How to Automate Provisioning from Okta to IAM Identity Center

Introduction

Organizations adopting the AWS Cloud run their workloads across AWS accounts, and users with unique identities interact with the AWS resources and applications in them. Without federation, each user needs a separate identity for each system, and remembering multiple usernames and passwords for individual systems and applications is challenging. Users want one username and password to connect to different applications and accounts. “Identity Federation” links an identity in one system with another trusted system so that users can use a single identity to connect to other systems. Identity Federation is made possible by standards such as Security Assertion Markup Language (SAML), OpenID, and OAuth. Okta is an identity management service that can provide a single sign-on experience for on-premises and cloud resources to an organization's users. This blog discusses the integration of Okta with AWS IAM Identity Center so that Okta users can access AWS accounts and SaaS applications using their own identities.

AWS IAM Identity Center

Without IAM Identity Center, an individual must log in separately, with a corresponding username and password, to each account in different identity providers such as Active Directory, external third-party services, and AWS. AWS IAM Identity Center provides a single place to create users and groups and centrally manage their access to AWS accounts and applications. You can assign permissions to access different AWS accounts and assign applications to the users in IAM Identity Center.

Features of IAM Identity Center

IAM Identity Center includes the following features:

Workforce identities

The members in your organization are called workforce users or identities. You can create your own users in IAM Identity Center or connect and synchronize your own users in identity sources like Microsoft Active Directory and external identity providers like Okta Universal Directory or Microsoft Azure AD to access AWS accounts and applications.

Application assignments for SAML applications

Users in IAM Identity Center can access SAML 2.0 applications, such as Microsoft 365 and Salesforce, using application assignments without creating separate federations.

Multi-account permissions

You can implement IAM permissions across multiple AWS accounts centrally using multi-account permissions. You can create custom permissions and assign them to workforce identities to control access to specific accounts.

AWS access portal

The AWS access portal is a simple web portal that gives workforce users one-click access to their AWS accounts and applications.

Okta Integration with AWS IAM Identity Center

Consider an organization that uses Okta Universal Directory to manage its workforce users and wants them to access AWS resources and applications using the same identities. Integrating Okta with AWS IAM Identity Center lets the organization synchronize Okta identities with AWS, centrally manage controlled access to AWS accounts, and assign users access to applications.

Figure 1: Integration of Okta with AWS IAM Identity Center

The following tasks need to be performed for integrating Okta with AWS IAM Identity Center:

  1. Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.
  2. In AWS IAM Identity Center, enable provisioning.
  3. In Okta, configure provisioning and assign access for users and groups.
  4. Assign User Access to AWS accounts.

Task 1: Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.

You can create an Okta account using your email id, mobile number, and country. Once an account is created, you can search for AWS IAM Identity Center in the applications.

On the Sign On tab, under SAML Signing Certificates, click Actions and select View IdP Metadata. Save the contents as metadata.xml on your machine.

In AWS IAM Identity Center, select Change Identity Source and choose external identity provider. In Identity Provider Metadata, click Choose file and upload the metadata.xml file you saved earlier in Task 1. Copy the AWS access portal sign-in URL, IAM Identity Center Assertion Consumer Service (ACS) URL, and IAM Identity Center issuer URL into Notepad for further reference.

In Okta, select the Sign On tab for the IAM Identity Center SAML app and click Edit. Enter your AWS IAM Identity Center SSO ACS URL and AWS IAM Identity Center SSO issuer URL values from Notepad. Select Okta username for Application username format and click on Save.

Task 2: In AWS IAM Identity Center, enable provisioning.

In IAM Identity Center, select Settings and enable the Automatic provisioning box. Copy the SCIM endpoint and access token into Notepad for further reference.

Task 3: In Okta, configure provisioning and assign access for users and groups.

In Okta, go to the IAM Identity Center app, select the Provisioning tab, and then choose Integration. Select Configure API Integration, then Enable API integration to enable provisioning. Paste the SCIM endpoint value saved in the previous step into the Base URL field and remove the trailing slash from the URL. Then paste the Access Token value saved in the earlier step into the API Token field. Select Test API Credentials to verify that the credentials entered are valid, and click Save.

In the Provisioning tab, under Settings, select To App, choose Edit, and then select the Enable check box for each Provisioning Feature you want to enable. Click on Save.

In the IAM Identity Center app, select the Assignments tab, select Assign and choose Assign to People. Select Okta users, click on Assign and click on Done. Similarly, select the Assignments tab, select Assign and choose Assign to groups. Select Okta groups, click on Assign and click on Done.
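The SCIM access token copied in Task 2 is a bearer credential: anyone holding it can call the provisioning endpoint. As an added example (not part of the original post), the script below performs the same kind of check as Test API Credentials while reading the token from the environment rather than a text file. It assumes the endpoint path ends in /scim/v2 and that the endpoint answers GET ServiceProviderConfig; the environment variable names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse


def normalize_base_url(raw):
    """Strip whitespace and trailing slashes; require HTTPS and a /scim/v2 path."""
    url = raw.strip().rstrip("/")
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM endpoint must be an https:// URL")
    if not parts.path.endswith("/scim/v2"):  # assumed endpoint shape
        raise ValueError("expected the endpoint path to end in /scim/v2")
    return url


def build_request(base_url, token, resource="ServiceProviderConfig"):
    """Build (without sending) an authenticated SCIM GET request."""
    if not token or token != token.strip():
        raise ValueError("token is empty or carries whitespace from copy/paste")
    return urllib.request.Request(
        f"{normalize_base_url(base_url)}/{resource}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"})


def check_credentials(base_url, token, opener=urllib.request.urlopen):
    """True if the endpoint answers 200 with a JSON object; False on 401/403."""
    try:
        with opener(build_request(base_url, token), timeout=10) as resp:
            return resp.status == 200 and isinstance(json.load(resp), dict)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False  # token rejected: expired, revoked or mistyped
        raise


if __name__ == "__main__":
    # Hypothetical variable names; set them in the shell, not in a text file.
    ok = check_credentials(os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"])
    print("SCIM credentials accepted" if ok else "SCIM credentials rejected")
```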

Task 4: Assign User Access to AWS accounts.

In AWS IAM Identity Center, under Multi-account permissions, select AWS accounts, select the account, and click Assign users or groups. Select the Okta user and click Next. In Add permissions, select the Permission Set and click Submit.

In the Settings summary, click the AWS access portal URL. It takes you to your AWS accounts. Select the account to sign in.

Conclusion

Integrating Okta with AWS IAM Identity Center synchronizes Okta identities with IAM Identity Center, so you can centrally manage access to multiple AWS accounts and assign applications, with users signing in using a single username and password.

WRITTEN BY Rashmi D
