How to set up SSO with AWS Identity and Access Management

Oct 9, 2021 12:26:00 PM / by Vu Long Tran

This is a step-by-step guide on how to set up SSO for Amazon Web Services (AWS) Identity and Access Management (IAM) on Okta.

By federating Okta to your Amazon Web Services (AWS) Identity and Access Management (IAM) account, end users get single sign-on access to all of their assigned AWS roles with their Okta credentials: when a user opens AWS from Okta, they are signed straight into the AWS role that has been assigned to them.

The key steps we will be going through are:

  • Prerequisites
  • 1. Add the AWS Account Federation (AWS IAM) app to your Okta instance
  • 2. Set up SSO settings on AWS IAM
  • 3. Set up SSO settings on Okta
  • 4. Test that SSO is working

Prerequisites

Before you can start setting up Single Sign On (SSO) for Amazon Web Services (AWS) Identity and Access Management (IAM) and Okta, we need to check the following:

  • Access to Amazon Web Services (AWS) Identity and Access Management (IAM) Admin Console - Confirm that you have administrator access to Amazon Web Services (AWS) Identity and Access Management (IAM) Admin Console. 
  • Access to Okta Admin Console - Confirm that you have administrator access to Okta's Admin Console. If you do not have an Okta account, you can create a free Okta Trial account or Okta Developer account.
  • (Recommended) Use the same email address for your Amazon Web Services (AWS) Identity and Access Management (IAM) administrator account as your Okta administrator account. This will make it easier for you to administer the accounts. 

1. Add Amazon Web Services (AWS) Identity and Access Management (IAM) app to your Okta instance

Log in to your Okta account as an administrator (with administrator access).

Under Applications > Applications, search for the AWS Account Federation app in the Okta Integration Network (App Integration Catalog). The AWS Account Federation app is the Amazon Web Services (AWS) Identity and Access Management (IAM) integration we will use in this example.

Click Add to add the AWS Account Federation app.

Fill in the AWS Account Federation options and click Next.

  • Application label - Name your AWS Account Federation app.

Click SAML 2.0.

Scroll down and click on "View Setup Instructions".

You will then be sent to View Setup Instructions for Amazon Web Services (AWS) Identity and Access Management (IAM) in a separate web browser tab. 

Click back on Okta.

Right click on "Identity Provider metadata".

Click "Save Link As..." from the right click menu.

Save this to your computer. 

Give it a name, for example "metadata.xml". Make sure you save it with a .xml file extension.

We will need this later for our AWS IAM SSO settings. 

On Okta, leave the default settings and click Done.

We will come back with AWS details to populate the fields here. 

That is, leave these as default for now: 
  • AWS Environment (Required for SAML SSO) - Regular AWS
  • ACS URL (optional & only relevant to SAML SSO) - Leave as default
  • Identity Provider ARN (Required only for SAML SSO) - Leave as default. We will copy and paste the identity provider ARN from AWS later. 
  • Session Duration (Required only for SAML SSO) - Leave as default
  • Join all roles - Leave as default
  • Use Group Mapping - Leave as default

2. Set up SSO settings on Amazon Web Services (AWS) Identity and Access Management (IAM)

Log into your Amazon Web Services (AWS) Identity and Access Management (IAM) account

In a new browser tab, log in to your Amazon Web Services (AWS) Identity and Access Management (IAM) account as an administrator (with administrator access) at https://aws.amazon.com/console.

Open Single Sign-On Settings

In Amazon Web Services (AWS) Identity and Access Management (IAM), open your Single Sign-On (SSO) settings. We will find this in the "Identity Providers" section. 

To get there, go to:

AWS Console > Services > Security, Identity & Compliance > IAM > Identity Providers

Once there, click on "Add Provider".

You will then be presented with an "Add an Identity provider" page. Fill it in as follows and click "Add provider" when you are done.

  • Provider type - SAML
  • Provider name - Okta
  • Metadata document - We will upload the metadata.xml file we downloaded from Okta earlier. 

Once added, you will be presented with an SSO summary page.

Click on "Okta" and review your settings. 

Copy the Identity Provider ARN value shown here. You will need it later in this configuration, when filling in the Okta app's Sign On settings.

Add Okta as a trusted source for AWS roles

We need to create and/or update your existing AWS IAM roles to provide permissions for Okta to retrieve and assign roles to users (that will log in from Okta to AWS). 

To do this, we need to add Okta as a trusted source for your AWS roles.

I will show you an example of this by creating a new role: we first create a new policy, then create a new role and attach the policy to it.

The next section will cover:

  • Creating a new policy
  • Creating a new role

Creating a new policy

In the AWS Console, we will go to:

AWS Console > Services > Security, Identity & Compliance > IAM > Policies

Click "Create policy". 

Click on "JSON" tab.

Copy and paste the following JSON policy document into the editor. It grants only the two read-only listing actions Okta needs to discover the account's roles and alias:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListAccountAliases"
      ],
      "Resource": "*"
    }
  ]
}

(Optional) You can click on the "Visual editor" tab to see how this policy is reflected there:

Click "Next: Tags" when you are done. 

Click "Next: Review".

Give your policy a name, for example, "Oktassopolicy". 

We can then leave the rest as defaults and click "Create policy".

You will then see your new policy when you search the name you have defined.

Creating a new role

In the AWS Console, we will go to:

AWS Console > Services > Security, Identity & Compliance > IAM > Roles

Click "Create Role".

Click on "SAML 2.0 federation" under the "Select type of trusted entity" section.

Select "Okta" as the "SAML provider".

Select "Allow programmatic and AWS Management Console access".

Click "Next: Permissions".

Attach the policy we created earlier to this new role.

We can click on "Next: Tags".

On the "Add tags (optional)" page, click "Next: Review". 

Give your role a name, for example, "Oktassorole".

We can then leave the rest as defaults and click "Create role".

You will now see the new role we have created, with a "Trusted entities" relationship with our Identity Provider Okta. 
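To see what that "Trusted entities" relationship amounts to, here is an added example (not code from this guide or from AWS) that builds the equivalent trust policy in Python and reviews a retrieved trust policy for the two things worth verifying: that only the Okta provider ARN is trusted, and that the SAML:aud condition pins assertions to the AWS sign-in endpoint. The account id and provider name are placeholders; the permissions policy attached to the role is separate and governs what the signed-in user may do.

```python
import json

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Placeholder account id and provider name, matching the examples in this guide.
OKTA_PROVIDER_ARN = "arn:aws:iam::111111111111:saml-provider/Okta"


def saml_role_trust_policy(provider_arn):
    """Trust policy equivalent to what the console generates for a 'SAML 2.0 federation'
    role: only the named IdP may assume the role, and only with an assertion addressed
    to the AWS sign-in endpoint (the SAML:aud condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def check_trust_policy(policy, expected_provider_arn):
    """Review a role's trust policy (e.g. the AssumeRolePolicyDocument returned by GetRole).
    Returns a list of findings; an empty list means every SAML assume-role statement trusts
    exactly the expected provider and carries the audience condition."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue  # not a SAML assume-role grant (e.g. a service principal statement)
        principal = st.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if isinstance(federated, list) and len(federated) == 1:
            federated = federated[0]
        if federated != expected_provider_arn:
            findings.append(f"statement {i}: federated principal is {federated!r}, "
                            f"expected {expected_provider_arn!r}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: no StringEquals SAML:aud == {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    print(json.dumps(saml_role_trust_policy(OKTA_PROVIDER_ARN), indent=2))
```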

Add a user to AWS to generate the AWS API access key

In the AWS Console, we will create a new AWS user with specific permissions that will allow Okta to dynamically fetch a list of available roles from your accounts.

This is important so that Okta can populate its list of roles, which we will use later to assign AWS roles to users from Okta.

This will also make assigning users and groups to specific AWS roles easy and secure for administrators.

Creating a new user

In the AWS Console, we will go to:

AWS Console > Services > Security, Identity & Compliance > IAM > Users

Click "Add Users".

Set user details and click "Next: Permissions" when you are done. 

  • User name - oktasso
  • Access type - Programmatic access

Click "Next: Permissions".

Select "Attach existing policies directly".

Find the policy we created earlier, and attach this policy to our user. 

We can click on "Next: Tags".

On the "Add tags (optional)" page, click "Next: Review". 

We can now review the user and when we are ready click "Create user". 

Click "Create user". 

You will now see the page confirming that the user was created successfully.

Copy the Access key ID and Secret access key somewhere safe (for example, a password manager) and click Close. The secret access key is only displayed on this page, at creation time.

We will need these keys to complete our configurations.

3. Set up SSO settings on Okta

We now need to configure the Amazon Web Services Account Federation app in Okta.

In the Okta Admin Console, go to Applications > Applications > AWS Account Federation app.

  • On the "Sign On" tab
  • On the "Provisioning" tab

On the "Sign On" tab

Under the "Sign On" tab you will see the AWS Account Federation "SSO Provider details" you need to fill in.

On this page, click Edit and fill in the details as follows. Click Save when you are done.

  • AWS Environment - Regular AWS
  • ACS URL - Leave as default
  • Identity Provider ARN: Paste the identity provider ARN you copied. For example arn:aws:iam::111111111111:saml-provider/okta
  • Session Duration: Leave the default value, or enter your preferred value.
  • Join all roles: Only select this check box if you want to make AWS SAML use all roles. 
  • Use Group Mapping: Only select this check box to connect Okta to multiple AWS instances using user groups functionality.

Click Save.

On the "Provisioning" tab

Provisioning setup is needed to import information from AWS for SAML single sign-on (SSO) to work. In particular, it imports the AWS roles, which Okta uses when assigning users or groups to the specific AWS roles you have created.

This setup under the Provisioning tab gives Okta the API access it needs to download the list of AWS roles to choose from during user assignment. The AWS app integration lets you assign multiple roles to a user and pass those roles in the SAML assertion. Note that the AWS Account Federation app does not support true user provisioning.

Click the "Provisioning" tab. You will see the AWS Account Federation "Enable API integration" details you need to fill in.

Tick the "Enable API Integration" checkbox.

Fill in the API integration details and click "Test API Credentials".

  • API URL (optional): Optional, we can leave this blank.
  • Access Key: Paste the access key you copied from AWS earlier.
  • Secret Key: Paste the secret key you copied from AWS earlier.
  • Connected Accounts IDs (optional): Optional, we can leave this blank.

If you are looking for your Access Key and Secret Key, you will find them in the "Access keys" section.

AWS Console > Services > Security, Identity & Compliance > IAM > Users > select a user > "Access keys"

Once API integration is successful, we can turn on functions.

Under Settings > To App > Provisioning to App, click Edit.

Check the "Enable" checkboxes for the following and click Save.

  • Create users
  • Update user attributes

4. Test that SSO is working with Amazon Web Services (AWS) Identity and Access Management (IAM)

When you are ready, let's test that it works.

In the Okta Admin Console, let's assign a user to the application (Applications > Applications > AWS Account Federation app).

Go to the "Assignments" tab (Applications > Applications > AWS Account Federation app > "Assignments").

Select "Assign" and "Assign to People".

Select our test user and click "Assign".

Select the AWS role options for the "Role" from the dropdown menu. This is populated (via the API integration) with the applicable roles you have created in AWS. 

When you are ready, click "Save and Go Back".

Now let's log into our Okta instance as a test user. You may need to refresh your browser if you had the browser window already open.

Then click on "AWS Account Federation" application icon (chiclet).

Success! You will be logged in to AWS under the role assigned through the AWS Account Federation app.

Tips and Troubleshooting

  • To get new list of AWS roles from AWS (use "Refresh Application Data" function)
  • Reset the API connection
  • Reset the AWS Account Federation assignment
  • Other AWS error messages that might come up

To get new list of AWS roles from AWS (use "Refresh Application Data" function)

If you create another new IAM role after setting up the API integration in Okta, it does not get populated in Okta automatically. To pick up the new role, do the following:

Go to Applications > Applications and open the AWS Account Federation app.

Click "More", and then click "Refresh Application Data".

This downloads the latest roles, profiles and groups from apps configured with user provisioning. Okta uses this data when creating new users in those apps.

The AWS sign-in error page seen in this situation reads:

Amazon Web Services Sign In
Your request included an invalid SAML response. To logout, click here


Reset the API connection

Go to AWS Account Federation > Provisioning > Integration > Edit, and click "Test API Credentials".

Reset the AWS Account Federation assignment

We can do this by unassigning the user from the AWS app and then assigning them again.

"Identity Provider ARN"

The "Identity Provider ARN" setting is found under AWS Account Federation app > Sign On > Advanced Sign-on Settings > Identity Provider ARN. Its value has the form:

arn:aws:iam::1111111111:saml-provider/Okta

"Role ARN"

The "Role ARN" setting is found under AWS Account Federation app > Assignments > Assign to People > your test user > Role.

Mapping error

"There are no AWS Account Federation user attributes that can be set at a group level. You can edit an individual's AWS Account Federation user attributes under the People tab for AWS Account Federation"

Solution:
  • Make sure you have enabled "Import Groups" to import groups from AWS to Okta, under "Okta > Application > AWS Account Federation > Provisioning > Integration > API Integration".
  • The issue was that there were differences in formatting between the Active Directory group's name and the Okta group filter.
  • Make sure you have added the Active Directory users to the role groups; that is why it reports that no user attributes can be set at a group level.

Tool - SAML Tracer

You can consider installing a SAML tracer extension in your Chrome or Firefox browser for testing. It lets you see the SAML payloads being sent: open the SAML Tracer, then click your app from your Okta SSO page, and the captured requests populate as the page loads. It is similar to the browser's inspect element, but specific to SAML requests.

Chrome Extension - SAML Tracer 

A debugger for viewing SAML messages
A tool for viewing SAML and WS-Federation messages sent through the browser during single sign-on and single logout.

Here's a couple of examples of what it captures. 

Click the SAML row (It will be marked with "SAML" in orange)

Click on the "Summary" tab, and you will see the details summarised. 

Click on the "SAML" tab, and you will see the raw SAML xml details.
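As an added example (not part of the original post), the Python below checks the AWS-specific parts of an assertion captured on the SAML tab, which covers the common causes of the "Your request included an invalid SAML response" error shown earlier: the audience must be https://signin.aws.amazon.com/saml, each Role value must pair a role ARN with a saml-provider ARN from the same account, and a valid RoleSessionName must be present. The embedded assertion is a constructed sample; its account id, role name and user are placeholders.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

# Constructed sample (not a real capture) with the attribute layout the AWS Account
# Federation app produces; account id, role name and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/Okta,arn:aws:iam::111111111111:role/Oktassorole</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>test.user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """All AttributeValue texts of the SAML attribute called `name`."""
    return [v.text or "" for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == name for v in a.iterfind("saml:AttributeValue", NS)]

def check_aws_assertion(xml_text):
    """Return the problems that make AWS reject the assertion (empty list = looks fine)."""
    root = ET.fromstring(xml_text)
    problems = []
    if AWS_AUDIENCE not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("audience is not " + AWS_AUDIENCE)
    roles = attribute_values(root, ROLE_ATTR)
    if not roles:
        problems.append("Role attribute missing: is a role assigned to the user in Okta?")
    for pair in roles:  # each value: role ARN and saml-provider ARN (either order), same account
        matches = [ARN_RE.match(arn.strip()) for arn in pair.split(",")]
        accounts = {m.group(2): m.group(1) for m in matches if m}
        if set(accounts) != {"role", "saml-provider"}:
            problems.append("Role value is not a role/saml-provider ARN pair: %r" % pair)
        elif accounts["role"] != accounts["saml-provider"]:
            problems.append("role and provider ARNs are in different accounts: %r" % pair)
    session = attribute_values(root, SESSION_ATTR)
    if len(session) != 1 or not re.fullmatch(r"[\w+=,.@-]{2,64}", session[0]):
        problems.append("RoleSessionName missing or not 2-64 chars of [\\w+=,.@-]")
    return problems
```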

Other AWS error messages that might come up

For other AWS error messages that might come up, see Amazon Web Services' summary of the error messages to expect and how to manage them: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html
