Set up an Okta AWS Federation connector
This connector integrates with Okta for AWS federation through Okta groups. It’s useful for organizations that use the SAML to AWS app config in Okta, wherein Okta mints a SAML cert with correct group memberships to drive IAM roles for the federated user.
Capabilities
| Resource | Sync | Provision |
|---|---|---|
| Accounts | ✅ | |
| Groups assigned to the AWS app | ✅ | ✅ |
| Application assignments for the AWS app | ✅ |
Available hosting methods
Choose the hosting method that best suits your needs:
| Method | Availability | Notes |
|---|---|---|
| Cloud hosted | ✅ | A built-in, no-code connector hosted by ConductorOne. |
| Self-hosted | A connector hosted and run in your own environment. |
Gather Okta credentials
Each setup method requires you to pass in credentials generated in Okta. Gather these credentials before you move on.
API token permissions and ConductorOne capabilities
ConductorOne’s capabilities depend on the permissions of the API token used to set up the connector:
| ConductorOne capability | Read-only admin token | Read-only + app admin + group admin token | Super admin token |
|---|---|---|---|
| Review group membership | ✅ | ✅ | ✅ |
| Provision group membership | ✅ | ✅ | |
| Review application assignment | ✅ | ✅ | ✅ |
| Provision application assignment | ✅ | ✅ | |
| Review Okta roles | ✅ |
Instead of generating a new API token, you can use an existing API token generated with Super Admin, Read Only Admin or a combination of Read Only/App Admin/Group Admin privileges. To learn more about Okta roles, visit https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm
(Optional) Create a service account for the API token
A user with the Read Only Admin or Super Admin role in Okta must perform this task.
If desired, you can create a service account user in Okta that has the permissions for the API token.
Navigate to Directory > People and click Add person.
Enter the necessary user details to create a user. You might want to use identifiers that make it easily recognizable as a service account, such as First Name: ReadOnly, Last Name: ServiceUser.
Set the Password for the account and store it securely in a vault.
Navigate to Security > Administrator and click Add administrator.
Enter the email address for your newly created Service Account to select the user.
Select the administrator roles to grant: Read Only Admin, Super Administrator, or a combination of Read Only + Application Admin + Group Admin.
Click Add Administrator.
Create an API token
When creating an API token, Okta assigns the permissions of the currently logged-in user to the token. If, for example, you wish to use a Read Only Admin-scoped API token, you must log in to Okta as a user with the Read Only Admin role assigned.
Log into Okta with the account you’ll use to generate the API token. The account must have Read Only Administrator, Super Administrator, or a combination of Read Only/App Admin/Group Admin privileges. The permissions on the API token affects what features and functionality are available from ConductorOne. Before you begin, review the chart in API permissions and ConductorOne capabilities to make sure you’re creating a token with the right permissions for your needs.
In the Okta console, navigate to Security > API and click Tokens.
Click Create Token.
Give your token a name, such as ConductorOne, and click Create Token.
Copy and save the new API token.
That’s it! Next, move on to the instructions for your chosen setup method.
Set up an Okta AWS Federation cloud-hosted connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- Access to the set of Okta credentials generated by following the instructions above
In ConductorOne, click Connectors > Add connector.
Search for Okta AWS Federation and click Add.
Choose how to set up the new Okta AWS Federation connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Enter your Okta domain (the URL of your Okta instance is
<YOUR DOMAIN>.okta.com) into the Okta domain field.Paste your API token into the API token field.
Optional. If desired, click the checkbox to Sync custom roles.
Optional. If desired, click the checkbox to Skip secondary emails when syncing user information.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Okta AWS Federation connector is now pulling access data into ConductorOne.