Federate your Organization’s Active Directory users to AWS Console & AWS CLI, using Okta & AWS SSO
If your organization uses Microsoft Active Directory and Okta, this article shows how to integrate AWS SSO with Okta so that your Active Directory users can federate into the AWS Console and the AWS CLI via Okta, using their existing Active Directory credentials.
(*You can also connect AWS SSO directly to a self-managed Active Directory; this post is specifically for enterprises and customers that already use Okta to extend SSO to their applications.)
Organizations adopting the AWS Cloud need to manage identities from a single source of truth. Many already use an external identity provider such as Okta and have onboarded their enterprise and SaaS applications (Workday, for example) to it, so that users do not have to create, maintain and remember separate credentials for every application.
Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources. In this system, an identity provider (IdP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources.
Federation is a common approach to building access control systems which manage users centrally within a central IdP and govern their access to multiple applications and services acting as SPs.
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
Here are the high-level steps towards the solution (skip Step 0 if you already have a Microsoft Active Directory):
1. Download and install the Okta AD agent on a domain-joined server
2. Set up and configure Okta to connect to MS Active Directory
3. Set up AWS SSO in AWS
4. Configure the AWS SSO application in Okta
5. Assign groups/users to the AWS SSO application in Okta
Step 0: For this demo I created a Simple AD directory (DNS name: simplead.awshero.co.uk) in an AWS account instead of a Microsoft Active Directory. Here my organization’s domain is awshero.co.uk; yours may be example.com or anything else, and you would typically be using a Microsoft Active Directory on-premises.
A Windows Server 2019 EC2 instance, joined to the Active Directory domain, is used to connect to and manage the directory. (With Simple AD the domain controllers themselves are managed by AWS, so this domain-joined member server is also where the Okta AD agent is installed in Step 1.)
Once it is running, log in to the instance as the domain Administrator:
Install the Active Directory management tools (RSAT) needed to interact with AD:
If the installation succeeds, the Active Directory tools appear in the Windows Start menu:
Open ‘Active Directory Users and Computers’:
I created one group, ‘AWS-AdminAccess’, and two admin users that are members of it. (Your Active Directory will probably have many more groups and users.)
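For readers who would rather script the directory setup than click through the console, here is the PowerShell equivalent of the steps above. This is an added example and not part of the original post: it installs the RSAT tools and creates the ‘AWS-AdminAccess’ group and the two admin users with the ActiveDirectory module. The container path, domain names and e-mail domain are assumptions for this walkthrough. Note that the ActiveDirectory module talks to Active Directory Web Services, which Microsoft AD provides but the Samba-based Simple AD used in the demo does not, so against Simple AD do the same steps in the ADUC console.

```powershell
# Added example, not from the original post. Scripts the directory setup done via the console above.
# Run on the domain-joined management server as a domain admin. The container, domain names and
# e-mail domain below are assumptions for this walkthrough; adjust them for your directory.

# 1. Install the AD management tools (ADUC console + ActiveDirectory PowerShell module)
Install-WindowsFeature -Name RSAT-ADDS, RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

$Domain      = 'simplead.awshero.co.uk'                        # AD DNS name from the demo
$EmailDomain = 'awshero.co.uk'                                 # mail domain Okta will see
$Container   = 'CN=Users,DC=simplead,DC=awshero,DC=co,DC=uk'   # assumed: default Users container
$GroupName   = 'AWS-AdminAccess'

# 2. Security group that Okta will sync and that AWS SSO will map to a permission set
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
        -GroupCategory Security -Path $Container `
        -Description 'Members receive the AdministratorAccess permission set through Okta / AWS SSO'
}

# 3. Two admin users. Passwords are prompted for, never hard-coded in the script.
#    givenName, sn and mail matter: Okta's default AD mapping turns them into firstName,
#    lastName and email, and email is what gets pushed on to AWS SSO as the user's identifier.
foreach ($Sam in 'admin1', 'admin2') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
        $Password = Read-Host -AsSecureString -Prompt "Initial password for $Sam"
        New-ADUser -Name $Sam -SamAccountName $Sam `
            -UserPrincipalName "$Sam@$Domain" -EmailAddress "$Sam@$EmailDomain" `
            -GivenName $Sam -Surname 'Demo' -DisplayName "$Sam Demo" `
            -Path $Container -AccountPassword $Password -Enabled $true
    }
    Add-ADGroupMember -Identity $GroupName -Members $Sam
}

# 4. Verify what Okta's import will pick up: the group and its members with the mapped attributes
Get-ADGroupMember -Identity $GroupName |
    Get-ADUser -Properties mail, userPrincipalName |
    Select-Object SamAccountName, userPrincipalName, mail, Enabled
```

The verification at the end is worth keeping: if a user shows up here without a mail value, Okta will still import the account, but the downstream push to AWS SSO will have no e-mail to work with, which is the most common reason a freshly synced user never appears in AWS SSO.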
Now let’s set up and configure Okta. (I assume Okta is already set up in your organization; if not, refer to the Okta documentation to create an Okta org and get started.)
Step 1: Download and install the Okta AD agent on a domain-joined Windows server (in this demo, the management instance from Step 0, since the Simple AD domain controllers are managed by AWS). Refer to the Okta documentation for detailed instructions.
Once it is installed successfully, the Active Directory appears on the Okta Directory Integrations page:
Step 2: Now configure the Active Directory integration in Okta. The OUs (Organizational Units) from your Active Directory are listed; select the ones from which you want to sync users and groups, then click Next:
The next step is attribute mapping between Active Directory and Okta (see the Okta documentation on attribute mapping for help). I’ll stick to the defaults and click Next, and the Active Directory configuration is done.
Before proceeding to the next step, let me explain the two ways users and groups can be brought into Okta.
1. Just-In-Time (JIT) provisioning: JIT provisioning creates the user account in Okta automatically the first time the user authenticates with Active Directory delegated authentication (see the Okta documentation).
2. Scheduled import: Okta imports users and groups from Active Directory on a schedule you choose, or on demand with ‘Import Now’ (see the Okta documentation).
Option 1: Scheduled import
On the ‘Import’ tab, click ‘Import Now’ to start importing users and groups from Active Directory:
The two users I created in Active Directory are now in Okta, along with the group ‘AWS-AdminAccess’:
OR Option 2: Just-in-Time (JIT) provisioning
Some configuration changes are needed before users can be created this way: on the ‘Provisioning’ tab, enable JIT provisioning and set new users to be confirmed and activated automatically, as shown below:
Because this is JIT provisioning, a user is created in Okta only when that user first attempts to log in via Okta. (I’ll be using JIT for this demo.)
(*Ignore the value 1 under imported users confirmed; I tested this demo twice, hence it shows 1 user.)
Next, configure the AWS Single Sign-On application on both sides, in AWS and in Okta.
Step 3: Configure AWS SSO in AWS by following this step-by-step guide. This is where you change the AWS SSO identity source to an external identity provider (Okta, via SAML) and enable automatic provisioning, so that Okta can push users and groups to AWS SSO over SCIM.
Step 4: Configure the AWS SSO application in Okta
Go to Applications → Applications, click the ‘Add Application’ button, search for AWS Single Sign On and click Add:
Give it a name and click Done:
The AWS SSO application is added to Okta:
Step 5: When done, assign the desired group(s) to the AWS SSO application in Okta (assign groups rather than individual users where you can; it keeps access reviewable):
We are ready to log in. Open the AWS SSO user portal URL; it redirects to the Okta login page. (*Make sure you are logged out of any active AWS session, or use a fresh private window such as Firefox Private Browsing or Chrome Incognito.)
You can get the AWS SSO user portal URL by logging in to the AWS account and opening the AWS SSO service:
I’ll log in with one of the Active Directory users. On opening the AWS SSO portal URL, the Okta authentication page is displayed, where the user enters their existing Active Directory credentials:
Upon successful authentication, the request is redirected to the AWS SSO page, but no AWS accounts are listed because the user does not yet have any AWS account assigned:
Since I used JIT provisioning in Okta, I can now see the second user, admin2, in Okta, who attempted the login to AWS. (*User admin1 was part of my earlier test; please ignore.)
Now let’s assign this user an AWS account. To do that, log in to the AWS account → AWS SSO → Users:
You can see that user admin2 has been pushed by Okta to AWS SSO (the SCIM provisioning set up in Step 3). To assign the user access to an account and a permission set, follow this AWS documentation:
You can also assign access to the imported group:
Assignment completed:
Log out, open the AWS SSO portal URL again with the same user (admin2 in my case) and sign in again:
Now admin2 has an AWS account to sign in to, with the permission set that has been assigned:
User admin2 is logged in to the AWS Console:
Now admin2 wants to use the AWS CLI with his Active Directory credentials. To access the AWS CLI using SSO, the user follows the steps below.
Click ‘Command line or programmatic access’ on the AWS SSO portal page:
Copy the details for your OS. Option 2 pastes a profile with short-lived credentials into the AWS credentials file (the other options work as well); these credentials expire with the session, so for day-to-day use the ‘aws configure sso’ flow below is more convenient:
Copy the AWS SSO URL:
(make sure you have AWS CLI v2 installed before you continue to next step)
Open the Windows command prompt, type ‘aws configure sso’ and enter the details as below:
After pressing Enter, the AWS CLI opens the browser at the Okta page, where the user enters the Active Directory credentials:
(*If no browser is available on that machine, for example over SSH, open the device URL the CLI prints on any other device and enter the code it shows.)
Upon successful authentication, a ‘Sign in to AWS CLI’ window is displayed. Clicking the button authorizes the CLI session:
The AWS CLI asks for a few more details (account, role, default region and output format), after which the user can interact with any AWS service he is authorized to use:
To log out of SSO, type ‘aws sso logout’:
If all went well, this article has helped you integrate your Active Directory with Okta and AWS SSO, and your users can federate to the AWS Console and the AWS CLI with their Active Directory credentials.
You no longer need to create, distribute and store long-lived AWS credentials for the console and the CLI; users simply log in with their existing Active Directory credentials. One caveat: the CLI still caches the SSO access token and the short-lived role credentials it obtains as plain JSON files under ~/.aws/sso/cache and ~/.aws/cli/cache, so protect that home directory as you would any credential store, and run ‘aws sso logout’ when you are done on a shared machine.
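For a scripted version of the CLI part, here is the non-interactive equivalent of the ‘aws configure sso’ dialogue, followed by the login, a verification call and the logout. This is an added example, not from the original post: it requires AWS CLI v2, and the start URL, region, account ID, permission-set name and profile name are placeholders that you replace with the values shown on your ‘Command line or programmatic access’ page.

```powershell
# Added example, not from the original post. Equivalent of answering the 'aws configure sso'
# prompts, then logging in through Okta and checking which identity the CLI ended up with.
# Requires AWS CLI v2. All values below are placeholders; take the real ones from the
# "Command line or programmatic access" page of your AWS SSO portal.
$ProfileName = 'okta-admin2'
$StartUrl    = 'https://d-xxxxxxxxxx.awsapps.com/start'   # your AWS SSO user portal URL
$SsoRegion   = 'eu-west-2'                                # region where AWS SSO is enabled
$AccountId   = '123456789012'                             # AWS account assigned to the user
$RoleName    = 'AdministratorAccess'                      # permission set assigned to the user

# 1. Write the SSO profile to ~/.aws/config (the same keys the interactive wizard writes).
#    No access keys are involved, only the portal location and the role to assume.
aws configure set sso_start_url  $StartUrl  --profile $ProfileName
aws configure set sso_region     $SsoRegion --profile $ProfileName
aws configure set sso_account_id $AccountId --profile $ProfileName
aws configure set sso_role_name  $RoleName  --profile $ProfileName
aws configure set region         $SsoRegion --profile $ProfileName
aws configure set output         json       --profile $ProfileName

# 2. Log in: the CLI opens the browser at Okta (or prints a device URL and code if it cannot).
#    The resulting SSO access token is cached under ~/.aws/sso/cache.
aws sso login --profile $ProfileName
if ($LASTEXITCODE -ne 0) { throw 'SSO login failed; check the Okta assignment and the profile values.' }

# 3. The first API call exchanges the token for short-lived role credentials (cached in ~/.aws/cli/cache).
#    The Arn shows the AWS SSO role and the federated user, e.g.
#    arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_<hash>/<username>
aws sts get-caller-identity --profile $ProfileName | ConvertFrom-Json | Format-List

# 4. Finished: clear the cached SSO token so nobody else on this machine can reuse it.
aws sso logout
```

The ‘get-caller-identity’ call is the check worth keeping in any onboarding script: the role name in the Arn confirms that the permission set assigned in AWS SSO is the one the CLI actually received, which is the quickest way to spot a user who was assigned the wrong group in Okta.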
I’ll share another article where I’ll be showcasing Azure AD Integration with AWS SSO, so if you have migrated from on-premise Microsoft Active Directory to Azure AD, you can federate your Azure AD users to AWS.
If you have any queries or issues do let me know in comments section, I’ll do my best to resolve your queries. If you want me to write an article on any AWS service or use case, do let me know that as well, I’ll try my best to write it up.
Please clap and follow me if you liked this article 😊
Thank you! Be safe.