Unifying Access: AWS SSO Federation with Okta
As businesses increasingly adopt cloud services, efficient and secure identity and access management becomes paramount. Amazon Web Services (AWS) offers a robust solution in the form of AWS IAM Identity Center, formerly known as AWS Single Sign-On (SSO), which simplifies access across the multiple AWS accounts in an AWS Organization and across applications. Integrating AWS SSO with Okta, a leading identity management platform, can further enhance user experience and security. In this blog, I’ll talk about the concept of AWS SSO Federation with Okta and delve into the architecture that drives this seamless identity management.
The Power of AWS SSO Federation
AWS SSO is designed to streamline access management for multiple AWS accounts and applications. It enables users to sign in once with their existing corporate credentials and access all their assigned AWS accounts and applications without multiple logins. This not only simplifies the user experience but also reduces administrative overhead and enhances security by enforcing multi-factor authentication (MFA) policies.
AWS IAM Identity Center allows you to:
- Choose your preferred identity source (Okta One ID) for use across your AWS Organization.
- Use multi-account permissions to give workforce users access to multiple AWS accounts or applications.
- Use application assignments to give your workforce users single sign-on access to AWS and cloud applications.
The diagram below shows the identity source options available. In this blog, we will talk about Okta.
Figure 1. Multiple Identity Providers with AWS IAM Identity Center
Introducing Okta as an Identity Provider
Okta is a modern identity management platform that offers Single Sign-On (SSO), Multi-Factor Authentication (MFA), and centralized user management capabilities. By integrating Okta with AWS SSO, organizations can leverage their existing user identities to seamlessly access AWS resources.
Figure 2. Multi-account integration representation with Okta
AWS IAM Identity Center with Okta - Workflow
- With Okta One ID Federation, users and groups can be provisioned automatically into AWS IAM Identity Center using SCIM automatic provisioning.
- AWS SSO centralizes the administration of users and permission sets across all AWS accounts, so admins can more easily manage who gets access to what in AWS.
- Using Okta Lifecycle Management, users and groups defined in Okta are automatically synchronized with AWS SSO. With the Okta SSO integration, project-specific group management is performed in the Okta IdP.
- AWS SSO admins can then assign permission sets to those users and groups to authorize access to AWS services (e.g., Amazon EC2, Amazon S3) in specific AWS accounts.
- Changes made in Okta (for example, when someone leaves the organization or changes roles) are automatically reflected downstream, through AWS SSO, so access permissions change instantly.
- Using the Group Push feature, existing Okta groups and their memberships can be pushed to AWS SSO. Then, in AWS SSO, you can create role-oriented permission sets per account, which determine a user’s permissions in a particular AWS account.
- The final step is to assign users to AWS accounts and permission sets. Now, when a user signs in to the AWS SSO user portal from Okta, they gain access (through the AWS Management Console) only to the specific AWS accounts and resources they are authorized to use.
SAML Federation Architecture
The architecture diagram illustrates the AWS SSO federation flow with an identity provider (here, Okta).
Figure 3. SAML federation workflow with AWS SSO
- User Access Request: The user browses to your organization’s portal and selects the option to go to the AWS Management Console. In your organization, the portal is typically a function of your IdP that handles the exchange of trust between your organization and AWS.
- Okta Authentication: The portal verifies the user’s identity in your organization.
- SAML Assertion Generation: The portal generates a SAML authentication response containing assertions that identify the user and carry attributes about the user. You can also configure the IdP to include a SAML assertion attribute called SessionDuration, which specifies how long the console session is valid, and to pass attributes as session tags. The portal sends this response to the client’s browser.
- SAML Assertion Exchange: The client browser is redirected to the AWS single sign-on endpoint and posts the SAML assertion.
- AWS SSO Authentication: The endpoint requests temporary security credentials on behalf of the user and creates a console sign-in URL that uses those credentials.
- Access AWS Resources: The client browser is redirected to the AWS Management Console. If the SAML authentication response includes attributes that map to multiple IAM roles, the user is first prompted to select the role for accessing the console.
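The steps above describe what the IdP sends; the security of the whole flow rests on what the service-provider side refuses to accept. The following is an added example, not code from the original post or from AWS or Okta, showing the structural checks an SP performs on a SAML response before trusting it: success status, a single assertion from the expected issuer, the validity window, the audience and recipient bindings, and the AWS role and SessionDuration attributes (the attribute names `https://aws.amazon.com/SAML/Attributes/Role`, `RoleSessionName` and `SessionDuration` are AWS's real ones). XML signature verification is deliberately left to a SAML library; the checks here are the ones that must still pass once the signature verifies. The entity IDs, ACS URL, ARNs and the sample response are constructed for the example.

```python
# Added example (not from the original post): structural validation of a SAML 2.0
# response as a service provider performs it before trusting the asserted identity.
# Signature verification is out of scope here; use a SAML library for that.
# Entity IDs, URLs, ARNs and the sample response below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Attribute names AWS defines for SAML federation (these names are real).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MIN_SESSION, MAX_SESSION = 900, 43200  # AWS-documented range: 15 minutes to 12 hours

# Constructed stand-ins for the real Okta issuer, SP entity ID and ACS URL.
EXPECTED_ISSUER = "http://www.okta.com/exk_EXAMPLE"
EXPECTED_AUDIENCE = "urn:example:aws-sso-sp"
ACS_URL = "https://sp.example.invalid/saml/acs"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-15T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/Okta</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:role/Admin,arn:aws:iam::111122223333:saml-provider/Okta</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_NAME_ATTR}"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{SESSION_DURATION_ATTR}"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC 'Z' strings; strptime keeps this portable across Python versions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _check_window(now, not_before, not_on_or_after, skew):
    """Reject assertions outside their validity window, allowing a small clock skew."""
    if not_before and now + skew < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired")


def validate_response(xml_text, expected_issuer, expected_audience, acs_url, now,
                      skew=timedelta(seconds=60)):
    """Return the identity and AWS attributes in the response, or raise ValueError."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    # Destination (when present) and Recipient bind the response to this ACS URL,
    # so a response issued for a different SP is not accepted here.
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Destination does not match this ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected assertion issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    _check_window(now, cond.get("NotBefore"), cond.get("NotOnOrAfter"), skew)
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("SubjectConfirmationData Recipient mismatch")
    _check_window(now, None, scd.get("NotOnOrAfter"), skew)

    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    roles = []
    for pair in attrs.get(ROLE_ATTR, []):  # each value is "<role ARN>,<saml-provider ARN>"
        parts = [p.strip() for p in pair.split(",")]
        role = [p for p in parts if p.startswith("arn:aws:iam::") and ":role/" in p]
        provider = [p for p in parts if p.startswith("arn:aws:iam::") and ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {pair!r}")
        roles.append((role[0], provider[0]))
    if not roles:
        raise ValueError("no AWS Role attribute in assertion")
    duration = int(attrs.get(SESSION_DURATION_ATTR, ["3600"])[0])
    if not MIN_SESSION <= duration <= MAX_SESSION:  # this example rejects out-of-range values
        raise ValueError("SessionDuration outside the permitted range")
    return {
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "session_name": attrs.get(SESSION_NAME_ATTR, [None])[0],
        "roles": roles,
        "session_duration": duration,
        # Several roles means the user must pick one before the sign-in URL is issued.
        "needs_role_choice": len(roles) > 1,
    }


def validate_sample(now_iso="2024-01-15T10:01:00Z"):
    """Run the checks on the constructed sample; now_iso simulates the SP clock."""
    return validate_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                             ACS_URL, parse_saml_time(now_iso))


def rejection_reason(now_iso="2024-01-15T10:01:00Z", audience=EXPECTED_AUDIENCE):
    """Return why the sample would be rejected for the given clock/audience, or None."""
    try:
        validate_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, audience, ACS_URL, parse_saml_time(now_iso))
    except ValueError as exc:
        return str(exc)
    return None
```

Running `validate_sample()` returns the subject, both role/provider ARN pairs and `needs_role_choice=True`, which is the condition under which the console prompts for a role as described in the last step above; `rejection_reason("2024-01-15T11:00:00Z")` shows the same response being refused once its window has passed, and `rejection_reason(audience="urn:example:other-sp")` shows the audience check catching an assertion minted for a different SP.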
Key Advantages of AWS SSO Federation with Okta
- Automatic Provisioning: Automatic provisioning of user and group information from Okta to AWS SSO using the SCIM V2.0 protocol.
- Simplified Access Management: Users can access multiple AWS accounts and applications with a single set of corporate credentials.
- Enhanced Security: Centralized authentication and MFA policies from Okta improve overall security posture.
- Reduced Administrative Overhead: Users, groups and permissions are managed centrally from the AWS management account, so IT teams spend less time managing user accounts and permissions.
- Auditing and Compliance: Centralized identity management allows for easier tracking and auditing of user access.
- Improved User Experience: Users enjoy a seamless sign-on experience across a diverse range of AWS Accounts and applications.
Implementation Steps
- Set Up Okta: Configure Okta as an identity provider and define the required applications.
- Configure AWS SSO (Service Provider): Set up the AWS SSO instance and define applications and user attributes.
- Sign in to the AWS Management Console and navigate to the AWS SSO service.
- On the left pane of the AWS SSO console, choose Settings.
- On the Settings page, click Identity Source, then Actions > Change Identity Source.
Figure 4. Screenshot of the Actions menu used to change the identity source in AWS SSO
- Select External identity provider, as shown in the screenshot below.
Figure 5. External identity provider screenshot
- Under Service provider metadata, download the SP metadata file or copy and paste the individual fields.
1. Okta to AWS SSO Integration
Create a SAML app in Okta and configure the AWS SSO metadata.
- Go to Okta (IdP).
- Choose the Sign On sub-tab.
- Choose Identity Provider metadata; the browser opens a new tab with the XML data. Save the XML it displays as okta-idp.xml on your computer and close the browser tab that displays the metadata.
Saved Okta metadata
On the Okta console, choose Back to Applications or choose Applications on the toolbar.
2. Exchange the Metadata between SP and IDP
First, upload the AWS SSO metadata to the Okta application.
- Log in to Okta and click Applications in the left-hand panel.
- Click the AWS IAM Identity Center (AWS SSO) application.
- Click Sign On and then click the Edit button.
3. Edit button to exchange Sign On metadata
- Enter the details captured in step 2.e and save.
- To complete the configuration of Okta as the external identity provider, upload the Okta identity provider metadata to AWS SSO.
- Switch to the AWS SSO console browser tab you opened in step 2.a.
- Choose Browse and select the okta-idp.xml document you saved in step 3.1.c.
- In the Identity Source section, in the Identity Source row, choose Change.
- Choose Next: Configure external identity provider.
AWS SSO window to upload the Okta IdP metadata
- Under IdP SAML metadata, choose the file downloaded in step 3.c.
- Review the information provided and click Next.
- In the field at the bottom, enter CONFIRM.
- Choose Change Identity source. After the reconfiguration has been completed, choose Return to Settings.
SCIM Provisioning Enablement
To enable automatic provisioning in IAM Identity Center:
- Sign in to the AWS Management Console and navigate to the AWS SSO service.
- On the left pane of the AWS SSO console, choose Settings.
- On the Settings page, locate the Automatic provisioning box and enable it.
- Once enabled, the console displays the SCIM endpoint and an access token. Copy both values; they are needed when configuring provisioning on the IdP (Okta) side. The access token is a bearer credential for your Identity Center directory, so store it as a secret rather than in notes or tickets.
Enablement of automatic SCIM provisioning
Configure provisioning in Okta.
- Log in to Okta and click Applications in the left-hand panel.
- Click the AWS IAM Identity Center (AWS SSO) application.
- Click Provisioning and then click the Integration edit button.
Integration edit button for SCIM provisioning in Okta
- Click on Enable API integration to enable provisioning.
- Enter the SCIM endpoint and access token captured in step 4.1.d.
- Choose Test API Credentials to verify the credentials entered are valid and then save.
- AWS SSO Role Configuration: Define roles and permission sets in AWS SSO for users.
- Test and Monitor: Thoroughly test the integration and monitor for any issues or security concerns.
Conclusion
The integration of AWS SSO Federation with Okta represents a leap forward in modern identity and access management. By leveraging the power of single sign-on and centralizing user identities, organizations can significantly improve both security and user experience. The architecture’s simplicity and effectiveness make it an ideal solution for managing access to AWS resources across diverse applications and accounts. With the right implementation, AWS SSO Federation with Okta paves the way for streamlined access management in today’s dynamic cloud ecosystem.
If you have any questions or need a hand, please don’t hesitate to contact me on. Read, Comment and follow.