This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.
The Okta/AWS Single Sign-on SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
Log in to the AWS Management Console.
Navigate to Security, Identity, & Compliance > AWS Single Sign-On.
Click Enable AWS SSO.
Under Identity source, select Change.
Enter the following:
Select External identity provider.
Click Show individual metadata values.
Copy the AWS SSO Sign-in URL, AWS SSO ACS URL, and AWS SSO issuer URL values; you will enter the ACS and issuer URLs into Okta, and use the Sign-in URL to test the integration.
IdP SAML metadata: Sign in to the Okta Admin dashboard to generate the IdP metadata for your organization, save it as metadata.xml, then upload it into AWS.
Click Next: Review.
Important: Changing your source to or from Active Directory removes all existing user and group assignments. You must manually reapply assignments after you have successfully changed your source.
Review the list of changes. Once you are ready to proceed, type CONFIRM, then click Change identity source.
In Okta, select the Sign On tab for the AWS Single Sign-On SAML app, then click Edit.
Enter the AWS SSO ACS URL and AWS SSO issuer URL values you copied from AWS into the corresponding fields.
Application username format: Select one of the options from the dropdown menu.
Note: Every user in AWS SSO requires a unique username, so the attribute you map must be unique within your organization; a collision means the second user cannot be provisioned or signs in as the wrong identity.
To test the integration, go to the AWS SSO Sign-in URL you copied from AWS and sign in as an assigned Okta user.
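The hand-off above moves three values from AWS into Okta and one metadata file from Okta into AWS, and a typo in any of them fails silently until the first sign-in attempt. As an added pre-flight check (example code written for this page, not Okta's or AWS's own tooling), the script below parses an IdP metadata.xml of the shape Okta generates, extracts the entityID, the HTTP-POST SSO URL and the signing certificate (with a SHA-256 fingerprint to compare against what AWS displays after the upload), sanity-checks the ACS and issuer URLs copied from AWS before they are pasted into Okta, and flags username mappings that would collide. The metadata document, certificate bytes, URLs and user records are constructed placeholders; the expected shape of the AWS URLs (`*.signin.aws.amazon.com/platform/saml/...`) and the `mapping` callable standing in for the Application username format dropdown are assumptions.

```python
"""Pre-flight checks for the Okta -> AWS SSO SAML hand-off (added example,
stdlib only). Parses an IdP metadata.xml in the shape Okta generates, extracts
the values AWS needs, checks the AWS-side values pasted back into Okta, and
flags username mappings that would not be unique. All input is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AWS_HOST_SUFFIX = ".signin.aws.amazon.com"   # assumed shape of the console values

# Constructed placeholder: a DER SEQUENCE header, not a real certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/amazon_aws_sso/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return entityID, HTTP-POST SSO URL and DER signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata (no IDPSSODescriptor)")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' covers both uses
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    return {"entity_id": root.get("entityID"),
            "sso_url": sso[0] if sso else None, "signing_certs": certs}


def fingerprint(der):
    """SHA-256 fingerprint to compare against what AWS shows after the upload."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def check_idp(md):
    """Problems that would make AWS reject or silently fail to validate assertions."""
    problems = []
    if not md["sso_url"] or urlparse(md["sso_url"]).scheme != "https":
        problems.append("no https HTTP-POST SingleSignOnService in metadata")
    if not md["signing_certs"]:
        problems.append("no signing certificate: AWS could not validate assertions")
    for der in md["signing_certs"]:
        if not der or der[0] != 0x30:               # a DER Certificate is a SEQUENCE
            problems.append("X509Certificate body is not DER")
    if len(md["signing_certs"]) > 1:
        problems.append("several signing certs (rollover?): confirm which AWS trusts")
    return problems


def check_aws_values(acs_url, issuer_url):
    """Sanity-check the two values copied from AWS before pasting them into Okta."""
    problems = []
    for name, url, marker in (("ACS URL", acs_url, "/platform/saml/acs/"),
                              ("issuer URL", issuer_url, "/platform/saml/d-")):
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{name} is not https")
        if not (u.hostname or "").endswith(AWS_HOST_SUFFIX):
            problems.append(f"{name} host {u.hostname!r} is not an AWS sign-in host")
        if marker not in u.path:
            problems.append(f"{name} path does not look like an AWS SSO SAML endpoint")
    if urlparse(acs_url).hostname != urlparse(issuer_url).hostname:
        problems.append("ACS and issuer URLs point at different hosts/regions")
    return problems


def duplicate_usernames(users, mapping):
    """Group users whose mapped AWS username would collide (case-insensitive)."""
    seen = {}
    for u in users:
        seen.setdefault(mapping(u).lower(), []).append(u["login"])
    return {k: v for k, v in seen.items() if len(v) > 1}


SAMPLE_USERS = [  # constructed: same local part, different domains
    {"login": "a.smith@example.com", "email": "a.smith@example.com"},
    {"login": "a.smith@contractor.example.com", "email": "a.smith@contractor.example.com"},
]

if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print(md["entity_id"], md["sso_url"], fingerprint(md["signing_certs"][0]))
    print(check_idp(md))
    print(check_aws_values(
        "https://us-east-1.signin.aws.amazon.com/platform/saml/acs/00000000-0000-0000-0000-000000000000",
        "https://us-east-1.signin.aws.amazon.com/platform/saml/d-0000000000"))
    print(duplicate_usernames(SAMPLE_USERS, lambda u: u["email"]))
    print(duplicate_usernames(SAMPLE_USERS, lambda u: u["email"].split("@")[0]))
```

Run it against the real metadata.xml you downloaded from Okta and the real URLs from the AWS console; an empty problem list from `check_idp` and `check_aws_values` means the values are at least the right shape and scheme, and the printed fingerprint should match the certificate AWS shows once the identity source is changed. The last two calls show why the username note matters: mapping on the full email is unique for the sample users, mapping on the email prefix collides.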