AWS : single Sign-on (SSO) with Okta

In this page, we will integrate AWS Single Sign-On with Okta (developer account).

Here is the summary of solution:

1. Users authenticate against Okta.
2. Users log on to AWS SSO upon successful authentication with Okta.
3. Users now can assume roles to perform tasks within their AWS environment using Security Assertion Markup Language (SAML), which is managed by AWS SSO.

     {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Federated": "arn:aws:iam::****:saml-provider/AWSSSO_bb421e8d48559f88_DO_NOT_DELETE"
               },
               "Action": [
                   "sts:AssumeRoleWithSAML",
                   "sts:TagSession"
               ],
               "Condition": {
                   "StringEquals": {
                       "SAML:aud": "https://signin.aws.amazon.com/saml"
                   }
               }
           }
       ]
   }
   

This post is closely following this blog (Single Sign-On between Okta Universal Directory and AWS).

Create a developer account with Okta:

To add AWS SSO application to Okta, navigate to the Okta administration console and login with Okta administrator credentials, then I navigate to the Applications tab. Then, click the Add Integration button and add AWS SSO application.

Select the AWS SSO application and download the SAML Meta Data file generated by Okta by clicking the Identity Provider metadata. Keep this file (IDP-metadata.xml), we need it later to configure the AWS side of the single sign-on:

Now that we have the metadata file, open the AWS Management Console in a new tab while keeping the Okta tab open as the procedure is not finished there yet. Navigate to AWS Single Sign-On and click Enable AWS SSO.

In Settings navigation panel, set the Identity source by clicking the Change link:

Select External identity provider from the list of options. Then, select the XML file we downloaded from Okta.

Click Change identity source to complete the AWS Single Sign-On side of the process.

Here, we need to take note of the two values AWS SSO ACS URL and AWS SSO Issuer URL because we must enter these in the Okta console.

Now that we have configured Okta for single sign-on for users to connect using AWS Single Sign-On, we want to enable automatic provisioning of user accounts. As new accounts are added to Okta, and assigned to the AWS SSO application, a corresponding AWS Single Sign-On user is created automatically. So, an administrator does not need to do any work to configure a corresponding account in AWS to map to the Okta user.

On the AWS Single Sign-On Console, navigate to Settings and then click the Enable identity synchronization link.

Then, as shown below, we'll have a dialog containing the values for the SCIM endpoint and an OAuth bearer access token (hidden by default). We need both of these values to use in our Okta application settings.

Back to the tab open on the Okta console, and click on Provisioning tab under the AWS SSO Application. Click Configure API Integration and select Enable API integration. Then put the values Base URL (AWS Single Sign-On Console SCIM endpoint) and API Token (AWS Single Sign-On Console Access token). Make sure to remove the trailing / at the end of the URL. The URL ends with scim/v2

Click Test API Credentials to verify everything works as expected and click Save.

Then, click To App to enable users creation, update, and deactivate as shown below:

Now that the provisioning enabled, we need to assign the users and groups that we want to synchronize from Okta to AWS Single Sign-On.

AWS SSO supports automatic provisioning (synchronization) of user and group information from Okta into AWS SSO using the System for Cross-domain Identity Management (SCIM) v2.0 protocol.

To configure this connection in Okta, you use your SCIM endpoint for AWS SSO and a bearer token that is created automatically by AWS SSO. When you configure SCIM synchronization, you create a mapping of your user attributes in Okta to the named attributes in AWS SSO. This causes the expected attributes to match between AWS SSO and your IdP. - okta

Note: SSO is a way to authenticate, and SCIM is a way to provision. SCIM is to automate the exchange of user identity data between cloud apps. For example, SCIM synchronization is done by Okta's pushing users & groups.

