AWS Federated Identities

Question

Hello All,

Need your help with below use case:

***Scenario 1***: I have on-prem AD which contains all the users and group membership. I am using OKTA for SSO & 2FA. I want AWS SSO to pull users from on-prem AD and I want to use OKTA for SSO. I DON'T want to enable SCIM proviosning from OKTA to AWS.

****2nd Scenario****: Is it really required to create/bring users into AWS SSO or can we use a federated identity which means no physical account in AWS? An ephemeral account will be created at run time whenever user try to login through OKTA and will be removed when session is over.

I have gone through this link https://aws.amazon.com/identity/federation/

For scenario 1, it says either we can enable AD option or we can use OKTA as IDP. It doesn't tell both th eoptions together. I may be wrong. I don't have env to test this.

Link doesn't talk about Scenario 2 at all.

Answer

If you are using Active Directory as a choice of user directory and using Okta as an IdP, you don't need to leverage AWS SSO service. The example you referenced in that link is when you want to pull users from Okta Universal Directory or Azure AD. In your case, you have your users stored in AD. What you can do is follow the second option in the link of using [AWS IAM to manage federated fine-grained access to AWS accounts](https://aws.amazon.com/identity/federation/). You can use Okta as an IdP to do an IdP-initiated SSO (SAML). When users sign into your AD through Okta, you can access AWS console by assuming an IAM role. This will not create persistent IAM users in AWS. There is [a documentation from Okta](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html) to do the setup.

AWS Federated Identities

Relevant content