a File
    • Open a text editor (such as Notepad on Windows or TextEdit on macOS).
    • Paste the copied XML content into the text editor.
    • Save the file with the name metadata.xml to a convenient location on your computer.
  16. Keep the Okta Admin Dashboard Open
    1. Do not close the Okta admin dashboard as you will need it for additional configuration steps later.

AWS IAM Identity Center Configuration in AWS Console

  1. Open the IAM Identity Center console dashboard
    1. Go to the IAM Identity Center console.
  2. Enable IAM Identity Center
    • If this is your first time accessing IAM Identity Center, you'll be prompted to enable it. Click Enable button
  3. Enable with AWS Organizations
    • You'll have two options: Enable with AWS Organizations or Enable in only this AWS account.
    • For this workshop choose Enable with AWS Organizations and click Continue button This will allow you to manage access across your entire organization.
    • The other option, Enable in only this AWS account doesn't support granting users and groups access to AWS accounts in an AWS organization
  4. Confirm Identity Source:
    • In the IAM Identity Center setup section, choose the Confirm identity source button.
    • Location: The setup section is on the IAM Identity Center console homepage under Settings.
    • Alternatively, navigate to Settings and then choose the Identity source tab.
  5. Change Identity Source:
    • By default, the Identity Center directory will be the identity source.
    • To change this, choose the Change identity source option from the Actions dropdown menu.
  6. Select External Identity Provider (Okta)
    • Select External identity provider and click Next.
  7. Upload the Metadata File:
    • Upload the SAML metadata file (metadata.xml) downloaded from Okta (Step 15)
    • Click Next
  8. Review and confirm
    • Type ACCEPT in the confirmation text box
    • Click Change identity source button
      review
  9. Enable Automatic Provisioning in IAM Identity Center
    • In the IAM Identity Center console on the Settings page, locate the Automatic provisioning information box, and then choose Enable.
    • This enables automatic provisioning in IAM Identity Center and displays the necessary SCIM endpoint and access token information.
  10. Copy SCIM Endpoint and Access Token
    • In the Inbound automatic provisioning dialog box, copy each of the values for the following options:
      • SCIM endpoint
      • Access token
    • Later in this workshop, you will enter these values to configure provisioning in Okta.
    • Choose Close.

Configure Okta to Integrate with AWS IAM Identity Center

  1. Navigate to IAM Identity Center Application in Okta
    • Return to the Okta admin dashboard
    • Navigate to the IAM Identity Center application created before.
  2. Open the Provisioning Tab
    • On the IAM Identity Center app page, choose the Provisioning tab.
    • In the left navigation under Settings, choose Integration.
  3. Enable API Integration
    • Choose Edit, and then select the checkbox next to Enable API integration to enable provisioning.
    • Configure Okta with the SCIM provisioning values from IAM Identity Center that you copied earlier
      • In the Base URL field, enter the SCIM endpoint value. Make sure that you remove the trailing forward slash at the end of the URL.
      • In the API Token field, enter the Access token value.
    • Choose Test API Credentials to verify the credentials entered are valid. The message AWS IAM Identity Center was verified successfully! displays.
    • Choose Save. You are navigated to the Settings area, with Integration selected.
  4. Enable Provisioning to App
    • Under Settings, choose To App, and then select the Enable checkbox for each of the Provisioning to App features you want to enable. For this workshop, select all the options.
    • Choose Save.
  5. Verify the connection
    • Verify the connection by clicking the Test API Credentials button.
    • Choose Save.
  6. Select checkbox for Create Users, Update User Attributes, Deactivate Users to manage users from OKTA

Provision groups from Okta

  1. Navigate to IAM Identity Center App in Okta
    • Return to the Okta admin dashboard
    • Navigate to Groups Section
  2. Open Directory
    • In the left-hand menu pane, click on Directory.
  3. Access Groups
    • Choose Groups from the dropdown menu. This will take you to the list of existing groups.
  4. Add New Group
    • Click on the Add Group button to create a new group.
  5. Enter Group Details:
    • Fill in the required details for the new group, including:
    • Group Name: Enter a descriptive name for the group.
    • Group Description (optional): Provide a description for the group’s purpose.
  6.  Save the New Group
    • After entering the details, click Save to create the group.
  7. Check Group List to Verify User Created:
    • Ensure that the newly created group appears in the Groups section.
    • Reload the page to see the newly created group