Click the Assignments tab and add Okta users and groups. Click Assign, and select the Okta users and groups we want to have access to AWS

The users are now synchronized to AWS Single Sign-On, and the users can see the AWS Single Sign-On application appear in the Okta portal (logged in with my personal gmail user):

To verify the assigned users are synchronized, switch back to the AWS Single Sign-On console and select the Users tab. As we can see in the picture below, the users assigned in Okta console are present:

Note that at this time, the users have only access to sign in. To manage permissions in terms of what they can access once signed into AWS, we should set up permissions in AWS Single Sign-On.

Back to AWS SSO Console, click AWS Accounts on the left tab bar and select the account from my AWS Organizations that we're giving access to.

Click Assign users to assign SSO users or groups to a set of IAM permissions. For this example, I assign just one user, the one with gmail address.

Click Select permission sets and Create permission set to create a set of IAM policies to describe the set of permissions we're granting to the Okta users. For this case, we're granting a read-only permission on all AWS services:

Let's test the SSO.

Using the AWS Single Sign-On user portal (the URL is on the AWS Single Sign-On settings page):

Click Management Console:

Using Okta portal (https://dev-8020297.okta.com/):

Click AWS SSO:

This time, we may want to click "Command line ...."

Unfortunately, it appears that we cannot combine AWS SSO with JIT (JUST-IN-TIME) with OKTA. So, JIT (temporary elevated access) and AWS SSO (persistent access) should be used in parallel.

Using the broker alongside your existing access solution.

Refs:

1. Single Sign-On between Okta Universal Directory and AWS
2. How to Configure SAML 2.0 for AWS Single Sign-on

AWS (Amazon Web Services)

