
AWS OpenID database access via Okta

Team Edition allows for database connections through AWS OpenID with Okta authentication. This guide details the process for establishing such connections. Please ensure you meet all the prerequisites outlined below before proceeding with the configuration steps.

Prerequisites

  • AWS OpenID Configuration: An active configuration of AWS OpenID is necessary. This includes a properly set up AWS account with OpenID Connect enabled. Additionally, ensure the account has the required permissions to create and manage identity providers and roles.
  • Okta setup: Access to an Okta account with the permissions needed to configure applications.
  • Team Edition administrative access: Ensure administrative privileges in Team Edition.

Configuration steps

  1. Create an Application in Okta:

  2. Add Identity Provider in AWS IAM:

    Hints for AWS IAM Identity Provider configuration

    - Provider URL: Use your Okta domain, for example, your-domain.okta.com/.
    - Audience: Enter Okta's client ID, which can be copied from the application created in Okta.

  3. Configure a Role for Web Identity in AWS:
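The Web Identity role from step 3 trusts the IAM identity provider from step 2, and the part that matters for security is the trust policy's condition on the token audience: without it, any application registered in the same Okta org can mint a token that assumes the role. The following is an added example, not code from the guide or from Team Edition; it builds such a trust policy and audits an existing one. The Okta domain, AWS account ID and client ID are constructed placeholders, and the provider ARN / condition key format (`arn:aws:iam::<account>:oidc-provider/<host>` and `<host>:aud`) is the standard IAM form for OIDC providers.

```python
# Added example (not part of the guide): build the trust policy for the
# Web Identity role from step 3 and audit it so that only tokens issued by
# your Okta org for the Team Edition client ID can assume the role.
# Account ID, Okta domain and client ID are constructed placeholders.
import json

OKTA_DOMAIN = "your-domain.okta.com"   # bare host, as used in the IAM provider ARN
ACCOUNT_ID = "123456789012"            # placeholder AWS account ID
CLIENT_ID = "0oaEXAMPLECLIENTID"       # placeholder Okta client ID (the "Audience" from step 2)
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(okta_domain: str, account_id: str, client_id: str) -> dict:
    """Trust policy pinned to one OIDC provider and one audience (client ID)."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{okta_domain}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {f"{okta_domain}:aud": client_id}},
        }],
    }


def audit_trust_policy(policy: dict, okta_domain: str, client_id: str) -> list:
    """Return findings for every Allow statement that grants web-identity
    assumption. An empty list means each such statement is limited to the
    expected provider and audience. This checks only what matters for
    web-identity federation; it is not a general IAM policy linter."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in (ASSUME_ACTION, "sts:*", "*") for a in actions):
            continue  # statement cannot be used to assume the role via a token
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}
        if principal.get("AWS") == "*":
            findings.append(f"statement {idx}: wildcard principal")
        federated = str(principal.get("Federated", ""))
        if not federated.endswith(f":oidc-provider/{okta_domain}"):
            findings.append(
                f"statement {idx}: federated principal is not the {okta_domain} OIDC provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{okta_domain}:aud")
        if aud is None:
            findings.append(
                f"statement {idx}: no {okta_domain}:aud condition; any app in this Okta org could assume the role")
        elif aud != client_id:
            findings.append(
                f"statement {idx}: aud condition is {aud!r}, expected {client_id!r}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(OKTA_DOMAIN, ACCOUNT_ID, CLIENT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, OKTA_DOMAIN, CLIENT_ID))
```

Running the file prints a trust policy you can paste into the role's trust relationship after replacing the placeholders; `audit_trust_policy` can be pointed at the JSON returned by `aws iam get-role` to confirm the `aud` pin is still in place after later edits.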

  4. Log in to Team Edition as an Administrator.

  5. Enable AWS Services and AWS OpenID Provider:

  6. Navigate to Settings -> Administration -> Server Configuration and select the checkboxes for both Cloud (AWS) and AWS OpenID.

  7. Configure Identity Provider

    • Continue to Settings -> Administration -> Identity Providers.
    • Click on the + Add button to begin configuring a new identity provider.

    Below is the table with fields to be completed for configuring the identity provider:

    Field | Description
    ----- | -----------
    Provider | Select AWS OpenID from the dropdown menu.
    ID | Enter a custom name for the identity provider.
    Configuration name | Specify the configuration name.
    Description (optional) | Provide a brief description of the identity provider.
    Icon URL (optional) | Enter the URL of an icon to represent this identity provider in Team Edition.
    Client ID | Use the Client ID from the Okta application.
    Client Secret | Use the Client Secret from the Okta application.
    IDP auth endpoint URL | Format as https://{okta_domain}/oauth2/v1/authorize.
    IDP token endpoint URL | Format as https://{okta_domain}/oauth2/v1/token.
    Custom scopes | Additional scopes to request; separate several scopes with ;.
    Role ARN | Enter the ARN for the WebIdentity role from AWS.
    Name of an AWS role claim | Name of the claim that contains the AWS role name.
    Group: Administrators | Administrators group ID. This is the group's unique ID. All users from this group will be associated with the role of Administrator.
    Group: Developers | Developers group ID. This is the group's unique ID. All users from this group will be associated with the role of Developer.
    Group: Managers | Managers group ID. This is the group's unique ID. All users from this group will be associated with the role of Manager.
    Group: Editors | Editors group ID. This is the group's unique ID. All users from this group will be associated with the role of Editor.
    Group: Viewers | Viewers group ID. This is the group's unique ID. All users from this group will be associated with the role of Viewer.
    Restrict access if user role does not match | If enabled, users whose SSO groups are not mapped to any role in the provider configuration will not be able to log in. User provisioning will also skip such users. If disabled, all authenticated users will be able to log in regardless of group mapping.

    Important

    The Role ARN added during this step acts as the default role for every user signed in through this provider. Do not use an administrator role here; use a role with the minimum privileges required during provider setup.

    After the provider is configured, you will see an AWS Role ARN field for each user, where you can specify a role with higher privileges, if necessary.

    • After filling in the fields, click on the Create button to complete the identity provider configuration.

    Info

    For instructions on configuring AWS Regions, see AWS Settings.
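The Group rows and the "Restrict access if user role does not match" switch in the table above decide who gets in and with which Team Edition role. The following is an added example, not the product's code, that models those semantics so you can reason about a given user's outcome before enabling the provider. The group IDs are constructed. Two behaviours are assumptions the guide does not state: when a user is in several mapped groups the most privileged role wins, and blank Group fields are simply ignored.

```python
# Added example (not Team Edition's code): model the group-to-role mapping and the
# "Restrict access if user role does not match" switch from the provider table.
# Group IDs are constructed. Assumed, not stated by the guide: the most privileged
# matching role wins when a user is in several mapped groups.

# Role names in the order of the Group rows, most to least privileged (assumed order).
ROLE_ORDER = ["Administrator", "Developer", "Manager", "Editor", "Viewer"]

# Table row -> role it maps to.
GROUP_FIELDS = {
    "Group: Administrators": "Administrator",
    "Group: Developers": "Developer",
    "Group: Managers": "Manager",
    "Group: Editors": "Editor",
    "Group: Viewers": "Viewer",
}

# Constructed values for the Group rows of one provider configuration;
# Managers and Editors are left blank on purpose.
PROVIDER_CONFIG = {
    "Group: Administrators": "00gADMINexample",
    "Group: Developers": "00gDEVexample",
    "Group: Managers": "",
    "Group: Editors": "",
    "Group: Viewers": "00gVIEWexample",
}


def mapping_from_fields(provider_config: dict) -> dict:
    """Invert the filled-in Group fields into {group_id: role}; blank fields are ignored."""
    mapping = {}
    for field, role in GROUP_FIELDS.items():
        group_id = (provider_config.get(field) or "").strip()
        if group_id:
            mapping[group_id] = role
    return mapping


def resolve_role(groups_claim, group_to_role: dict, restrict_unmapped: bool):
    """Return (allowed, role) for a user.

    groups_claim is the list of group IDs carried in the user's token (None or
    empty when the IdP issued no groups claim). restrict_unmapped mirrors the
    "Restrict access if user role does not match" checkbox.
    """
    matched = {group_to_role[g] for g in (groups_claim or []) if g in group_to_role}
    for role in ROLE_ORDER:          # first hit in ROLE_ORDER is the most privileged match
        if role in matched:
            return True, role
    if restrict_unmapped:
        return False, None           # login refused; provisioning skips this user
    return True, None                # login allowed, no role from the group mapping


if __name__ == "__main__":
    mapping = mapping_from_fields(PROVIDER_CONFIG)
    for groups in (["00gDEVexample", "00gVIEWexample"], ["00gUNMAPPED"], None):
        print(groups, "restricted:", resolve_role(groups, mapping, True),
              "open:", resolve_role(groups, mapping, False))
```

The second and third sample users show why the restrict switch matters: with it off, anyone who can authenticate to the Okta org is let in even when no Group row matches, so leave it enabled unless you intend every Okta user to reach Team Edition.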

  8. Copy Redirect and Sign out Links:

  9. Enter the newly created identity provider.
  10. Copy the Redirect link and the Sign out link.

  11. Update Redirect URIs in Okta:

  12. In your Okta application, navigate to General -> Login.
  13. Under Sign-in redirect URIs, paste the copied Redirect link.
  14. In the same section, locate Sign-out redirect URIs and paste the Sign out link there.
  15. Click Save in Okta to finalize these configurations.

  16. Now you can log in through the newly created Federated authentication method in Team Edition, using the Configuration name you assigned during the setup.

  17. Verify the Integration of AWS OpenID and Okta

    1. Once logged in, click on your username in Team Edition and navigate to the User Info tab.
    2. Here, you should see two tokens. Their presence indicates that the integration of AWS OpenID and Okta has been successfully completed, and Team Edition has access to the necessary credentials.

  18. Following successful login, you can access the databases listed in Cloud Explorer that are integrated with your AWS account.