Integrating Okta with AWS Single Sign-On in an AWS Control Tower Environment


AWS Control Tower offers a seamless native integration with AWS Single Sign-On (AWS SSO), which facilitates user management, role assignments, and access across multiple accounts. However, some organizations may require more sophisticated SSO solutions, such as integration with external identity providers for authentication and authorization purposes. Okta serves as a robust identity management platform tailored for cloud environments while still supporting various on-premises applications. You can easily find and subscribe to Okta through the AWS Marketplace.

This blog post details how to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider, allowing you to manage user accounts, entitlements, and roles directly within Okta. I will demonstrate how to use System for Cross-domain Identity Management (SCIM, RFC 7644) so that Okta handles user and group management for AWS SSO.

When integrating AWS Control Tower with Okta, you have two options:

  1. Create AWS Identity and Access Management (IAM) roles manually across each AWS Control Tower-managed account, including newly provisioned accounts via Account Factory.
  2. Leverage AWS SSO’s SCIM capabilities to automatically synchronize users and roles between Okta and AWS, providing a centralized platform for administrators to manage users and permissions.

This solution utilizes the SCIM approach.

Solution Overview

In this integration, you will set up an Okta application to manage the identity federation between Okta and AWS Control Tower. Users and groups are managed within Okta, and this access is mirrored in AWS SSO through SCIM. Additionally, a second application in Okta automates the provisioning of users and groups into AWS SSO. AWS SSO manages the mapping of groups to permission sets and accounts. Be prepared to update these mappings as you create new accounts or define new permission sets.

The architecture of the solution is depicted in the following image and works as follows:

  • Users authenticate through Okta.
  • Upon successful Okta authentication, users log into AWS SSO.
  • Users can assume roles to perform tasks within their AWS environment, utilizing Security Assertion Markup Language (SAML) managed by AWS SSO.

Okta authenticates and verifies users, and their usernames and groups are transmitted to AWS SSO via SCIM. Please refer to the diagram below.

Prerequisites

Walkthrough

To integrate Okta and AWS Control Tower with automated user provisioning, follow these steps:

  1. Subscribe to Okta in AWS Marketplace.
  2. Set up the Okta SAML application and connect it to AWS SSO for identity federation.
  3. Create the Okta SCIM application for SCIM synchronization.
  4. Create and map Okta groups to permission sets.

Step 1: Subscribe to Okta in AWS Marketplace

Refer to this tutorial for subscribing to Okta in AWS Marketplace.

Step 2: Create the Okta SAML Application and Connect it with AWS SSO

A. Configure AWS SSO to Use Okta as an External Identity Provider

For detailed guidance, see the section on Connecting to Your External Identity Provider in the AWS Single Sign-On User Guide. To set up AWS SSO with Okta as an external identity provider, perform the following actions:

  1. Log in to the AWS Management Console and access the AWS SSO service.
  2. In the left pane of the AWS SSO console, select Settings.
  3. On the Settings page, in the Identity Source section, click Change.
  4. Choose External Identity Provider.
  5. In the Service provider metadata section, click Show individual metadata values.
  6. Open a new browser tab to access the Okta console while keeping the AWS SSO console open.

B. Create an Okta Application to Connect with AWS SSO

While you may find existing AWS applications in the Okta gallery, they typically authenticate directly to individual AWS accounts. For this integration, you will create your own application to link with AWS SSO.

  1. Log in to the Okta console. If you see Developer Console at the top, switch to Classic UI. In the toolbar, go to Applications and then Applications. Click on Add Application.
  2. Select Create New App. From the Platform dropdown, select Web. For Sign on method, choose SAML 2.0, then click Create. Name the application (e.g., AWS SSO) and click Next.
  3. Copy the necessary fields from the AWS SSO console into the respective fields in Okta:
    • Single sign-on URL: AWS SSO ACS URL
    • Audience URI (SP Entity ID): AWS SSO Issuer URL
    • Name ID format: EmailAddress
    • Leave other parameters as default
  4. Click Next. Select I’m a software vendor. I’d like to integrate my app with Okta and click Finish. In the toolbar, go to Applications and select the newly created application (AWS SSO). Click on the Sign On tab.
  5. Choose Identity Provider metadata; a new tab will open with XML data. Save this XML as okta-idp.xml on your device and close the metadata tab.
  6. Return to the Okta console by choosing Back to Applications or selecting Applications from the toolbar.

C. Upload the Metadata

To finalize the configuration of Okta as the external identity provider, upload the Okta identity provider metadata to AWS SSO.

  1. Switch back to the AWS SSO console tab you opened in step 2.A.1.
  2. Click Browse and select the okta-idp.xml file you saved in step 2.B.5.
  3. In the Identity Source section, under Identity Source, click Change.
  4. Click Next: Review.
  5. Verify the information provided, enter CONFIRM in the field at the bottom, and click Change Identity source. After the reconfiguration is complete, click Return to settings.

Now that Okta and AWS SSO are integrated, you still need to map permissions.
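As an added example (not code from the original post, AWS, or Okta), a small Python check to run on okta-idp.xml before uploading it in step 2.C: it extracts the entity ID, the HTTP-POST sign-on URL and the signing certificate that AWS SSO relies on, and flags a missing certificate, a NameID format other than emailAddress, or a non-https sign-on URL. The embedded metadata is a constructed sample whose org URL, app ID and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of the okta-idp.xml that Okta exports; the org URL,
# app id and certificate body are placeholders, not values from a real tenant.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-org.okta.com/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def check_idp_metadata(xml_text):
    """Extract what AWS SSO reads from the IdP metadata and list anything wrong with it."""
    root = ET.fromstring(xml_text.strip())
    result = {"entity_id": root.get("entityID"), "sso_post_url": None, "signing_certs": 0, "issues": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["issues"].append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result
    # Signing certificate: AWS SSO uses it to verify the signature on SAML responses.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            result["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
    if result["signing_certs"] == 0:
        result["issues"].append("no signing certificate: assertions could not be verified")
    # The NameID format must be emailAddress, matching the Okta app setting in step 2.B.3.
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if EMAIL_NAMEID not in formats:
        result["issues"].append("NameIDFormat is not emailAddress")
    # The HTTP-POST sign-on URL is where AWS SSO redirects users; it must be https.
    posts = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == POST_BINDING]
    result["sso_post_url"] = posts[0] if posts else None
    if not posts:
        result["issues"].append("no HTTP-POST SingleSignOnService")
    elif not posts[0].startswith("https://"):
        result["issues"].append("SSO URL is not https: " + posts[0])
    return result
```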

Step 3: Create the Okta SCIM Application

A. Enable SCIM for Synchronizing Users and Groups from Okta to AWS SSO

For further details, check the Automatic Provisioning section in the AWS Single Sign-On User Guide.

  1. Go back to the AWS SSO console you opened in step 2.A.1.
  2. In the navigation pane, select Settings.
  3. Click Enable automatic provisioning.
  4. Copy the SCIM endpoint and token to a text editor for future use.

B. Create an Application to Push to AWS SSO

With SCIM enabled, create an application that will automatically push users and groups from Okta to AWS SSO via SCIM. For more information, refer to the Okta documentation on creating your application.

  1. Return to the Okta console tab you opened in step 2.A.6.
  2. Click Add Application.
  3. Search for SCIM 2 Oauth in the suggestions. Select SCIM 2.0 Test App (OAuth Bearer Token) and click Add.
  4. On the General Settings page, enter Application label: AWS SSO – SCIM 2.0 (OAuth Bearer Token). Select Do not display application icon to users and Do not display application icon in the Okta Mobile App. Click Done.
  5. On the Provisioning tab, click Configure API Integration. Select Enable API integration.
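As an added example, not code from the original post, AWS, or Okta: once automatic provisioning is enabled, this Python snippet shows how the SCIM token from step 3.A is presented (a Bearer header on requests to the SCIM endpoint) and reconciles what AWS SSO holds against the Okta groups you intend to map to permission sets, so a group that never synced, a user with active set to false that still exists, or a membership pointing at an unknown user id surfaces before access is assigned. The endpoint, token and the two SCIM ListResponse documents are constructed placeholders.

```python
import json
import urllib.request

# Constructed responses in the SCIM 2.0 ListResponse shape (RFC 7644) for GET .../Groups
# and GET .../Users against the SCIM endpoint; ids, names and addresses are placeholders,
# not values from a real tenant.
SAMPLE_GROUPS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2, "itemsPerPage": 2, "startIndex": 1,
    "Resources": [
        {"id": "g-1", "displayName": "AWS-Admins", "members": [{"value": "u-1"}]},
        {"id": "g-2", "displayName": "AWS-ReadOnly", "members": [{"value": "u-9"}]},
    ]})
SAMPLE_USERS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2, "itemsPerPage": 2, "startIndex": 1,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": False},
    ]})


def build_scim_request(endpoint, token, path):
    """GET <endpoint>/<path>, authenticated with the token copied in step 3.A.4."""
    url = endpoint.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token, "Accept": "application/scim+json"})


def reconcile(groups_json, users_json, expected_groups):
    """Compare what AWS SSO holds with the groups Okta is expected to push."""
    groups = {g["displayName"]: g for g in json.loads(groups_json)["Resources"]}
    users = {u["id"]: u for u in json.loads(users_json)["Resources"]}
    members = {m["value"] for g in groups.values() for m in g.get("members", [])}
    return {
        # Groups you plan to map to a permission set but that were never pushed.
        "missing_groups": sorted(set(expected_groups) - set(groups)),
        # Groups present in AWS SSO that nobody expects: find out who created them.
        "unexpected_groups": sorted(set(groups) - set(expected_groups)),
        # Users marked inactive upstream that still exist as identities in AWS SSO.
        "inactive_users": sorted(u["userName"] for u in users.values() if not u.get("active")),
        # Group memberships that reference a user id absent from the Users listing.
        "dangling_members": sorted(members - set(users)),
    }
```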


Chanci Turner