AWS OpenID database access via Okta

Team Edition allows for database connections through AWS OpenID with Okta authentication. This guide details the process for establishing such connections. Please ensure you meet all the prerequisites outlined below before proceeding with the configuration steps.

Prerequisites

• AWS OpenID Configuration: An active configuration of AWS OpenID is necessary. This includes a properly set up AWS account with OpenID Connect enabled. Additionally, ensure the account has the required permissions to create and manage identity providers and roles.
• Okta setup: Access an Okta account with the necessary permissions to configure applications.
• Team Edition administrative access: Ensure administrative privileges in Team Edition.

Configuration steps

1. Create an Application in Okta:

   • Initiate the process by creating an application in Okta. For detailed steps, consult the official Okta documentation on application creation.

   

2. Add Identity Provider in AWS IAM:

   • Add an identity provider in AWS IAM. This allows AWS to authenticate users managed by Okta. For comprehensive instructions, refer to the official AWS documentation on identity providers.

   

   Hints for AWS IAM Identity Provider configuration

   - Provider URL: Use your Okta domain, for example, your-domain.okta.com/. - Audience: Enter Okta's client ID, which can be copied from the application created in Okta.

3. Configure a Role for Web Identity in AWS:

   • The next step is configuring an AWS role for web identity. This role will be used to grant permissions based on the authenticated identity from Okta. For a detailed walkthrough, visit the official AWS documentation on creating roles for identity providers.

   

4. Log in to Team Edition as an Administrator.

5. Enable AWS Services and AWS OpenID Provider:

6. Navigate to Settings -> Administration -> Server Configuration and select the checkboxes for both Cloud (AWS) and AWS OpenID.

7. Configure Identity Provider

   • Continue to Settings -> Administration -> Identity Providers.
   • Click on the + Add button to begin configuring a new identity provider.

   

   Below is the table with fields to be completed for configuring the identity provider:

   Field	Description
   Provider	Select AWS OpenID from the dropdown menu.
   ID	Enter a custom name for the identity provider.
   Configuration name	Specify the configuration name.
   Description (optional)	Provide a brief description of the identity provider.
   Icon URL (optional)	Enter the URL of an icon to represent this identity provider in Team Edition.
   Client ID	Use the Client ID from the Okta application.
   Client Secret	Use the Client Secret from the Okta application.
   IDP auth endpoint URL	Format as https://{okta_domain}/oauth2/v1/authorize.
   IDP token endpoint URL	Format as https://{okta_domain}/oauth2/v1/token.
   Custom scopes	The custom scopes. Use with ; delimiter.
   Role ARN	Enter the ARN for the WebIdentity role from AWS.
   Name of an AWS role claim	Name of the AWS role claim that contains the name of the AWS role.
   Group: Administrators	Administrators group ID. This is the group's unique ID. All users from this group will be associated with the role of Administrator
   Group: Developers	Developers group ID. This is the group's unique ID. All users from this group will be associated with the role of Developer
   Group: Managers	Managers group ID. This is the group's unique ID. All users from this group will be associated with the role of Manager
   Group: Editors	Editors group ID. This is the group's unique ID. All users from this group will be associated with the role of Editor
   Group: Viewers	Viewers group ID. This is the group's unique ID. All users from this group will be associated with the role of Viewer
   Restrict access if user role does not match	If enabled, users whose SSO groups are not mapped to any role in the provider configuration will not be able to log in. User provisioning will also skip such users. If disabled, all authenticated users will be able to log in regardless of group mapping.

   Important

   The Role ARN added during this step acts as the default role. It's not advisable to use an administrator role at this step. It is recommended to use a role with minimum privileges during provider setup.
   
   After the provider is configured, you will see an AWS Role ARN field for each user, where you can specify a role with higher privileges, if necessary.

   • After filling in the fields, click on the Create button to complete the identity provider configuration.

   Info

   For instructions on configuring AWS Regions, see AWS Settings.

8. Copy Redirect and Sign out Links:

9. Enter the newly created identity provider.

10. Copy the Redirect link and the Sign out link.

    

11. Update Redirect URIs in Okta:

12. In your Okta application, navigate to General -> Login.
13. Under Sign-in redirect URIs, paste the copied Redirect link.
14. In the same section, locate Sign-out redirect URIs and paste the Sign out link there.

15. Click Save in Okta to finalize these configurations.

    

16. Now you can log in through the newly created Federated authentication method in Team Edition, using the Configuration name you assigned during the setup.

    

17. Verify the Integration of AWS OpenID and Okta

    1. Once logged in, click on your username in Team Edition and navigate to the User Info tab.
    2. Here, you should see two tokens. Their presence indicates that the integration of AWS OpenID and Okta has been successfully completed, and Team Edition has access to the necessary credentials.

    

18. Following successful login, you can access the databases listed in Cloud Explorer that are integrated with your AWS account.