Okta

Single Sign On - Okta

Overview

In this lab we will walk through how to integrate Okta with Control Tower. We’ll be leveraging the external identity provider capabilities of the AWS Single Sign On service and enabling automated account provisioning. Whilst roles and rights will be managed by the permissions sets feature.

Prerequisites

  • This lab requires an account with Administrator privileges and Control Tower.
  • We will be utilizing an Okta Developer free account to create our Okta instance and test users for this lab. Sign up for an account here https://developer.okta.com/signup/
  • You’ll want to have picked out an alias (the mailbox/username) and realm (the 2nd order a domain for .local), try to select a lowercase alpha-numberics

AWS SSO - Service Provider Metadata

In this section we are going to configure AWS SSO to use Okta as an External Identity Provider.

  • On the AWS SSO Dashboard click the Choose your identity source link.
  • In the Identity Source section, in the row Identity Source, click the Change link.
  • Select External Identity Provider
  • in the Service provider metadata section click Show individual metadata values
  • Leave this browser tab open, and open a new tab to access your Okta Console

Okta - Create an Amazon Web Services (AWS) App

https://developer.okta.com/docs/guides/saml-application-setup/overview/ First we need to create an Amazon Web Services (AWS) integration app.

  • Sign in to the Okta console (if you don’t have one, Sign up here)
  • On the very top of the screen if it shows Developer Console, change this to Classic UI
  • Click Applications on the toolbar and then Applications
  • Click Add Application, then click into the Search text field and type “AWS Single Sign-on”
  • Click on the app AWS Single Sign-on, click Add
  • General Settings
    • App name : AWS : Your Organization
    • Check Do not display application icon in the Okta Mobile app
    • Click Done

  • Click Sign On You’ll need to copy and paste the following fields from the tab you left open on the AWS SSO - Identity Provider Metadata console,

  • click Edit to get started

    • Single sign on URL : AWS SSO ACS URL
    • check Use this for Recipient URL and Destination URL
    • uncheck Allow this app to request other SSO URLs
    • Audience URI (SP Entity ID) : AWS SSO issuer URL
    • Default RelayState : leave blank
    • Name ID format : EmailAddress
    • Application username : Okta username
    • Click Finish

  • Still on the Sign On page of the App,

    • Click the link Identity Provider metadata
    • save the xml it displays as okta-idp.xml on your computer, close the browser tab displaying the metadata.

  • Leave this browser tab open

AWS SSO - Change Identity Provider

In this section we are going to upload the details of our Okta Identity Provider.

  • Switch back to the browser tab On the AWS SSO - Identity provider metadata
    • Click Browse and select the okta-idp.xml document you saved above
  • Click Next: Review
  • Review and confirm
    • Review the information provided
    • Type CONFIRM in the field at the bottom
    • click Change Identity source
    • Once the reconfiguration has completed click Return to settings

AWS SSO - Automated Provisioning

This is an optional setup although highly recommend for managing users at scale.

  • Click on the link Enable automatic provisioning
  • You’ll need to copy and paste the following fields into the Provisioning form on the tab you left open on the Okta AWS SSO - SCIM 2.0 (OAuth Bearer Token) console,

if you receive an error please delete the trailing ‘/’ from the SCIM 2.0 Base Url.

Okta - Automated Provisioning

Still within the AWS Single Sign On app, click Provisioning

  • On the Provisioning page
    • Click Configure API Integration
    • check enable API integration
    • enter the parameters from the AWS SSO page
      • SCIM 2.0 Base Url : SCIM endpoint
      • OAuth Bearer Token : Access token
    • Click Test API Credentials if you get an error:

Then remove the trailing ‘/’ from the Base URL, and try again. * Click Save

  • Click To App in the lefthand menu
    • click Edit
    • check Create Users
    • check Update User Attributes
    • check Deactivate Users
    • click Save

  • Click on Push Groups
  • Click on + Push Groups then Find Groups by Rule
    • Rule name : AWS Groups
    • Group name : starts with : realmAWS
    • check Immediately push groups found by this rule
    • Click Create Rule

Okta - Assign the Apps to the Group of Users

First we need to create a group, to represent users that should have access the AWS app in Okta

