AWS OpenID database access via Okta

Overview

Team Edition allows for database connections through AWS OpenID with Okta authentication. This guide details the process for establishing such connections. Please ensure you meet all the prerequisites outlined below before proceeding with the configuration steps.

Prerequisites

• AWS OpenID Configuration: An active configuration of AWS OpenID is necessary. This includes a properly set up AWS account with OpenID Connect enabled. Additionally, ensure the account has the required permissions to create and manage identity providers and roles.
• Okta setup: Access an Okta account with the necessary permissions to configure applications.
• Team Edition administrative access: Ensure administrative privileges in Team Edition.

Configuration steps

1. Create an Application in Okta:

   • Initiate the process by creating an application in Okta. For detailed steps, consult the official Okta documentation on application creation.

   

2. Add Identity Provider in AWS IAM:

   • Add an identity provider in AWS IAM. This allows AWS to authenticate users managed by Okta. For comprehensive instructions, refer to the official AWS documentation on identity providers.

   

   Hints for AWS IAM Identity Provider configuration

   - Provider URL: Use your Okta domain, for example, your-domain.okta.com/. - Audience: Enter Okta's client ID, which can be copied from the application created in Okta.

3. Configure a Role for Web Identity in AWS:

   • The next step is configuring an AWS role for web identity. This role will be used to grant permissions based on the authenticated identity from Okta. For a detailed walkthrough, visit the official AWS documentation on creating roles for identity providers.

   

4. Log in to Team Edition as an Administrator.

5. Enable AWS Services and AWS OpenID Provider:

6. Navigate to Settings -> Administration -> Server Configuration and select the checkboxes for both Cloud (AWS) and AWS OpenID.

7. Configure Identity Provider

   • Continue to Settings -> Administration -> Identity Providers.
   • Click on the + Add button to begin configuring a new identity provider.

   

   Below is the table with fields to be completed for configuring the identity provider:

   Field	Description
   Provider	Select AWS OpenID from the dropdown menu.
   ID	Enter a custom name for the identity provider.
   Configuration name	Specify the configuration name.
   Description (optional)	Provide a brief description of the identity provider.
   Icon URL (optional)	Enter the URL of an icon to represent this identity provider in Team Edition.
   Client ID	Use the Client ID from the Okta application.
   Client Secret	Use the Client Secret from the Okta application.
   IDP auth endpoint URL	Format as https://{okta_domain}/oauth2/v1/authorize.
   IDP token endpoint URL	Format as https://{okta_domain}/oauth2/v1/token.
   Custom scopes	The custom scopes. Use with ; delimiter.
   Role ARN	Enter the ARN for the WebIdentity role from AWS.
   Name of an AWS role claim	Name of the AWS role claim that contains the name of the AWS role.

   Important

   The Role ARN added during this step acts as the default role. It's not advisable to use an administrator role at this step. It is recommended to use a role with minimum privileges during provider setup.
   
   After the provider is configured, you will see an AWS Role ARN field for each user, where you can specify a role with higher privileges, if necessary.

   • After filling in the fields, click on the Create button to complete the identity provider configuration.

   Info

   For instructions on configuring AWS Regions, see AWS Settings.

8. Copy Redirect and Sign out Links:

9. Enter the newly created identity provider.

10. Copy the Redirect link and the Sign out link.

    

11. Update Redirect URIs in Okta:

12. In your Okta application, navigate to General -> Login.
13. Under Sign-in redirect URIs, paste the copied Redirect link.
14. In the same section, locate Sign-out redirect URIs and paste the Sign out link there.

15. Click Save in Okta to finalize these configurations.

    

16. Now you can log in through the newly created Federated authentication method in Team Edition, using the Configuration name you assigned during the setup.

    

17. Verify the Integration of AWS OpenID and Okta

    1. Once logged in, click on your username in Team Edition and navigate to the User Info tab.
    2. Here, you should see two tokens. Their presence indicates that the integration of AWS OpenID and Okta has been successfully completed, and Team Edition has access to the necessary credentials.

    

18. Following successful login, you can access the databases listed in Cloud Explorer that are integrated with your AWS account.