How to Automate Provisioning from Okta to IAM Identity Center

Introduction

Organizations adopt the AWS Cloud to run their workloads by creating AWS accounts, and users with unique identities interact with the AWS resources and applications in those accounts. Without federation, each system or application a user works with needs its own identity, and remembering multiple usernames and passwords for different applications and accounts is challenging. Identity federation links an identity in one system with another trusted system so that users can use a single identity to connect to other systems. Identity federation is implemented with standards such as Security Assertion Markup Language (SAML), OpenID, and OAuth. Okta is an identity management service that provides a single sign-on experience for on-premises and cloud resources to an organization's users. This blog discusses the integration of Okta with AWS IAM Identity Center so that Okta users can access AWS accounts and SaaS applications using their existing identities.


AWS IAM Identity Center

Without IAM Identity Center, an individual must log in to each account separately, with its own username and password, across different identity providers such as Active Directory, external third-party services, and AWS itself. AWS IAM Identity Center provides a single place to create users and groups and to centrally manage their access to AWS accounts and applications. You can assign permissions to access different AWS accounts and assign applications to users in IAM Identity Center.

Features of IAM Identity Center

IAM Identity Center includes the following features:

Workforce identities

The members of your organization are called workforce users or identities. You can create users directly in IAM Identity Center, or connect and synchronize users from an identity source such as Microsoft Active Directory or an external identity provider like Okta Universal Directory or Microsoft Azure AD, so that they can access AWS accounts and applications.

Application assignments for SAML applications

Users in IAM Identity Center can access SAML 2.0 applications, such as Microsoft 365 and Salesforce, through application assignments without setting up a separate federation for each application.


Multi-account permissions

You can manage IAM permissions across multiple AWS accounts centrally using multi-account permissions. You can create custom permission sets and assign them to workforce identities to control access to specific accounts.

AWS access portal

The AWS access portal is a simple web portal that gives workforce users one-click access to their assigned AWS accounts and applications.

Okta Integration with AWS IAM Identity Center

Consider an organization that uses Okta Universal Directory to manage its workforce users and wants those users to access AWS resources and applications with the same identities. Okta integration with AWS IAM Identity Center synchronizes Okta identities into AWS, centrally manages controlled access to AWS accounts, and assigns those identities access to applications.

Figure 1: Integration of Okta with AWS IAM Identity Center

The following tasks need to be performed for integrating Okta with AWS IAM Identity Center:

  1. Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.
  2. In AWS IAM Identity Center, enable provisioning.
  3. In Okta, configure provisioning and assign access for users and groups.
  4. Assign User Access to AWS accounts.

Task 1: Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.

You can create an Okta account using your email id, mobile number, and country. Once the account is created, search for the AWS IAM Identity Center application in the Okta applications catalog.

On the Sign On tab, under SAML Signing Certificates, click Actions and select View IdP Metadata. Save the contents as metadata.xml on your machine.

In AWS IAM Identity Center, select Change identity source and choose External identity provider. Under Identity provider metadata, click Choose file and upload the metadata.xml file you saved in Task 1. Copy the AWS access portal sign-in URL, the IAM Identity Center Assertion Consumer Service (ACS) URL, and the IAM Identity Center issuer URL into Notepad for later reference.

In Okta, select the Sign On tab for the IAM Identity Center SAML app and click Edit. Enter the AWS IAM Identity Center SSO ACS URL and AWS IAM Identity Center SSO issuer URL values from Notepad. Select Okta username as the Application username format and click Save.


Task 2: In AWS IAM Identity Center, enable provisioning.

In IAM Identity Center, select Settings and enable the Automatic provisioning option. Copy the SCIM endpoint and access token into Notepad for later reference.

Task 3: In Okta, configure provisioning and assign access for users and groups.

In Okta, go to the IAM Identity Center app, select the Provisioning tab, and then choose Integration. Select Configure API Integration, then Enable API integration to enable provisioning. Paste the SCIM endpoint value saved in the previous step into the Base URL field and remove the trailing slash from the URL. Paste the Access Token value saved in the previous step into the API Token field. Select Test API Credentials to verify that the credentials entered are valid, and click Save.

In the Provisioning tab, under Settings, select To App, choose Edit, and then select the Enable check box for each Provisioning Feature you want to enable. Click Save.

In the IAM Identity Center app, select the Assignments tab, select Assign, and choose Assign to People. Select the Okta users, click Assign, and click Done. Similarly, select the Assignments tab, select Assign, and choose Assign to Groups. Select the Okta groups, click Assign, and click Done.

Task 4: Assign User Access to AWS accounts.

In AWS IAM Identity Center, under Multi-account permissions, select AWS accounts, select the account, and click Assign users or groups. Select the Okta user and click Next. Under Add permissions, select a Permission Set and click Submit.

In the Settings summary, click the AWS access portal URL. It navigates you to your AWS accounts; select the account to sign in.
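As an added check that is not part of the original post: once Tasks 2 and 3 are complete, the SCIM endpoint and access token copied from IAM Identity Center can be used to confirm that an Okta user was actually provisioned. The endpoint and token values below are placeholders, the SCIM endpoint is assumed to follow SCIM 2.0 (RFC 7644) for the /Users filter query and ListResponse, and the sample response is constructed.

```python
"""Verify SCIM provisioning from Okta into IAM Identity Center (Tasks 2 and 3)."""
import json
import urllib.parse
import urllib.request

# Placeholders (not from the blog post): substitute the SCIM endpoint and access
# token copied from IAM Identity Center Settings. The token is a secret; keep it
# out of source control and rotate it if it leaks.
SCIM_ENDPOINT = "https://scim.us-east-1.amazonaws.com/EXAMPLE-TENANT-ID/scim/v2/"
SCIM_TOKEN = "REPLACE_WITH_ACCESS_TOKEN"

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def normalize_base_url(url: str) -> str:
    """Return the Base URL as Okta expects it: trimmed, with no trailing slash."""
    return url.strip().rstrip("/")


def build_user_lookup(base_url: str, user_name: str) -> str:
    """Build a SCIM 2.0 /Users query that finds one user by userName."""
    query = urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})
    return f"{normalize_base_url(base_url)}/Users?{query}"


def provisioned_users(list_response: dict) -> dict[str, bool]:
    """Map userName -> active flag from a SCIM ListResponse; reject other shapes."""
    if LIST_RESPONSE_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {r["userName"]: bool(r.get("active", False))
            for r in list_response.get("Resources", [])}


def fetch_user(base_url: str, token: str, user_name: str) -> dict[str, bool]:
    """Query the live SCIM endpoint (network call) and return matching users."""
    req = urllib.request.Request(
        build_user_lookup(base_url, user_name),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return provisioned_users(json.load(resp))


# Constructed sample reply, shaped like a SCIM 2.0 ListResponse, for offline checks.
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "Resources": [{"id": "constructed-id-1", "userName": "jane.doe@example.com",
                   "active": True}],
}
```

Run `fetch_user(SCIM_ENDPOINT, SCIM_TOKEN, "<okta username>")` with real values to check a provisioned account; an empty result or an inactive flag means Okta has not pushed that user yet.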


Conclusion

Okta integration with AWS IAM Identity Center synchronizes Okta identities into IAM Identity Center, so administrators can centrally manage access to multiple AWS accounts and assign applications, while users sign in with a single username and password.



WRITTEN BY Rashmi D

Rashmi Dhumal is working as a Subject Matter Expert in the AWS Team at CloudThat, India. Being a passionate trainer, "technofreak and a quick learner", is what aptly describes her. She has immense experience of 20+ years as a technical trainer, academician, and mentor, with active involvement in curriculum development. She has trained many professionals and student graduates pan India.
