In this 3 part series, we’re looking at integrating Amazon AppStream and Okta using an Okta Developer account. In the first post, we created an Okta Developer account, Okta applications for our AppStream stacks, and saved our Okta Identity Provider metadata. In this post (#2 of the series), we’ll be setting up Identity Providers and an IAM role in AWS to support AppStream/Okta integration.
Configuring Okta Identity Providers in AWS
With the Identity Provider metadata from Okta on-hand, let’s open up the AWS console and create the required AWS IDPs and IAM role.
- Login to the AWS console and launch the IAM dashboard.
2. On the IAM dashboard, click Identity providers | Add provider
3. On the Add an Identity provider page, select SAML as the Provider type. Enter a Provider name the helps you to properly identify the Okta application that this IDP is used for. Click Choose file to select the appropriate IDP metadata file for this IDP.
4. Once the metadata has been selected, click Add provider.
5. With the provider added, click Assign Role
6. On the Assign role pop-up, select Create a new role and click Next. Note, you have to create a unique IDP for each Okta application however, you can use the same IAM role for multiple providers. For each additional IDP, you can create new roles or use an existing one.
7. On the Select type of trusted entity page, set the following attributes and click Next: Permissions.
- Type of trusted entity – SAML 2.0 federation
- SAML provider – should be filled in with the IDP you just created in step #4
- Attribute – SAML:sub_type
- Value – persistent
8. On the Attach permissions policies page, select the policy to attach to the role and click Next: Tags. In this example, the AmazonAppStreamFullAccess policy was chosen.
9. On the Add tags page, enter any tags necessary or required for your organization and click Next:Review.
10. On the Review page, specify a Role name and description and click Create role.
11. When setting up the Okta application settings, you will need the Role ARN and the AWS IDP ARN. Copy those values and have them at the ready.
If Adding a Second IDP….
- Though you must create an IAM IDP for every Okta application you wish to make available, you can assign the same IAM Role to each IDP you create. After you create IDP, copy its ARN. Click Roles, locate the role that was created to support the first Okta application and click Trust relationships | Edit trust relationship
2. On the Edit Trust Relationship screen, add the ARN of the second IDP and click Update Trust Policy.
In this post, we looked at the steps to create an AWS IAM IDP and Role to support Okta/AppStream integration. Remember to have the IDP and Role ARNs available as you will need them when finalizing the configuration of the Okta applications. In the next post, we’ll complete the Okta/AppStream integration and then test access to the AppStream stacks.