In this lab we will walk through how to deploy Okta with AWS Control Tower using IAM federation. We will use AWS CloudFormation StackSets to deploy IAM roles (Admin, PowerUser, ReadOnly) and register Okta as an identity provider in each enrolled account.
INFO: Depending on when you signed up for Okta (developer or enterprise version), your Okta admin console might look slightly different from the screenshots provided.
In this section we are going to set up the integration app in Okta for AWS. First we need to create an AWS Account Federation integration app.
1.2 Select Applications then Add Application
1.3 Search for AWS Account Federation and select Add
1.4 On the Okta App General Settings section, set the Application label to: AWS Control Tower IAM Federation
1.5 On the Okta App Sign-On Options section, write down the Identity Provider metadata URL value, as you will need it in the next section.
The Identity Provider metadata URL should be in a format like:
https://[your okta id].okta.com/app/[random id]/sso/saml/metadata?isNewAppInstanceSetup=true
1.6 Don't close this browser tab; you will return to it later.
INFO: The template used in this lab is based on the Landing Zone add-on for Okta.
In this section, we will launch the CloudFormation StackSet using the Identity Provider metadata URL that we set up earlier.
2.1 Open this CloudFormation template (aws-okta-integration.template) in a new tab and save it to your local computer.
2.2 Sign in to the AWS Control Tower management account using the Administrator role.
2.3 Ensure your AWS console is in the home region where AWS Control Tower is deployed.
2.4 Navigate to CloudFormation StackSets using this quick link, select Upload a template file, and choose the file that you downloaded earlier in step 2.1
2.5 Select Next
2.6 Enter a StackSet name, for example
2.7 On the Parameters section, fill in the following parameters:
Identity Provider metadata URL (from step 1.5)
2.8 Click Next
2.9 On the Permissions section:
IMPORTANT: double-check the values that you enter in step 2.9 to ensure a successful deployment.
2.10 Click Next
2.11 On the Accounts section:
2.12 On the Specify regions section:
2.13 Click Next
2.14 On the Review section:
2.15 Refresh the AWS CloudFormation StackSet console and wait until the operation has completed and all StackSet instances have deployed successfully.
TIP: When integrating with a third-party IdP, it is good practice to keep AWS SSO available for break-glass scenarios. For example, access can be restricted to the Infosec team only and quickly expanded to others when needed. Unlike other IdPs, AWS SSO can dynamically generate IAM policies in all accounts of the Organization without going through StackSet deployments.
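After the StackSet reports success, it is worth checking that each deployed role's trust policy lets only the Okta SAML provider registered in that same account assume it, and only with an assertion addressed to AWS. The Python below is an added example, not code from the lab or from the Landing Zone add-on template: the provider name "Okta", the account ids and the two sample trust policies are constructed placeholders, and `check_saml_trust_policy` is a hypothetical helper, not something the template ships.

```python
"""Added example: check the trust policy of a SAML-federated IAM role.

This code is not part of the lab or of the Landing Zone add-on template.
It assumes (hypothetically) that the StackSet registers Okta as an IAM
saml-provider and that each deployed role trusts that provider; the
provider name "Okta" and the account ids used below are placeholders.
"""
import json
import re

SAML_ACTION = "sts:AssumeRoleWithSAML"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    """ARN of an IAM SAML identity provider registered in account_id."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_saml_trust_policy(idp_arn: str) -> dict:
    """Trust policy a federated role should carry: only the named SAML
    provider may call AssumeRoleWithSAML, and only with assertions whose
    audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": idp_arn},
            "Action": SAML_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    """IAM policy documents allow a bare string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy, expected_idp_arn: str) -> list:
    """Return findings for a trust policy (JSON string or dict).

    An empty list means every Allow statement that grants SAML assumption
    names exactly the expected provider, only that action, and pins the
    SAML audience. A role that fails these checks could be assumed via a
    provider in another account or with an assertion meant for a
    different service provider.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    saw_saml = False
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in (SAML_ACTION, "sts:*", "*") for a in actions):
            continue  # this statement does not grant SAML assumption
        saw_saml = True
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            if any(k != "Federated" for k in principal):
                findings.append(f"statement {n}: non-Federated principal key present")
            federated = _as_list(principal.get("Federated", []))
        else:
            findings.append(f"statement {n}: principal {principal!r} is not a Federated principal")
            federated = []
        if federated != [expected_idp_arn]:
            findings.append(f"statement {n}: Federated principal {federated} != [{expected_idp_arn!r}]")
        if actions != [SAML_ACTION]:
            findings.append(f"statement {n}: actions {actions} are broader than {SAML_ACTION}")
        aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud", []))
        if aud != [AWS_SAML_AUDIENCE]:
            findings.append(f"statement {n}: SAML:aud is not pinned to {AWS_SAML_AUDIENCE}")
    if not saw_saml:
        findings.append(f"no statement grants {SAML_ACTION}")
    return findings


# Constructed sample input (not from the lab): the policy a role in linked
# account 111111111111 should have, and a broken one that trusts a provider
# in a different account, over-grants actions and omits the SAML:aud pin.
EXPECTED_IDP_ARN = saml_provider_arn("111111111111", "Okta")
GOOD_POLICY = json.dumps(build_saml_trust_policy(EXPECTED_IDP_ARN))
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::222222222222:saml-provider/Okta"},
        "Action": ["sts:AssumeRoleWithSAML", "sts:AssumeRole"],
    }],
})

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        findings = check_saml_trust_policy(doc, EXPECTED_IDP_ARN)
        print(label, "OK" if not findings else findings)
```

Feed it the AssumeRolePolicyDocument returned by `aws iam get-role --role-name <name>` in each linked account, with the expected ARN built from that account's id; any finding means something other than the intended IdP, or an assertion issued for another audience, could assume the role.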
In the previous steps, you deployed an AWS CloudFormation StackSet that creates the IAM user OktaSSOUser in the Audit account. In this section you will generate an access key and secret key to allow Okta to programmatically access the Audit account.
3.1 Sign in to the AWS Control Tower Audit account using the Administrator role. (Tip: use the AWS SSO portal.)
3.2 Navigate to the IAM console using this quick link
3.3 Select Users from the sidebar
3.4 Select the IAM user OktaSSOUser
3.5 Select Security credentials tab
3.6 Click Create access key
3.7 Write down the AccessKey and SecretKey values in secure temporary notes.
Warning: keep this information secure and treat it like a regular password. This is a long-lived credential, so delete the temporary notes once the values have been entered in Okta.
In this section, we will complete the setup in the Okta portal by entering the credentials from the previous section.
4.1 Return to your Okta tab
4.2 On the Okta app AWS Control Tower IAM Federation screen, select the Sign On tab and select Edit
4.3 On Advanced Sign-on Settings, enter the Audit account IdP ARN, where [audit account_id] is the Audit account you selected for identity management.
4.5 On the Okta app AWS Control Tower IAM Federation screen, select the Provisioning tab, then select Integration from the sidebar and enter the following:
AccessKey value from step 3.7
SecretKey value from step 3.7
4.6 Still on the Provisioning tab, two new sidebar entries should now appear.
4.7 Select To App from the sidebar.
In this section we will create a test user in Okta and assign the user to the AWS Control Tower IAM Federation Okta app.
5.1 Return to your Okta admin console (https://developer.okta.com/login/)
5.2 From the sidebar, select Directory and select People, then select Add person
5.3 From the sidebar, select Applications, and then select the AWS Control Tower IAM Federation Okta app.
In this section, you will log in as a regular (non-admin) Okta user and use the provided Okta app to log in to AWS.
6.1 Log in to the Okta console as a regular user
6.2 Select the AWS Control Tower IAM Federation Okta app
6.3 Select the AWS account and IAM role you want to assume to access the AWS Console
Congratulations, you have completed the IAM Federation labs for Okta!
There is nothing here that incurs charges, but you can:
Copyright 2021, Amazon Web Services, All Rights Reserved.