Single Sign On - Okta
Overview
In this lab we will walk through how to integrate Okta with Control Tower. We’ll leverage the external identity provider capability of the AWS Single Sign-On service, enable automated account provisioning over SCIM, and manage roles and rights with the permission sets feature.
Prerequisites
- This lab requires Administrator privileges in the master account of an organization where Control Tower has been set up.
- We will be utilizing an Okta Developer free account to create our Okta instance and test users for this lab. Sign up for an account here https://developer.okta.com/signup/
- You’ll want to have picked out an alias (the mailbox/username) and a realm (the second-level label of a .local domain); together they form the test user’s email address, <alias>@<realm>.local. Use lowercase alphanumeric characters for both.
AWS SSO - Choose your identity source
In this section we are going to configure AWS SSO to use Okta as an external identity provider.

- On the AWS SSO Dashboard click the Choose your identity source link.
- In the Identity Source section, in the row Identity Source, click the Change link.
- Select External Identity Provider
- In the Service provider metadata section click Show individual metadata values
- Leave this browser tab open, and open a new tab to access your Okta Console
Okta - Create an Amazon Web Services (AWS) App
https://developer.okta.com/docs/guides/saml-application-setup/overview/
First we need to create an Amazon Web Services (AWS) integration app.

- Sign in to the Okta console (if you don’t have one, Sign up here)
- On the very top of the screen if it shows Developer Console, change this to Classic UI
- Click Applications on the toolbar and then Applications
- Click Add Application, then click into the Search text field and type “AWS Single Sign-on”
- Click on the app AWS Single Sign-on, click Add
- General Settings
- App name : AWS : <Your Organization>
- Check Do not display application icon in the Okta Mobile app
- Click Done
Click Sign On
You’ll need to copy and paste the following fields from the AWS SSO - Identity provider metadata tab you left open. Click Edit to get started.
- Single sign on URL : <AWS SSO ACS URL>
- check Use this for Recipient URL and Destination URL
- uncheck Allow this app to request other SSO URLs (with this unchecked, Okta only posts assertions to the ACS URL configured here, never to one named in an incoming request)
- Audience URI (SP Entity ID) : <AWS SSO issuer URL>
- Default RelayState : leave blank
- Name ID format : EmailAddress
- Application username : Okta username
- Click Finish
Still on the Sign On page of the app,
- Click the link Identity Provider metadata
- Save the XML it displays as okta-idp.xml on your computer, then close the browser tab displaying the metadata.
Leave the Okta app tab open.
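Before uploading okta-idp.xml it is worth checking what it actually contains, because AWS SSO will trust whatever signing certificate and sign-on URL are in that file. The script below is an added example, not part of the original lab or of Okta’s or AWS’s tooling: it parses IdP metadata in the shape Okta produces, reports the issuer (entityID), the HTTP-POST sign-on URL and the SHA-256 fingerprint of each signing certificate (compare that against the certificate shown on the Okta Sign On tab), and flags common problems such as a missing signing certificate or a non-HTTPS sign-on URL. The embedded sample metadata, its exkEXAMPLE identifiers, the dev-000000 tenant and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SAML 2.0 metadata and XML-Signature namespaces
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass
class IdpMetadata:
    entity_id: str                     # the IdP issuer AWS SSO will expect in assertions
    sso_url: str                       # HTTP-POST SingleSignOnService location
    signing_fingerprints: list = field(default_factory=list)  # SHA-256 per signing cert
    nameid_formats: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def fingerprint_sha256(cert_b64: str) -> str:
    """SHA-256 fingerprint (upper case, colon separated) of a base64 DER certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    meta = IdpMetadata(entity_id=root.get("entityID", ""), sso_url="")
    if not meta.entity_id:
        meta.problems.append("entityID missing")

    # AWS SSO consumes the HTTP-POST binding; the Redirect binding is ignored.
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        if svc.get("Binding") == POST_BINDING:
            meta.sso_url = svc.get("Location", "")
    if not meta.sso_url:
        meta.problems.append("no HTTP-POST SingleSignOnService")
    elif not meta.sso_url.startswith("https://"):
        meta.problems.append("SSO URL is not https")

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            meta.signing_fingerprints.append(fingerprint_sha256(cert.text or ""))
    if not meta.signing_fingerprints:
        meta.problems.append("no signing certificate: assertions could not be verified")

    meta.nameid_formats = [e.text or "" for e in idp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FORMAT not in meta.nameid_formats:
        meta.problems.append("emailAddress NameID format not advertised")
    return meta


# Constructed sample in the shape of Okta's Identity Provider metadata.
# The certificate body is placeholder bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://dev-000000.okta.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    import sys
    # Pass the path to your saved okta-idp.xml; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    m = parse_idp_metadata(text)
    print("entityID :", m.entity_id)
    print("SSO URL  :", m.sso_url)
    for fp in m.signing_fingerprints:
        print("signing cert SHA-256:", fp)
    print("NameID   :", ", ".join(m.nameid_formats))
    print("problems :", m.problems or "none")
```

Run it as `python3 check_idp_metadata.py okta-idp.xml` (the file name is just a suggestion). If the SHA-256 fingerprint it prints does not match the certificate Okta shows for the app, you have the wrong metadata file; if it reports SP metadata, you have downloaded the AWS SSO side by mistake.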
AWS SSO - Change Identity Provider
In this section we are going to upload the details of our Okta Identity Provider.

- Switch back to the browser tab on the AWS SSO - Identity provider metadata page
- Click Browse and select the okta-idp.xml document you saved above
- Click Next: Review
- Review and confirm
- Review the information provided
- Type CONFIRM in the field at the bottom
- click Change Identity source
- Once the reconfiguration has completed click Return to settings
AWS SSO - Automated Provisioning
This step is optional but highly recommended for managing users at scale.

- Click on the link Enable automatic provisioning
- Note the SCIM endpoint and Access token shown; you’ll paste them into the Provisioning form of the Okta AWS Single Sign-on app in the tab you left open. The access token is a bearer credential: anyone holding it can create, change and deactivate users in AWS SSO, so handle it as you would a password, and note that it expires and must be regenerated before then. If Okta reports an error when testing the credentials, delete the trailing ‘/’ from the SCIM 2.0 Base Url.
Okta - Automated Provisioning
Still within the AWS Single Sign On app, click Provisioning

- On the Provisioning page
- Click Configure API Integration
- check enable API integration
- enter the parameters from the AWS SSO page
- SCIM 2.0 Base Url : <SCIM endpoint>
- OAuth Bearer Token : <Access token>
- Click Test API Credentials
- If you get an error, remove the trailing ‘/’ from the Base URL and try again.
- Click Save

- Click To App in the lefthand menu
- click Edit
- check Create Users
- check Update User Attributes
- check Deactivate Users
- click Save

- Click on Push Groups
- Click on + Push Groups then Find Groups by Rule
- Rule name : AWS Groups
- Group name : starts with : <realm>AWS
- check Immediately push groups found by this rule
- Click Create Rule
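As an added example (not part of the lab, nor Okta’s or AWS’s own tooling), the small client below does what Okta’s Test API Credentials button does against the SCIM endpoint: a GET of ServiceProviderConfig with the bearer token. It also provides a filtered user lookup you can use after a push to confirm a user arrived in AWS SSO. It normalises the Base Url by removing the trailing ‘/’ that the lab identifies as the cause of the test error. The SCIM_ENDPOINT and SCIM_TOKEN environment variable names are chosen here, the default endpoint and the sample list response are constructed, and the script only talks to the network when a token is supplied.

```python
import json
import urllib.parse
import urllib.request


class ScimClient:
    """Minimal SCIM 2.0 client for an AWS SSO provisioning endpoint."""

    def __init__(self, base_url: str, token: str):
        # Okta rejects a Base Url with a trailing '/': strip it once here so every
        # resource URL is built as <base>/<resource> with exactly one separator.
        self.base_url = base_url.rstrip("/")
        self.token = token

    def url(self, resource: str, **query) -> str:
        path = f"{self.base_url}/{resource.lstrip('/')}"
        return path + ("?" + urllib.parse.urlencode(query) if query else "")

    def get(self, resource: str, **query) -> dict:
        req = urllib.request.Request(
            self.url(resource, **query),
            headers={"Authorization": f"Bearer {self.token}",
                     "Accept": "application/scim+json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def test_credentials(self) -> dict:
        # ServiceProviderConfig takes no parameters; a 200 here proves URL and token.
        return self.get("ServiceProviderConfig")

    def find_user(self, user_name: str) -> dict:
        # SCIM filter syntax; backslashes and double quotes in the value are escaped.
        escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
        return self.get("Users", filter=f'userName eq "{escaped}"')


def summarize_users(list_response: dict) -> list:
    """Reduce a SCIM ListResponse to (userName, active, displayName) tuples."""
    out = []
    for r in list_response.get("Resources", []):
        out.append((r.get("userName", ""), bool(r.get("active", False)),
                    r.get("displayName", "")))
    return out


# Constructed sample ListResponse in the shape returned for
# GET /Users?filter=userName eq "alias@realm.local"; every value is a placeholder.
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [
        {"id": "example-user-id", "userName": "alias@realm.local",
         "displayName": "Your First Your Last", "active": True}
    ],
}


if __name__ == "__main__":
    import os
    base = os.environ.get("SCIM_ENDPOINT", "https://scim.example.invalid/tenant/scim/v2/")
    token = os.environ.get("SCIM_TOKEN", "")
    client = ScimClient(base, token)
    print("credential test URL:", client.url("ServiceProviderConfig"))
    if token:  # only contact the real endpoint when a token was supplied
        print(json.dumps(client.test_credentials(), indent=2))
        print(summarize_users(client.find_user("alias@realm.local")))
    else:
        print(summarize_users(SAMPLE_LIST_RESPONSE))
```

With the real endpoint and token exported, a 401 from ServiceProviderConfig means the token is wrong or expired, while a 404 almost always means the path was assembled incorrectly (the double slash the lab warns about); a user that Okta says it pushed but that the filter does not return has not been assigned to the app.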
Okta - Assign the Apps to the Group of Users
First we need to create a group to represent the users that should have access to the AWS app in Okta.
Okta - Create a Group
Earlier we created a rule to push groups with the prefix <realm>AWS to AWS SSO; now let’s create such a group and check that this happens. We’re going to create a group to represent our Financial Operations team members, who should have permission to view billing information in our Organization’s master payer account.
- In the Okta console (on the top ribbon), click Directory then Groups
- Click Add Group
- Add Group
- Name : <realm>AWSFinOpsUsers
- Group Description : Cross Account Financial Operations Users.
- Click Add Group
- Open the AWS : <Your Organization> app and click on the Push Groups tab
- We should see <realm>AWSFinOpsUsers listed and marked as Active
- Switch to the browser tab On the AWS SSO
- In the left panel, click Groups; you should see <realm>AWSFinOpsUsers listed with No users
AWS SSO - Assign Permission Sets
We’ll now create a permission set with appropriate rights for the Financial Operations team.

- Switch to the browser tab On the AWS SSO
- In the left panel, click AWS accounts, and then the Permission sets tab
- Click Create permission set
- Create new permission set
- select Use an existing job function policy
- Click Billing and click Create
- Click on Billing in the list of permission sets and review its Permissions tab to confirm the Billing job function policy is attached
AWS SSO - Assign Users
We now need to assign the users represented by the Okta group <realm>AWSFinOpsUsers, with the permission set Billing, to the master payer account.

- Switch to the browser tab On the AWS SSO
- In the left panel, click AWS accounts, and then the AWS Organization tab
- Click Root
- Check <your master account> and click Assign users
- Assign Users
- Click the Groups tab
- Check <realm>AWSFinOpsUsers
- Click Next: Permission sets
- Select permission sets
- check Billing
- Click Finish
- Complete
- Click Proceed to AWS accounts
Okta - Create a user
In this section, you’ll create a test user in the Okta portal.

- Switch to the browser tab on the Okta console
- In the Okta console (on the top ribbon), click Directory then People
- Click Add Person
- Add Person
- User type : User
- First name : <your first name>
- Last name : <your last name>
- Primary email : <alias>@<realm>.local
- Groups :
- start typing <realm>AWS and click Add next to <realm>AWSFinOpsUsers
- start typing AWS and click Add next to AWS Users
- Password : Set by admin
- enter a password
- uncheck User must change password on first login
- Click Save
- Switch to the browser tab On the AWS SSO
- In the left panel, click Users,
- In the list of users you should now see the account we created above (Okta only provisions a user over SCIM once they are assigned to the AWS app, directly or through a group that is assigned to it; if the user is missing, check the app’s Assignments tab)
- Click on the Display name “<your first name> <your last name>” with Username <alias>@<realm>.local
- you should see that the user was
Explore as our FinOps User
Now we can see the experience we’ve configured for our test user.
- Switch to the browser tab On the AWS SSO
- In the left panel, click Dashboard,
- Copy the User portal URL:
- Open a browser window in Private or incognito mode and paste the user portal URL in to the address bar.
- Browser should redirect you to your Okta log in page,
- username : <alias>@<realm>.local
- password : the one you created above
- you may be asked to enrol additional security factors, depending on your Okta configuration
- Once successfully logged in you should be returned to the AWS Single Sign-On start page
- Click on AWS Account (1)
- Click on the name of your master account
- On the line Billing click the link Management Console
- A new tab should open and display the Billing & Cost Management Dashboard for your organization.
Deleting AWS resources deployed in this lab
In the Master account:
- In the AWS SSO Dashboard
- In the Identity Source section, in the row Identity Source, click the Change link.
- Change identity source
- Select AWS SSO,
- click Next: Review
- Review and confirm
- Review the information provided
- Type CONFIRM in the field at the bottom
- click Change Identity source
- Once the reconfiguration has completed click Return to settings
- In the Okta console,
- delete the app: AWS : <Your Organization>
- delete the user: <alias>@<realm>.local
- delete the groups: <realm>AWSFinOpsUsers and AWS Users
- Close the Okta account [optional]
Copyright 2020, Amazon Web Services, All Rights Reserved.