Provision users from Okta

  1. Open Okta Dashboard
    • Return to the Okta admin dashboard
  2. Navigate to People Section in Directory
    • In the left-hand menu pane, click on Directory.
    • Choose People from the dropdown menu. This will take you to the list of existing users.
    • Click on the Add Person button to create a new user.
  3. Enter User Details
    1. Fill in the required details for the new user, including:
      • First Name
      • Last Name
      • Username
      • Email
      • Password
      • Select the group created in the previous stage.
  4. Save the New User
    • After entering the details, click Save to create the user.
  5. Check User List to Verify User Created:
    • Ensure that the newly created user appears in the People section.
    • Reload the page to see the newly created user

Synchronize Users and Groups from Okta with IAM Identity Center

  1. Assign People
    • In the Okta IAM Identity Center app page, choose the Assignments tab.
    • In the Assignments page, choose Assign, and then choose Assign to people.
    • Choose the Okta users that you want to have access to the IAM Identity Center app. Choose Assign, choose Save and Go Back, and then choose Done.
    • This starts the process of provisioning the users into IAM Identity Center.
  2. Assign Groups:
    • In the Assignments page, choose Assign, and then choose Assign to groups.
    • Choose the Okta groups that you want to have access to the IAM Identity Center app. Choose Assign, choose Save and Go Back, and then choose Done.
    • This starts the process of provisioning the users in the group into IAM Identity Center.
  3. Push Groups
    • Choose the Push Groups tab.
    • Choose the Okta group that contains all the groups that you assigned to the IAM Identity Center app.
    • If the group that created in the previous step not found in the list, choose Find groups by name option by clicking (+)Push Groups Menu Button.
    • Enter the group name that we created in the previous step. developer-group-from-okta
    • Click Save Button.
    • The group status changes to Active after the group and its members have been pushed to IAM Identity Center.
  4. Synchronize Individual Users:
    • If you have users that aren't members of the groups that you pushed to IAM Identity Center, add them individually:
    • In the Assignments page, choose Assign, and then choose Assign to People.
    • Choose the Okta users that you want to have access to the IAM Identity Center app. Choose Assign, choose Save and Go Back, and then choose Done.
    • This starts the process of provisioning the individual users into IAM Identity Center.
  5. Verify Synchronization
    • Return to the IAM Identity Center console. In the left navigation, select Users; you should see the user list populated by your Okta users.

Grant Okta users access to accounts

For an example, we will be providing AmazonS3FullAccess permission to the `developer-from-okta` group members that we created from okta.
  1. Access AWS IAM Identity Center
    • Open your AWS Management Console and navigate to AWS IAM Identity Center.
    • In the IAM Identity Center navigation pane, under Multi-account permissions, choose AWS accounts.
  2. Select Management Account
    • On the AWS accounts page, the Organizational structure displays your organizational root with your accounts underneath it in the hierarchy. Select the checkbox for your management account, then select Assign users or groups.
  3. Open Assign Users and Groups Workflow
    • The Assign users and groups workflow displays. It consists of three steps.
  4. Select User
    • Choose the group that needed the S3 bucket Full Permission. Then choose Next.
  5. Create Permission Set
    • Choose Create permission set to open a new tab that steps you through the three sub-steps involved in creating a permission set.
  6. Permission Set Type
    • In Permission set type, choose Custom permission set.
  7. Specify Policies
    • In Specify policies and permissions boundary, select AmazonS3FullAccess
    • Choose Next.
  8. Specify Permission Set Details
    • Provide a valid name for the permission-set
    • Keep the other values as default and choose Next.
  9. Review and Create
    • Verify that the Permission set type uses the AWS managed policy AmazonS3FullAccess. Choose Create.
    • A notification appears informing you that the permission set was created. You can close this tab in your web browser now.
  10. Select Created Permission Set
    • In the Permissions sets area, choose the Refresh button.
    • The AdministratorAccess permission set you created appears in the list. Select the checkbox for that permission set and then choose Next.
  11. Review and Submit
    • Review the selected user and permission set, then choose Submit. The page updates with a message that your AWS account is being configured. Wait until the process completes.
       

Verify the access

  1. Copy AWS access portal URL
    • Open your AWS Management Console and navigate to AWS IAM Identity Center.
    • Copy AWS access portal URL under Settings Summary
  2. [Optional] Optionally you can edit the AWS access portal URL to a friendly name
  3. Open the URL
    1. This will open the okta login page
    2. Login with the password you have provided while creating the user
    3. You will see the permission set that created. Click on that to open the AWS console.
    4. Congrats, you have now full access in S3.

Conclusion

You have successfully configured okta and integrated with AWS IAM Identity Center.
 

1 Comment