In this lab we will walk through how to deploy Okta with AWS Control Tower. We will be effectively deploying the landing zone v2.x Okta customization manually using StackSets.


  1. This lab requires an account with Administrator privileges and Control Tower.
  2. This lab assumes you already have an Okta account. If you don't, you can sign up for a free account for AWS console access at https://www.okta.com/aws



1. Add a new Amazon Web Services Application on the Okta console

1.1) Log in to Okta as an administrator and click [Admin] at the upper right of the console

1.2) Select Applications then [Add Application]

1.3) Select Add Amazon Web Services Application

2.1) You can find, customize, and copy your AWS account sign-in URL from the Dashboard of your IAM Console.

Expected format: https://[account_id].signin.aws.amazon.com/console, or, if you have customized the sign-in alias, https://[alias].signin.aws.amazon.com/console

[optional] You can also customize your alias, but it must be globally unique.

2.2) Set the AWS Login URL to your Okta’s Account sign-in link and click [Next].



3. Define the Okta Sign-On Method

3.1) Select SAML 2.0 as the Sign-On Method

3.2) Write down the link shown under "Identity Provider Metadata" and click [Done]

Ignore any query string that follows "metadata" at the end of the link.

It is a publicly accessible URL and YOU WILL NEED THAT URL LATER (Step 4.5)

4. Deploy Okta within AWS Control Tower

[INFORMATION ONLY] This is based on the Landing Zone add-on for Okta.

It was refactored because the Okta add-on is not publicly available.

4.1) Download the CloudFormation template aws-okta-integration.template


Modify the aws-okta-integration.template as stated below:

[~ line 26] Search for OktaIDP and change the value to aliasOktaIDP (your alias followed by OktaIDP) to avoid collisions in the shared account. This has only been tested with 8 characters, so use more at your own risk.

[~ line 337] Modify the OktaUser Username OktaSSOUser to aliasOktaSSOUser

Only one participant must run the template as-is so that the Okta cross-account role is created in the identity account (most likely the Audit account); ask the lab leader.

[~ line 84] Add the condition CreateOktaCrossAccountRole: !Not [!Condition 'CreateOktaUser'] to the end of the Conditions section

Add the statement Condition: CreateOktaCrossAccountRole to the OktaListRolesRole resource.

4.2) Go to the CloudFormation StackSet console in the Master account and click [Create StackSet]

4.3) Select Upload a template to Amazon S3 and select the aws-okta-integration.template

4.4) Give the StackSet a descriptive name such as OktaIntegration.

If using a shared account, prefix it with your alias, e.g. myaliasOktaIntegration

4.5) Enter the Okta Identity Provider Metadata URL you copied from your Okta application configuration in Step 3

4.6) Change the pre-populated role names.
This is OPTIONAL unless you use a SHARED account.
IF YOU ARE USING A SHARED ACCOUNT, you will need to make these unique by adding your ALIAS to each role name. To prevent role clashes with a forthcoming lab, you can also add the lab number to your prefix. Example: alias05

4.7) Enter the account number of the Audit account for the Identity Account.

4.8) Click [Next] (twice)


4.9) Specify the Admin and Execution Roles, and click [Next]

Select AWSControlTowerStackSetRole from the list under IAM Admin Role ARN.

Type AWSControlTowerExecution for IAM Execution Role Name and click on Next

4.10) Specify the Accounts and Region to deploy into, and click [Next]

Include the Audit account (or whatever Identity Account you picked) and decide on your own whether you also want to deploy stacks in:

  • Accounts
  • Organizational Units (OUs)
  • or a CSV list of valid accounts.

These are the accounts that you will configure to allow Okta access to.

IF YOU ARE USING A SHARED ACCOUNT, then deploy only into the Audit account and your Account Factory account.

4.11) Review, Acknowledge the IAM box, and [Submit]

4.12) Wait for all of the instances to be created successfully.
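The console wizard in Steps 4.2 to 4.12 is a sequence of choices that are easy to get subtly wrong in a shared account (alias prefixes, the stripped metadata URL, the Control Tower roles). The script below is an added example, not part of the lab or of aws-okta-integration.template, that derives those inputs from the lab choices and produces the arguments you would hand to the CloudFormation StackSet API. The parameter keys OktaMetadataUrl, IdentityAccountId, IdpName, SsoUserName and RoleNamePrefix are hypothetical stand-ins for whatever the template's Parameters section actually declares; the account ids and Okta app id are constructed placeholders.

```python
"""Derive the OktaIntegration StackSet inputs from the lab choices (Steps 4.1 to 4.12).

Added example; it is not part of the lab or of aws-okta-integration.template.
The parameter keys below (OktaMetadataUrl, IdentityAccountId, IdpName,
SsoUserName, RoleNamePrefix) are hypothetical stand-ins: read the Parameters
section of the real template and rename them before use.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# The lab has only tested aliases of up to 8 characters; longer ones are rejected here.
ALIAS_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")

# Resource names the template creates (from the lab text). In a shared account
# they must be prefixed with the participant alias to avoid collisions.
IDP_NAME = "OktaIDP"
SSO_USER_NAME = "OktaSSOUser"
STACKSET_NAME = "OktaIntegration"


def strip_query(metadata_url: str) -> str:
    """Return the Okta IdP metadata URL without its query string (Step 3.2).

    Assumes the path ends in /metadata, as the lab text implies. https only:
    the template fetches this public document and trusts what it contains.
    """
    parts = urlsplit(metadata_url)
    if parts.scheme != "https" or not parts.path.endswith("/metadata"):
        raise ValueError(f"not an Okta IdP metadata URL: {metadata_url}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def prefixed(name: str, alias: Optional[str]) -> str:
    """Prefix a resource name with the alias when a shared account is used."""
    if alias is None:
        return name
    if not ALIAS_RE.match(alias):
        raise ValueError("alias must be 1-8 alphanumeric characters")
    return f"{alias}{name}"


def stackset_request(*, master_account: str, identity_account: str, metadata_url: str,
                     template_body: str, alias: Optional[str] = None,
                     lab_number: str = "") -> dict:
    """Keyword arguments for boto3 cloudformation.create_stack_set() (Steps 4.2 to 4.9)."""
    for acct in (master_account, identity_account):
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"invalid AWS account id: {acct}")
    params = {
        "OktaMetadataUrl": strip_query(metadata_url),      # Step 4.5
        "IdentityAccountId": identity_account,             # Step 4.7 (Audit account)
        "IdpName": prefixed(IDP_NAME, alias),              # Step 4.1, ~line 26
        "SsoUserName": prefixed(SSO_USER_NAME, alias),     # Step 4.1, ~line 337
        "RoleNamePrefix": (alias or "") + lab_number,      # Step 4.6, e.g. alias05
    }
    return {
        "StackSetName": prefixed(STACKSET_NAME, alias),    # Step 4.4
        "TemplateBody": template_body,
        "Parameters": [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()],
        # The template creates named IAM resources, hence the acknowledgement in Step 4.11.
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        # Step 4.9: Control Tower's StackSet roles. The /service-role/ path is the
        # one Control Tower uses when it creates AWSControlTowerStackSetRole.
        "AdministrationRoleARN":
            f"arn:aws:iam::{master_account}:role/service-role/AWSControlTowerStackSetRole",
        "ExecutionRoleName": "AWSControlTowerExecution",
    }


def stack_instances_request(stackset_name: str, identity_account: str,
                            accounts: list, region: str) -> dict:
    """Keyword arguments for create_stack_instances() (Step 4.10).

    The identity account is always included, duplicates are dropped, and the
    operation runs one account at a time so a broken template stops early.
    """
    targets = list(dict.fromkeys([identity_account, *accounts]))
    for acct in targets:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"invalid AWS account id: {acct}")
    return {
        "StackSetName": stackset_name,
        "Accounts": targets,
        "Regions": [region],
        "OperationPreferences": {"FailureToleranceCount": 0, "MaxConcurrentCount": 1},
    }


if __name__ == "__main__":
    # Constructed sample values: account ids and the Okta app id are placeholders.
    req = stackset_request(
        master_account="111111111111", identity_account="222222222222",
        metadata_url="https://egglz4ct.okta.com/app/exkEXAMPLE/sso/saml/metadata?format=xml",
        template_body="<contents of aws-okta-integration.template>",
        alias="jdoe", lab_number="05")
    print(json.dumps(req, indent=2))
    print(json.dumps(stack_instances_request(req["StackSetName"], "222222222222",
                                             ["333333333333"], "us-east-1"), indent=2))
```

Run from the Master account, the two dicts go straight to boto3: `cloudformation.create_stack_set(**req)` followed by `cloudformation.create_stack_instances(**inst)`, which is what the console wizard does behind the scenes. Rejecting an alias longer than 8 characters and a metadata URL that is not https are the two checks worth keeping even if you drop the rest.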


TIP: When integrating with a third-party IdP, it is good practice to keep AWS SSO available for break-glass scenarios. For example, access can be restricted to the Infosec team but quickly expanded to others. Unlike other IdPs, AWS SSO can dynamically generate IAM policies in all accounts of the Organization without going through StackSet deployments.

4.13) Create user keys for the OktaSSOUser in the Audit account you selected for Identity Management

a) Check for the IAM user OktaSSOUser (if using a SHARED account, aliasOktaSSOUser).

b) Create an access key and write down the Access Key ID and Secret Access Key for the user

5. Complete Okta Application configuration

5.1) Add the Identity Provider ARN on the Okta Amazon Web Services Sign-On console

Format is arn:aws:iam::[account_id]:saml-provider/OktaIDP where [account_id] is the Audit account you selected for Identity management.

If using a SHARED account, add your alias to OktaIDP, i.e. aliasOktaIDP.

TIP: You can look up your IdP ARN in your Audit account under IAM Console > Identity providers

5.2) Configure the API Integration with the OktaSSOUser

5.3) Enable user creation

5.4) OPTIONAL: Create more users

5.5) Assign proper roles to users
Go back to Application > User Assignment and assign roles to your selected user

6. Login to Okta

6.1) Log in to the Okta console as a regular user
Use a different user and the same login portal URI. Example: https://egglz4ct.okta.com/
Click on the AWS Application

6.2) Select the Account and Role you want to assume and access the AWS Console

Exploring the Solution

Deleting AWS resources deployed in this lab

There is nothing that incurs charges, but you can:

  1. Delete the stacks deployed from the OktaIntegration StackSet
  2. Delete the StackSet OktaIntegration itself
  3. Delete the application and users created in the Okta portal


Copyright 2019, Amazon Web Services, All Rights Reserved.