Posted On: May 28, 2020

Customers can now connect their Okta Identity Cloud to AWS Single Sign-On (SSO) once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using Okta to access all their assigned AWS accounts. The integration helps customers simplify AWS access management across multiple accounts while maintaining familiar Okta experiences for administrators who manage identities, and for end users as they sign in. AWS SSO and Okta Identity Cloud use standards-based automation to provision users and groups into AWS SSO, saving administration time and increasing security. 

The interoperability of AWS SSO and the Okta Identity Cloud enables administrators to assign users and groups access centrally to their AWS Organizations accounts and AWS SSO integrated applications. This makes it easier for an AWS administrator to manage access to AWS and ensure Okta users have the right access to the right AWS accounts. Ongoing management is also simplified. For example, when using group assignments, Okta administrators can simply grant or remove AWS account access by adding or removing users from an Okta group. 

AWS SSO and the Okta Identity Cloud use the System for Cross-domain Identity Management (SCIM) standard to automate the process of provisioning users and groups into AWS SSO. AWS SSO also authenticates Okta users to their assigned AWS accounts through the Security Assertion Markup Language (SAML 2.0) standard. To configure the SCIM and SAML connections, administrators can use the AWS SSO app available on the Okta Integration Network.  

Your end users get their familiar Okta sign-in experience including MFA and central access to all of their assigned AWS accounts and AWS integrated services, including AWS IoT SiteWise Monitor and Amazon SageMaker Notebooks. In addition, your users can use their Okta credentials to sign in to the AWS Management Console, AWS Command Line Interface (CLI), and mobile app. Now, your developers can simply sign in to the AWS Command Line Interface (CLI) using their Okta credentials and benefit from AWS CLI features such as automatic short-term credential generation and rotation. 

It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console, you can choose AWS SSO, Active Directory, or an external identity provider, now including Okta, as your identity source. Your users sign in with the convenience of their familiar sign-in experience and get single-click access to all their assigned accounts from the AWS SSO user portal. To learn more, please visit AWS Single Sign-On. To connect the Okta Identity Cloud to AWS SSO as an external identity provider, please see the AWS News blog Single Sign-On between Okta Universal Directory and AWS, or the AWS SSO documentation

There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), EU (Ireland), EU (Frankfurt), and EU (London) Regions.