How to Automate Provisioning from Okta to IAM Identity Center

Introduction

Organizations adopt AWS Cloud to run their workloads by creating AWS accounts. Users with unique identities interact with AWS resources and applications, so each user ends up with a separate identity for every system they work with. Remembering multiple usernames and passwords for individual systems and applications is challenging, yet a user needs a username and password to connect to each application and account. “Identity Federation” links an identity in one system with another trusted system, so that users can use a single identity to connect to other systems. Identity Federation is made possible using Security Assertion Markup Language (SAML), OpenID, OAuth, and similar standards. Okta is an identity management service that provides a single sign-on experience for on-premises and cloud resources to an organization's users. This blog discusses the integration of Okta with AWS IAM Identity Center so that Okta users can access AWS accounts and SaaS applications using their own identities.

AWS IAM Identity Center

Without IAM Identity Center, an individual must log in separately to each account in different identity providers such as Active Directory, external third-party services, and AWS, each with its own username and password. AWS IAM Identity Center provides a single place to create users and groups and centrally manage their access to AWS accounts and applications. You can assign permissions to access different AWS accounts and assign applications to the users in IAM Identity Center.

Features of IAM Identity Center

IAM Identity Center includes the following features:

Workforce identities

The members of your organization are called workforce users or identities. You can create your own users in IAM Identity Center, or connect and synchronize users from identity sources such as Microsoft Active Directory and external identity providers such as Okta Universal Directory or Microsoft Azure AD, so they can access AWS accounts and applications.

Application assignments for SAML applications

Users in IAM Identity Center can access SAML 2.0 applications, such as Microsoft 365 and Salesforce, through application assignments without creating separate federations.

Multi-account permissions

You can centrally manage IAM permissions across multiple AWS accounts using multi-account permissions. You can create custom permissions and assign them to workforce identities to control access to specific accounts.

AWS access portal

The AWS access portal is a simple web portal that gives workforce users one-click access to their AWS accounts and applications.

Okta Integration with AWS IAM Identity Center

Consider an organization that uses Okta Universal Directory to manage its workforce users and wants them to access AWS resources and applications with the same identities. Integrating Okta with AWS IAM Identity Center synchronizes Okta identities into AWS, lets you centrally manage controlled access to AWS accounts, and lets you assign those identities access to applications.

Figure 1: Integration of Okta with AWS IAM Identity Center

The following tasks need to be performed for integrating Okta with AWS IAM Identity Center:

  1. Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.
  2. In AWS IAM Identity Center, enable provisioning.
  3. In Okta, configure provisioning and assign access for users and groups.
  4. Assign User Access to AWS accounts.

Task 1: Create a free tier Okta account and configure SAML 2.0 for IAM Identity Center.

You can create an Okta account using your email ID, mobile number, and country. Once the account is created, search for AWS IAM Identity Center in the applications.

On the Sign On tab, under SAML Signing Certificates, click Actions and select View IdP Metadata. Save the contents as metadata.xml on your machine.

In AWS IAM Identity Center, select Change Identity Source and choose External identity provider. Under Identity Provider Metadata, click Choose file and upload the metadata.xml file you saved in Task 1. Copy the AWS access portal sign-in URL, the IAM Identity Center Assertion Consumer Service (ACS) URL, and the IAM Identity Center issuer URL into Notepad for later reference.

In Okta, select the Sign On tab for the IAM Identity Center SAML app and click Edit. Enter the AWS IAM Identity Center SSO ACS URL and AWS IAM Identity Center SSO issuer URL values from Notepad. Select Okta username for Application username format and click Save.

Task 2: In AWS IAM Identity Center, enable provisioning.

In IAM Identity Center, select Settings. In the Automatic provisioning box, choose Enable. Copy the SCIM endpoint and access token into Notepad for later reference.

Task 3: In Okta, configure provisioning and assign access for users and groups.

In Okta, go to the IAM Identity Center app, select the Provisioning tab, and then choose Integration. Select Configure API Integration, then Enable API integration to enable provisioning. Paste the SCIM endpoint value saved in the previous step into the Base URL field and remove the trailing slash from the URL. Paste the Access Token value saved in the previous step into the API Token field. Select Test API Credentials to verify that the credentials entered are valid, and click Save.

In the Provisioning tab, under Settings, select To App, choose Edit, and then select the Enable check box for each provisioning feature you want to enable. Click Save.

In the IAM Identity Center app, select the Assignments tab, select Assign, and choose Assign to People. Select the Okta users, click Assign, and click Done. Similarly, select the Assignments tab, select Assign, and choose Assign to Groups. Select the Okta groups, click Assign, and click Done.

Task 4: Assign User Access to AWS accounts.

In AWS IAM Identity Center, under Multi-account permissions, select AWS accounts, select the account, and click Assign users or groups. Select the Okta user and click Next. Under Add permissions, select a Permission Set and click Submit.

In the Settings summary, click the AWS access portal URL. It takes you to your AWS accounts. Select the account to sign in.
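As an added example (not from the post, Okta or AWS), the following Python performs the same check that Okta's Test API Credentials button makes against the SCIM endpoint and access token from Task 2: it enforces the https and no-trailing-slash rules for the Base URL, builds a bearer-authenticated GET /Users, and reports which Okta-assigned users have not yet appeared in Identity Center. The endpoint, token and response body are constructed placeholders, and `send` is an injectable transport so the check runs without network access.

```python
"""Added example: offline-testable version of Okta's 'Test API Credentials' probe."""
import io
import json
import urllib.parse
import urllib.request
from typing import Callable, List

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def normalize_scim_base_url(url: str) -> str:
    """Okta's Base URL field needs the SCIM endpoint without a trailing slash,
    and the bearer token must only ever travel over https."""
    url = url.strip()
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"SCIM endpoint must be an https URL, got {url!r}")
    return url.rstrip("/")

def build_users_request(base_url: str, access_token: str) -> urllib.request.Request:
    """GET /Users with the access token as a bearer credential (SCIM 2.0)."""
    return urllib.request.Request(
        normalize_scim_base_url(base_url) + "/Users",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/scim+json"})

def parse_list_response(body: bytes) -> List[str]:
    """Return the userNames in a SCIM ListResponse. userName carries the Okta
    username because the app's Application username format is 'Okta username'."""
    doc = json.loads(body)
    if SCIM_LIST not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse: wrong endpoint or token")
    return [r["userName"] for r in doc.get("Resources", [])]

def missing_users(base_url: str, access_token: str, expected: List[str],
                  send: Callable = urllib.request.urlopen) -> List[str]:
    """List Okta-assigned users not yet provisioned into Identity Center.
    `send` is injectable so the check can run without network access."""
    with send(build_users_request(base_url, access_token)) as resp:
        present = set(parse_list_response(resp.read()))
    return [u for u in expected if u not in present]

# Constructed sample of a SCIM ListResponse (not captured from a real tenant).
SAMPLE_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST], "totalResults": 1,
    "Resources": [{"userName": "alice@example.com", "active": True}],
}).encode()

def fake_send(_request):
    """Stand-in for urlopen that returns the constructed sample."""
    return io.BytesIO(SAMPLE_RESPONSE)
```

Replace `fake_send` with the default `urllib.request.urlopen` and the placeholder endpoint and token with the values saved from Task 2 to run it against a real tenant.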

Conclusion

Integrating Okta with AWS IAM Identity Center synchronizes Okta identities into IAM Identity Center, so you can centrally manage access to multiple AWS accounts and assign applications that users access with a single username and password.

WRITTEN BY Rashmi D

Rashmi Dhumal is working as a Subject Matter Expert in the AWS Team at CloudThat, India. Being a passionate trainer, “technofreak and a quick learner”, is what aptly describes her. She has immense experience of 20+ years as a technical trainer, academician, and mentor, with active involvement in curriculum development. She has trained many professionals and student graduates pan India.
