In this lab you will learn how to connect Okta as an identity source for AWS Single Sign-on (SSO). When you connect Okta to AWS SSO you can:
Control in Okta who has access to AWS SSO
Enable your users to be automatically signed-in to AWS SSO with their Okta Accounts
Manage permissions to AWS accounts and applications centrally in AWS SSO for your Okta enabled users
This lab requires an account with Administrator privileges and Control Tower. Ask a lab assistant for help if you do not have account credentials.
An Okta free trail account. Provide a work email (e.g.,
email@example.com), confirm email, set up MFA if required, and sign in as administrator.
Configure AWS SSO - Part 1
a. Navigate to the AWS SSO landing page. In the left navigation pane, choose Settings.
b. On the Settings page, find Identity source and choose Change.
c. On the Change identity source page, choose External identity provider.
d. In the Service provider metadata section, click Show Individual Metadata Values.
e. Click the copy icon next to to AWS SSO ACS URL and save this to a notepad for a later step.
f. Click the copy icon next to to AWS SSO Issuer URL and save this to a notepad for a later step.
g. Leave this browser open. You will return to this in Step 3.
To configure the integration of AWS SSO into Okta, you need to add AWS SSO as an application in Okta. In this scenario, Okta is the identity provider, and AWS SSO is the service provider, so we’re effectively setting up AWS SSO as a SaaS app from Okta’s perspective
a. Open a new browser window and sign into the Okta admin portal using the account you created in the Prerequisites.
b. In the header click Applications. Then click Applications in the dropdown menu.
c. Click Add Application.
d. On the left pane, click the green Create New App button.
e. Select SAML 2.0 as the Sign on method. Click Create
f. Name the app
AWS SSO Demo and choose Next.
g. In the Single sign on URL field, enter in the AWS SSO ACS URL you copied to your notepad in Step 1e.
h. In the Audience URI (SP Entitiy ID) field, enter in the AWS SSO issuer URL you copied to your notepad in Step 1f.
i. Next to Name ID format select EmailAddress from the dropdown menu.
j. Next to Application username select Email from the dropdown menu.
k. Click Next.
l. Select I’m a software vendor….
m. Click Finish.
n. You’ll return to the Sign On Settings page. Locate the Identity Provider metadata hyperlink. Right-click (or Mac equivalent) to Save Link As…
o. Save the file as
This is an XML file that contains the Okta URLs and x.509 certificate information for your AWS SSO Demo app in Okta. You’ll use this to finish your External IdP configuration in AWS SSO.
Configure AWS SSO - Part 2
a. Navigate back to your AWS SSO browser window.
b. In the Identity provider metadata section, click Browse to search for the metadata file (
okta-metadata) you downloaded and saved in Step 2o. Upload this file.
c. Click Next: Review
d. In the text box, type
CONFIRM and choose Change identity source to confirm changing the directory.
Assign Okta test user to AWS SSO app in Okta
Here you will enable your Okta user to use the AWS SSO Demo application
a. In the Okta browser, select the tab Assignments
b. Click the green Assign button, then click Assign to People.
c. Click the Assign button next to the user you’re currently logged in as, there should only be one user.
d. Ensure the username is the email address of your user. This should be the email address you used when you signed up for the Okta account.
e. Click Save and Go Back.
f. Click Done. Your user should now appear in the list assignments for the AWS SSO Demo application.
Create AWS SSO test user
*The objective of this section is to provision the Okta user in AWS SSO and assign the user access to AWS resources so you can test authentication between Okta and AWS SSO. For this example, we will show how to provision the user manually through the AWS SSO console.
a. Navigate to the AWS SSO landing page. In the left navigation pane, choose Users.
b. On the Users page, choose Add user.
c. On the Add user page, in the Username field, enter the email address associated with your Okta user If you do not use the correct email address, authentication will fail
d. In the Email and Confirm email address fields, enter the email you used in Step 5c.
e. Enter any value you like for First Name and Last Name.
f. Ensure Display name field is populated.
g. Click Next: Groups.
h. Click Add user.
i. To assign the user to your AWS account, in the AWS SSO console, in the left navigation pane, click AWS accounts.
j. On the AWS Accounts page, select the AWS organization tab. Check the box next to the AWS account you want to assign to the user. Then click Assign users
k. On the Assign Users page, find and check the box next to the user you created. Then click Next: Permission sets.
l. Under the Select permission sets section, check the box next to the permission set you want to assign to the user. If you don’t have an existing permission set, click Create new permission set.
Note: Permission sets define the level of access that users and groups have to an AWS account. To learn more about permission sets, see the AWS SSO Permssion Sets page.
m. Click Finish.
Test SSO - Initiate Login from Okta
Test your Okta single sign-on configuration
a. Return to your Okta browser window, and click My Apps.
b. Dismiss any notifications you receive, then click the AWS SSO Demo application title.
c. You should be redirected to AWS SSO, landing on the AWS SSO user portal
Note: for first try, an extra set of redirects is expected, as AWS SSO completes the sign-in exchange over SAML with Okta
Test SSO - Initiate Login from AWS SSO
a. Navigate to the AWS SSO landing page. In the left navigation pane, click Settings.
b. Under User portal click the User portal URL link.
c. You will be redirected to Okta, and asked to login if you have not already authenticated to Okta in that browser window.
d. Following login, you’ll be redirected back to the AWS SSO user portal.
Copyright 2020, Amazon Web Services, All Rights Reserved.