  • On the Okta console (on the top ribbon), click Directory - Groups

  • Click Add Group

  • Add Group

    • Name : AWS Users
    • Group Description : All Users that should have access to the AWS app.
    • Click Add Group

  • Click on the Group AWS Users in the list

    • Click Manage Apps
    • On the App AWS : Your Organization Click Assign
      • This is the app users will launch into the AWS Console
    • Click Save and go back
    • Click Done

Okta - Create a Group

Earlier we created a rule to push Groups to AWS SSO that had the prefix realmAWS now let create such a group and check this happens. We going to create a group to represent out Financial Operations team members, who should have permissions to access billing information on our Organizations master payer.

  • In the Okta console (on the top ribbon), click Directory then Groups
  • Click Add Group
  • Add Group
    • Name : realmAWSFinOpsUsers
    • Group Description : Cross Account Financial Operations Users.
  • Click Add Group
  • Open the AWS : Your Organization app and click on the Push Groups tab
  • We should see realmAWSFinOpsUsers listed and marked as Active
  • Switch to the browser tab On the AWS SSO
  • In the left panel, click Groups, you should see realmAWSFinOpsUsers listed with No users

AWS SSO - Assign Permission Sets

We’ll now create a permission with appropriate rights for the Financial Operations Team.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click AWS accounts, and then the Permission sets tab
  • Click Create permission set
  • Create new permission set
    • select Use an existing job function policy
    • Click Billing and click Create
  • Click on Billing in the list of permission sets
  • Billing - Permissions tab

AWS SSO - Assign Users

We now need to add the group of users represented by the group (from Okta) realmAWSFinOpsUsers with the permission set Billing to the master payer account.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click AWS accounts, and then the AWS Organization tab
  • Click Root
  • Check your master account and click Assign users
  • Assign Users
    • Click the Groups tab
    • Check realmAWSFinOpsUsers
    • Click Next: Permission sets
  • Select permission sets
    • check Billing
    • Click Finish
  • Complete
    • Click Proceed to AWS accounts

Okta - Create a user

In this section, you’ll create a test user in the Okta portal.

  • Switch to the browser tab on the Okta console
  • In the Okta console (on the top ribbon), click Directory then People
  • Click Add Person
  • Add Person
    • User type : User
    • First name : your first name
    • Last name : your last name
    • Primary email : alias@realm.local
    • Groups :
      • start typing realmAWS and click Add next to realmAWSFinOpsUsers
      • start typing AWS *and click Add next to AWS Users
    • Password : Set by admin
    • enter a password
    • uncheck User must change password on first login
    • Click Save
  • Switch to the browser tab On the AWS SSO
  • In the left panel, click Users,
    • In the list of users you should now see the account we created above
    • Click on the Display nameyour first name your last name” with Username of alias@realm.local
    • you should see that the user was
      • Created By : SCIM

Explore as our FinOps User

Now we can see what the experience we’ve configured for our test user.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click Dashboard,
  • Copy the User portal URL:
  • Open a browser window in Private or incognito mode and paste the user portal URL in to the address bar.
  • Browser should redirect you to your Okta log in page,
    • username : alias@realm.local
    • password : the one your created above
    • you may be asked to provide additional security questions based on you okta configuration
  • Once successfully logged in you should be return to the AWS Single Sign-On start page
  • Click on AWS Account (1)
    • Click on the name of your master account
    • On the line Billing click the link Management Console
    • A new tab should open and display the Billing & Cost Management Dashboard for your organization.

Deleting AWS resources deployed in this lab

In the Master account:

  • In the AWS SSO Dashboard
    • In the Identity Source section, in the row Identity Source, click the Change link.
    • Change identity source
      • Select AWS SSO,
      • click Next: Review
    • Review and confirm
      • Review the information provided
      • Type CONFIRM in the field at the bottom
      • click Change Identity source
    • Once the reconfiguration has completed click Return to settings
  • In the Okta console,
    • delete the app: AWS : Your Organization
    • delete the user:
      • alias@realm.local
    • delete the groups:
      • aliasAWSFinOpsUsers
      • AWS Users
  • Close the Okta account [optional]

Copyright 2020, Amazon Web Services, All Rights Reserved.