
AWS Identity Center (SSO) ClickOps

This guide provides an overview of setting up AWS Identity Center (SSO) with ClickOps, detailing prerequisites and supported external identity providers. It explains how to integrate AWS SSO with providers like Azure AD, JumpCloud, Okta, and Google Workspace, including specific steps for configuring each.

How it Works

AWS Single Sign-On (AWS SSO) is a service that simplifies access management for AWS accounts and applications. It enables users to sign in to AWS once and access multiple AWS accounts and applications without re-entering credentials. To use it with an identity provider (IdP) such as Okta, administrators configure the integration within the AWS Management Console. This involves setting up a new AWS SSO instance, connecting it to the IdP, and specifying the users or groups that should have access to AWS resources. AWS SSO also provides logging and auditing capabilities, allowing organizations to track user access to AWS resources and monitor security-related events.

  1. SAML-Based Authentication

    The integration between the IdP and AWS SSO relies on the Security Assertion Markup Language (SAML) for authentication and authorization. SAML enables the exchange of authentication and authorization data between the IdP (for example, Okta) and AWS, allowing users to log in once to the IdP and gain access to AWS resources without additional logins.

  2. User Provisioning

    AWS SSO can be configured to automatically provision and de-provision user accounts based on changes in the IdP directory. This keeps user access in sync with changes made in the IdP (for example, Okta) environment.

  3. AWS SSO Permission Sets

    AWS SSO allows administrators to define fine-grained access policies, specifying which AWS accounts and services users from the IdP can access.

  4. Multi-Factor Authentication (MFA)

    Organizations using Okta for authentication with AWS SSO can enhance security by enforcing multi-factor authentication (MFA) for added identity verification.

Once configured, users can experience single sign-on when accessing AWS resources. They log in to their IdP account and seamlessly gain access to AWS without needing to provide credentials again.

Note that the specifics of the integration process may change over time, so refer to the official AWS and Okta documentation for the most current information.

Prerequisites

First, enable the AWS IAM Identity Center (successor to AWS Single Sign-On) service in the core-root account. This is the account where the aws-sso component will be deployed.

  1. Navigate to the core-root account in the AWS Web Console
  2. Select your primary region
  3. Go to AWS IAM Identity Center (successor to AWS Single Sign-On)
  4. Enable the service

Configure your Identity Provider

These are the instructions for the most common Identity Providers. Alternatives are available, but the steps may vary depending on the provider.

Note that the specifics of the integration process may change over time, so refer to the official AWS documentation and your IdP's documentation for the most current information.

For providers not covered in the following section, follow the AWS documentation for setting up an IdP integration with AWS. The providers AWS documents include Azure AD, CyberArk, OneLogin, and Ping Identity.

Okta is a common business suite with an active directory used to manage users and permissions. We can use it to log in to AWS by leveraging Okta Applications, which are used to sign in to services from your Okta account.

Setup Okta

  1. Under the Admin Panel go to Applications
  2. Click Browse App Catalog
  3. Search for AWS IAM Identity Center and click Add Integration
  4. Keep the default settings of App Label ("AWS IAM Identity Center") and Application Visibility
  5. Go to Sign On and copy the information from the SAML Metadata section; this will be used in AWS SSO.
  6. Then go to Provisioning and click Configure API Integration

Setup AWS SSO

  1. Sign in to AWS SSO under your management account (core-root)
  2. Go to the AWS IAM Identity Center (successor to AWS Single Sign-On) application
  3. Enable IAM Identity Center
  4. On the left panel click Settings
  5. Under Identity Source click edit and add an External identity provider
  6. Copy the information from Okta into the fields
  7. The Okta App will need to be updated with the Service provider metadata