1. AWS : EKS (Elastic Container Service for Kubernetes)
2. AWS : Creating a snapshot (cloning an image)
3. AWS : Attaching Amazon EBS volume to an instance
4. AWS : Adding swap space to an attached volume via mkswap and swapon
5. AWS : Creating an EC2 instance and attaching Amazon EBS volume to the instance using Python boto module with User data
6. AWS : Creating an instance to a new region by copying an AMI
7. AWS : S3 (Simple Storage Service) 1
8. AWS : S3 (Simple Storage Service) 2 - Creating and Deleting a Bucket
9. AWS : S3 (Simple Storage Service) 3 - Bucket Versioning
10. AWS : S3 (Simple Storage Service) 4 - Uploading a large file
11. AWS : S3 (Simple Storage Service) 5 - Uploading folders/files recursively
12. AWS : S3 (Simple Storage Service) 6 - Bucket Policy for File/Folder View/Download
13. AWS : S3 (Simple Storage Service) 7 - How to Copy or Move Objects from one region to another
14. AWS : S3 (Simple Storage Service) 8 - Archiving S3 Data to Glacier
15. AWS : Creating a CloudFront distribution with an Amazon S3 origin
16. AWS : Creating VPC with CloudFormation
17. AWS : WAF (Web Application Firewall) with preconfigured CloudFormation template and Web ACL for CloudFront distribution
18. AWS : CloudWatch & Logs with Lambda Function / S3
19. AWS : Lambda Serverless Computing with EC2, CloudWatch Alarm, SNS
20. AWS : Lambda and SNS - cross account
21. AWS : CLI (Command Line Interface)
22. AWS : CLI (ECS with ALB & autoscaling)
23. AWS : ECS with cloudformation and json task definition
24. AWS Application Load Balancer (ALB) and ECS with Flask app
25. AWS : Load Balancing with HAProxy (High Availability Proxy)
26. AWS : VirtualBox on EC2
27. AWS : NTP setup on EC2
28. AWS: jq with AWS
29. AWS & OpenSSL : Creating / Installing a Server SSL Certificate
30. AWS : OpenVPN Access Server 2 Install
31. AWS : VPC (Virtual Private Cloud) 1 - netmask, subnets, default gateway, and CIDR
32. AWS : VPC (Virtual Private Cloud) 2 - VPC Wizard
33. AWS : VPC (Virtual Private Cloud) 3 - VPC Wizard with NAT
34. DevOps / Sys Admin Q & A (VI) - AWS VPC setup (public/private subnets with NAT)
35. AWS - OpenVPN Protocols : PPTP, L2TP/IPsec, and OpenVPN
36. AWS : Autoscaling group (ASG)
37. AWS : Setting up Autoscaling Alarms and Notifications via CLI and Cloudformation
38. AWS : Adding a SSH User Account on Linux Instance
39. AWS : Windows Servers - Remote Desktop Connections using RDP
40. AWS : Scheduled stopping and starting an instance - python & cron
41. AWS : Detecting stopped instance and sending an alert email using Mandrill smtp
42. AWS : Elastic Beanstalk with NodeJS
43. AWS : Elastic Beanstalk Inplace/Rolling Blue/Green Deploy
44. AWS : Identity and Access Management (IAM) Roles for Amazon EC2
45. AWS : Identity and Access Management (IAM) Policies, sts AssumeRole, and delegate access across AWS accounts
46. AWS : Identity and Access Management (IAM) sts assume role via aws cli2
47. AWS : Creating IAM Roles and associating them with EC2 Instances in CloudFormation
48. AWS Identity and Access Management (IAM) Roles, SSO(Single Sign On), SAML(Security Assertion Markup Language), IdP(identity provider), STS(Security Token Service), and ADFS(Active Directory Federation Services)
49. AWS : Amazon Route 53
50. AWS : Amazon Route 53 - DNS (Domain Name Server) setup
51. AWS : Amazon Route 53 - subdomain setup and virtual host on Nginx
52. AWS Amazon Route 53 : Private Hosted Zone
53. AWS : SNS (Simple Notification Service) example with ELB and CloudWatch
54. AWS : Lambda with AWS CloudTrail
55. AWS : SQS (Simple Queue Service) with NodeJS and AWS SDK
56. AWS : Redshift data warehouse
57. AWS : CloudFormation
58. AWS : CloudFormation Bootstrap UserData/Metadata
59. AWS : CloudFormation - Creating an ASG with rolling update
60. AWS : Cloudformation Cross-stack reference
61. AWS : OpsWorks
62. AWS : Network Load Balancer (NLB) with Autoscaling group (ASG)
63. AWS CodeDeploy : Deploy an Application from GitHub
64. AWS EC2 Container Service (ECS)
65. AWS EC2 Container Service (ECS) II
66. AWS Hello World Lambda Function
67. AWS Lambda Function Q & A
68. AWS Node.js Lambda Function & API Gateway
69. AWS API Gateway endpoint invoking Lambda function
70. AWS API Gateway invoking Lambda function with Terraform
71. AWS API Gateway invoking Lambda function with Terraform - Lambda Container
72. Amazon Kinesis Streams
73. AWS: Kinesis Data Firehose with Lambda and ElasticSearch
74. Amazon DynamoDB
75. Amazon DynamoDB with Lambda and CloudWatch
76. Loading DynamoDB stream to AWS Elasticsearch service with Lambda
77. Amazon ML (Machine Learning)
78. Simple Systems Manager (SSM)
79. AWS : RDS Connecting to a DB Instance Running the SQL Server Database Engine
80. AWS : RDS Importing and Exporting SQL Server Data
81. AWS : RDS PostgreSQL & pgAdmin III
82. AWS : RDS PostgreSQL 2 - Creating/Deleting a Table
83. AWS : MySQL Replication : Master-slave
84. AWS : MySQL backup & restore
85. AWS RDS : Cross-Region Read Replicas for MySQL and Snapshots for PostgreSQL
86. AWS : Restoring Postgres on EC2 instance from S3 backup
87. AWS : Q & A
88. AWS : Security
89. AWS : Security groups vs. network ACLs
90. AWS : Scaling-Up
91. AWS : Networking
92. AWS : Single Sign-on (SSO) with Okta
93. AWS : JIT (Just-in-Time) with Okta