This guide provides instructions for federating access to Amazon WorkLink using an existing SAML 2.0 based Okta Identity Provider. These instructions only cover the Identity provider (IdP) configuration portion of Amazon WorkLink, and not other areas of the service. For more information about Amazon WorkLink, see getting started with Amazon WorkLink.
 
Pre-requisites
Complete the following pre-requisites before federating access to Amazon WorkLink:
 
  • Confirm that you have access to the Okta portal with administrative privileges

Note: Amazon WorkLink supports only SP (service provider) initiated sign-in: the user starts from the WorkLink app, which redirects to Okta. An IdP-initiated sign-in started from the Okta dashboard is not supported.

Download the service provider metadata document from Amazon WorkLink

1. Open the Amazon WorkLink console.

2. On the fleets page, select the fleet, then choose view details.

3. Choose identity provider (IdP), then choose Link IdP.

4. Under provider type, select SAML.

5. Under service provider metadata document, choose download.

6. Open the downloaded XML file in a text editor.

7. Copy the entityID attribute of the EntityDescriptor element and the Location attribute of the AssertionConsumerService element. You enter both values in Okta in the next section.

Download the service provider document from Amazon WorkLink


Create the SAML application in Okta

1. From the Okta portal, select the applications tab, then choose add application.

 

Add application from Okta portal


2. For platform, choose web.

3. For sign on method, select SAML 2.0.

4. Choose create.

Select platform and sign on method


5. Under the general settings tab, enter the app name for your fleet. For example, Amazon WorkLink.

6. Choose next.

Fill out general settings


7. Under the configure SAML tab, under SAML settings, enter the following values:
    a. Single sign on URL: Paste the AssertionConsumerService Location that you copied from the Amazon WorkLink service provider metadata document.
    b. Audience URI (SP Entity ID): Paste the entityID that you copied from the same document. Copy both values exactly as they appear in the metadata; a SAML assertion whose audience does not match the service provider's entityID is rejected.
    c. Name ID format: Choose EmailAddress.
    d. Application username: Choose Email.

Configure SAML settings


8. Choose next.
9. Choose finish.


Link the Okta IdP to the Amazon WorkLink fleet

1. After the application is created in Okta, choose the sign on tab and download the Identity Provider metadata .xml file to your computer.
2. From the Amazon WorkLink console, choose Link IdP.
3. Under IdP metadata document, choose Choose file.
4. Select the IdP metadata file you downloaded from Okta.
5. Choose Link IdP.
6. Follow the Okta documentation to assign users to the application under the assignments tab.
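The first section of this guide has you pull two values (entityID and the AssertionConsumerService Location) out of the WorkLink service provider metadata by hand, and this section has you hand the Okta IdP metadata back to WorkLink. The following Python script is an added example, not AWS or Okta code: it extracts the Okta SAML settings from the SP metadata with the standard library, and checks the IdP metadata for the things the link step depends on (an HTTP-POST single sign-on endpoint, a signing certificate, HTTPS endpoints, and the emailAddress NameID format). The two metadata documents in it are constructed samples with hypothetical entityIDs, URLs and a placeholder certificate; point the two functions at the real downloaded files.

```python
"""Pull the Okta SAML settings out of an Amazon WorkLink SP metadata document and
sanity-check the Okta IdP metadata document before linking it to the fleet.

Added example, not AWS or Okta code. SP_METADATA and IDP_METADATA are constructed
samples; their entityIDs, URLs and certificate are hypothetical placeholders."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
OKTA_NAMEID_LABEL = {EMAIL_FORMAT: "EmailAddress"}  # Okta dropdown label for the URN

# Constructed sample in the shape of the WorkLink SP metadata (hypothetical values).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-fleet.worklink.example/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-fleet.worklink.example/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder certificate: a minimal DER SEQUENCE, just enough for the encoding check.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed sample in the shape of the IdP metadata Okta exports (hypothetical values).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(sp_metadata_xml: str) -> dict:
    """Return the values to enter under 'Configure SAML' in the Okta app."""
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    # Okta delivers the SAMLResponse with an HTTP POST, so only an HTTP-POST ACS is
    # usable; prefer the one marked isDefault, otherwise take the first.
    post = [a for a in sp.findall("md:AssertionConsumerService", NS) if a.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    acs = next((a for a in post if a.get("isDefault") == "true"), post[0])
    formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "single_sign_on_url": acs.get("Location"),     # Okta: Single sign on URL
        "audience_uri": root.get("entityID"),          # Okta: Audience URI (SP Entity ID)
        "name_id_format": next((OKTA_NAMEID_LABEL[f] for f in formats if f in OKTA_NAMEID_LABEL), None),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_idp_metadata(idp_metadata_xml: str) -> dict:
    """Check the Okta IdP metadata for what the WorkLink link step depends on."""
    root = ET.fromstring(idp_metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    problems = []
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_POST not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for loc in sso.values():
        if not (loc or "").startswith("https://"):
            problems.append(f"SSO location is not HTTPS: {loc}")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") != "signing" or node is None or not node.text:
            continue  # no 'use' attribute means the key serves signing and encryption
        der = base64.b64decode("".join(node.text.split()))
        if der[:1] == b"\x30":   # a DER certificate starts with a SEQUENCE tag
            certs += 1
        else:
            problems.append("signing certificate is not DER encoded")
    if certs == 0:
        problems.append("no signing certificate; the SP cannot verify assertion signatures")
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if formats and EMAIL_FORMAT not in formats:
        problems.append("IdP does not advertise the emailAddress NameID format")
    return {"entity_id": root.get("entityID"), "sso_post_url": sso.get(HTTP_POST),
            "signing_certs": certs, "problems": problems}
```

`sp_settings` returns the three values for steps 7a to 7c of the Okta configuration, and `check_idp_metadata` returns an empty `problems` list when the Okta export is fit to upload under IdP metadata document. A missing signing certificate or a non-HTTPS endpoint are the two findings worth stopping on: the first means the service provider has nothing to verify assertion signatures against, the second means the SAML exchange would leave HTTPS.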


Validate the federation

Install the Amazon WorkLink app from the Apple App Store or Google Play Store and sign in to validate the identity provider federation.

Note: Users cannot sign in with SSO unless all of the following are true:

  • The user exists in your Okta directory.
  • The user is assigned to the Amazon WorkLink application in Okta.
  • The user has received an Amazon WorkLink user invite from your WorkLink fleet. The invite contains the fleet-specific company code, which is required to sign in to the app.