Integrating Okta with AWS Single Sign-On in an AWS Control Tower Environment


AWS Control Tower offers a seamless native integration with AWS Single Sign-On (AWS SSO) to manage users, roles, and access across multiple accounts. However, many organizations have more intricate SSO needs that require linking with external identity providers for authentication and authorization. Okta stands out as a robust identity management solution designed for the cloud, while also being compatible with various on-premises applications. You can easily find and subscribe to Okta through AWS Marketplace.

In this article, I will guide you through the process of integrating AWS Control Tower, AWS SSO, and Okta as an external identity provider, allowing you to efficiently manage users, entitlements, accounts, and roles directly within Okta. We will utilize the System for Cross-domain Identity Management (SCIM, RFC 7644) to enable Okta to oversee users, groups, and group memberships in conjunction with AWS SSO.

When integrating AWS Control Tower with Okta, you have two options to consider:

  1. Manually create AWS Identity and Access Management (IAM) roles in each AWS Control Tower managed account, including any new accounts provisioned via Account Factory.
  2. Leverage the SCIM functionality within AWS SSO to automatically sync users and roles between Okta and AWS, allowing administrators to manage users and permissions from a single platform.

For this solution, we will focus on the SCIM approach.

Solution Overview

In this integration, you will create an Okta application to facilitate the identity federation between Okta and AWS Control Tower. User and group management will occur within Okta, with access replicated to AWS SSO through SCIM. Additionally, a second application in Okta will automate the provisioning of users and groups into AWS SSO. AWS SSO will then take care of the mapping between groups, permission sets, and accounts. These mappings may need to be adjusted as you create new accounts or define additional permission sets.

The diagram below illustrates the solution architecture:

  • Users authenticate through Okta.
  • Upon successful authentication, users log into AWS SSO.
  • Users can then assume roles to execute tasks within their AWS environment using Security Assertion Markup Language (SAML), managed by AWS SSO.

Users are managed and authenticated by Okta; their usernames and group memberships are pushed to AWS SSO via SCIM. Refer to the diagram for further clarity.

Prerequisites

Walkthrough

Follow these steps to integrate Okta and AWS Control Tower with automated user provisioning:

  1. Subscribe to Okta in AWS Marketplace.
  2. Create the Okta SAML application and link it to AWS SSO for identity federation.
  3. Set up the Okta SCIM application for synchronization.
  4. Map Okta groups to permission sets.

Step 1: Subscribe to Okta in AWS Marketplace

Refer to this tutorial for guidance on subscribing to Okta in AWS Marketplace.

Step 2: Create the Okta SAML Application and Connect it with AWS SSO

A. Configure AWS SSO to utilize Okta as an external identity provider.
For detailed instructions, see the Connect to Your External Identity Provider section in the AWS Single Sign-On User Guide. Here’s how to set it up:

  • Sign in to the AWS Management Console and navigate to the AWS SSO service.
  • In the left pane of the AWS SSO console, select Settings.
  • On the Settings page, in Identity Source, click Change.
  • Choose External Identity Provider.
  • In Service provider metadata, select Show individual metadata values.
  • Open a new tab for the Okta console while keeping the AWS SSO console tab open.

B. Create an Okta application to connect with AWS SSO.
Although you may encounter existing AWS applications in the Okta gallery, for this integration, you need to create a custom application:

  • Log into the Okta console. If you see the Developer Console at the top, switch to Classic UI. Click on Applications and then Applications again. Select Add Application.
  • Choose Create New App. For the Platform, select Web. For Sign-on method, choose SAML 2.0 and then click Create. Name the application (e.g., AWS SSO) and proceed to the next step.
  • Fill in the following fields using the values shown in the AWS SSO console:
    • Single sign-on URL: AWS SSO ACS URL
    • Audience URI (SP Entity ID): AWS SSO Issuer URL
    • Name ID format: EmailAddress
    • Leave the other parameters at their default settings.
  • Click Next, choose “I’m a software vendor. I’d like to integrate my app with Okta,” and finish the setup. In the toolbar, click Applications and then select the application you just created (AWS SSO). Navigate to the Sign On tab.
  • Click Identity Provider metadata; a new browser tab will open with the XML data. Save this XML as okta-idp.xml on your device and close the metadata tab.
  • Return to the Applications page in Okta.

C. Upload the Metadata.
To finalize the Okta configuration as the external identity provider, upload the Okta identity provider metadata to AWS SSO:

  • Switch back to the AWS SSO console tab you opened earlier.
  • Click Browse and select the okta-idp.xml file you saved.
  • In the Identity Source section, click Change in the Identity Source row.
  • Click Next: Review.
  • Review the displayed information.
  • In the confirmation field at the bottom, enter CONFIRM.
  • Click Change Identity Source. Once the reconfiguration is complete, click Return to settings.

Now, Okta and AWS SSO are integrated, but no permissions have been mapped yet.
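Before uploading the okta-idp.xml file saved in Step 2B, it is worth checking that the metadata actually carries what AWS SSO relies on: a signing certificate, the emailAddress Name ID format chosen above, and an HTTPS HTTP-POST sign-on endpoint. The following checker is an added example, not code from the original post or from Okta or AWS; the sample metadata, entityID, URL and certificate in it are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return a list of problems found in SAML IdP metadata; an empty list means it looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID") or idp is None:
        return ["not an EntityDescriptor with an entityID and an IDPSSODescriptor"]
    # AWS SSO verifies assertion signatures with the signing certificate(s) carried here.
    certs = [k.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate", "")
             for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use", "signing") == "signing"]
    if not certs:
        problems.append("no signing KeyDescriptor")
    for cert in certs:
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:
            der = b""
        if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
            problems.append("signing certificate is not base64-encoded DER")
    # Step 2 sets Name ID format to EmailAddress; the IdP should advertise that format.
    if EMAIL_FMT not in [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")]:
        problems.append("emailAddress NameIDFormat not advertised")
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not any(s.get("Binding") == POST_BINDING for s in sso):
        problems.append("no HTTP-POST SingleSignOnService")
    for s in sso:
        if not s.get("Location", "").startswith("https://"):
            problems.append("non-HTTPS SSO location: " + s.get("Location", ""))
    return problems


# Constructed sample in the shape of Okta IdP metadata; entityID, URL and certificate are placeholders.
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_OK = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://example.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same document with the key marked for encryption only and a plain-HTTP SSO endpoint.
SAMPLE_BAD = SAMPLE_OK.replace('use="signing"', 'use="encryption"').replace("https://", "http://")
```

Run `check_idp_metadata(open("okta-idp.xml").read())` against the real file; an empty list means the three properties above are present, and any string returned names what to fix in the Okta application before Step 2C.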

Step 3: Create the Okta SCIM Application

A. Enable SCIM to synchronize users and groups from Okta to AWS SSO.
For detailed instructions, refer to the Automatic Provisioning section in the AWS Single Sign-On User Guide.

  • Go back to the AWS SSO console tab you opened earlier.
  • In the navigation pane, click Settings.
  • Select Enable automatic provisioning.
  • Copy the SCIM endpoint and token to a text editor for future use.

B. Create an application to push data to AWS SSO.
With SCIM enabled, you can now create an application that automatically pushes users and groups from Okta to AWS SSO via SCIM. For more information, see the Create your application section in the Okta documentation.

  • Switch back to the Okta console tab you opened earlier.
  • Click Add Application.
  • In the suggestions, search for SCIM 2.0 OAuth. Select SCIM 2.0 Test App (OAuth Bearer Token) and click Add.
  • On the General Settings page, label the application: AWS SSO – SCIM 2.0 (OAuth Bearer Token). Select Do not display application icon to users, and also choose not to display the icon in the Okta Mobile App. Click Done.
  • On the Provisioning tab, click Configure API Integration. Select Enable API integration.
