Many customers rely directly on Okta or other identity providers (IdPs) to federate access to their technology stack and tools. With federation, security teams can centralize user management in one place, which simplifies and brings agility to their day-to-day operations while maintaining the highest security standards.
To help develop a data-driven culture, everyone within an organization can use Amazon DataZone. To realize the benefits of using Amazon DataZone for governing data and making it discoverable and available across different teams for collaboration, customers integrate it with their existing technology stack. Handling access through their identity provider and preserving a familiar single sign-on (SSO) experience allows customers to extend the use of Amazon DataZone to users across teams in the organization without any friction while maintaining centralized control.
Amazon DataZone is a fully managed data management service that makes it faster and easier for customers to catalog, discover, share, and govern data stored across Amazon Web Services (AWS), on premises, and third-party sources. It also makes it easier for data producers, analysts, and business users to access data throughout an organization so that they can discover, use, and collaborate to derive data-driven insights.
You can use AWS IAM Identity Center to securely create and manage identities for your organization's workforce, or sync and use identities that are already set up and available in Okta or another identity provider, to keep centralized control of them. With IAM Identity Center you can also manage the SSO experience of your organization centrally, across your AWS accounts and applications.
This post guides you through the process of setting up Okta as an identity provider for signing in users to Amazon DataZone. The process uses IAM Identity Center and its native integration with Amazon DataZone to integrate with external identity providers. Note that, even though this post focuses on Okta, the pattern presented relies on the SAML 2.0 standard and so can be replicated with other identity providers.
Prerequisites
To build the solution presented in this post, you must have:
Process overview
Throughout this post you'll follow these high-level steps:
- Establish a SAML connection between Okta and IAM Identity Center.
- Set up automatic provisioning of users and groups in IAM Identity Center so that users and groups in the Okta domain are created in Identity Center.
- Assign users and groups to your AWS accounts in IAM Identity Center by assuming an AWS Identity and Access Management (IAM) role.
- Access the AWS Management Console and Amazon DataZone portal through Okta SSO.
- Manage Amazon DataZone-specific permissions in the Amazon DataZone portal.
Setting up user federation with Okta and IAM Identity Center
This guide follows the steps in Configure SAML and SCIM with Okta and IAM Identity Center.
Before you get started, review the following items in your Okta setup:
- Every Okta user must have a First name, Last name, Username and Display name value specified.
- Each Okta user has only a single value per data attribute, such as email address or phone number. Users that have multiple values will fail to synchronize. If there are users that have multiple values in their attributes, remove the duplicate attributes before attempting to provision the user in IAM Identity Center. For example, only one phone number attribute can be synchronized. Because the default phone number attribute is work phone, use the work phone attribute to store the user's phone number, even if the phone number for the user is a home phone or a mobile phone.
- If you update a user's address you must have streetAddress, city, state, zipCode and the countryCode value specified. If any of these values aren't specified for the Okta user at the time of synchronization, the user (or changes to the user) won't be provisioned.
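The three review items above can be checked mechanically before provisioning is switched on, which is cheaper than discovering the failures one user at a time in the Okta provisioning log. The script below is an added example, not code from the original post, Okta or AWS: it encodes the three rules as checks over a list of user profiles and shows the shape of the SCIM 2.0 User resource a valid profile would be pushed as. The attribute names follow Okta's default user profile (firstName, lastName, login, displayName, email, primaryPhone and the five address fields); the Okta-to-SCIM mapping is an illustrative assumption, not the Okta connector's own logic, and the profiles are constructed sample data.

```python
"""Pre-flight check of Okta user profiles before SCIM provisioning.

Added example, not code from the original post, Okta or AWS. It turns the three
review items above into checks and shows the SCIM 2.0 User resource shape that a
valid profile would be pushed as. Attribute names follow Okta's default user
profile; the Okta-to-SCIM mapping is an illustrative assumption, not the Okta
connector's own logic. All profiles are constructed sample data."""
from typing import Dict, List, Tuple

REQUIRED_NAME_FIELDS = ("firstName", "lastName", "login", "displayName")
ADDRESS_FIELDS = ("streetAddress", "city", "state", "zipCode", "countryCode")


def check_profile(profile: Dict[str, object]) -> List[str]:
    """Return the reasons this user would fail to provision (empty list = OK)."""
    problems: List[str] = []
    # 1. First name, Last name, Username and Display name must all be set.
    for field in REQUIRED_NAME_FIELDS:
        if not profile.get(field):
            problems.append(f"missing required attribute {field}")
    # 2. Every attribute must be single-valued; a list means duplicate values.
    for key, value in profile.items():
        if isinstance(value, (list, tuple, set)) and len(value) > 1:
            problems.append(f"attribute {key} has {len(value)} values, expected one")
    # 3. Once any address field is set, all five address fields must be set.
    present = [f for f in ADDRESS_FIELDS if profile.get(f)]
    if present and len(present) != len(ADDRESS_FIELDS):
        missing = [f for f in ADDRESS_FIELDS if not profile.get(f)]
        problems.append("incomplete address, missing " + ", ".join(missing))
    return problems


def to_scim_user(profile: Dict[str, object]) -> Dict[str, object]:
    """Map a profile that passed check_profile to a SCIM 2.0 User (assumed mapping)."""
    user: Dict[str, object] = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": profile["login"],
        "name": {"givenName": profile["firstName"], "familyName": profile["lastName"]},
        "displayName": profile["displayName"],
        "active": True,
    }
    if profile.get("email"):
        user["emails"] = [{"value": profile["email"], "primary": True, "type": "work"}]
    # Only the work phone (Okta primaryPhone) is synchronized, so forward just that.
    if profile.get("primaryPhone"):
        user["phoneNumbers"] = [{"value": profile["primaryPhone"], "type": "work"}]
    if all(profile.get(f) for f in ADDRESS_FIELDS):
        user["addresses"] = [{
            "type": "work", "primary": True,
            "streetAddress": profile["streetAddress"], "locality": profile["city"],
            "region": profile["state"], "postalCode": profile["zipCode"],
            "country": profile["countryCode"],
        }]
    return user


def triage(profiles: List[Dict[str, object]]) -> Tuple[List[Dict[str, object]], Dict[str, List[str]]]:
    """Split profiles into provisionable SCIM users and a login -> problems map."""
    ok: List[Dict[str, object]] = []
    rejected: Dict[str, List[str]] = {}
    for profile in profiles:
        problems = check_profile(profile)
        if problems:
            rejected[str(profile.get("login") or "<no login>")] = problems
        else:
            ok.append(to_scim_user(profile))
    return ok, rejected


# Constructed sample profiles: one clean, one with a blank last name and two
# e-mail values, one with a half-filled address.
SAMPLE_PROFILES: List[Dict[str, object]] = [
    {"firstName": "Ana", "lastName": "Lopez", "login": "ana@example.com",
     "displayName": "Ana Lopez", "email": "ana@example.com", "primaryPhone": "+1-555-0100"},
    {"firstName": "Ben", "lastName": "", "login": "ben@example.com",
     "displayName": "Ben", "email": ["ben@example.com", "b@example.com"]},
    {"firstName": "Cy", "lastName": "Park", "login": "cy@example.com",
     "displayName": "Cy Park", "streetAddress": "1 Main St", "city": "Austin"},
]

if __name__ == "__main__":
    users, errors = triage(SAMPLE_PROFILES)
    print(f"{len(users)} provisionable, {len(errors)} rejected")
    for login, problems in errors.items():
        print(f"  {login}: " + "; ".join(problems))
```

Run against the constructed profiles, only Ana passes; Ben is rejected for the blank last name and the two e-mail values, and Cy for the incomplete address. Feeding the rejected logins back to whoever owns the Okta directory before enabling the To App provisioning settings avoids partial syncs where some users silently never appear in Identity Center.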
1) Establish a SAML connection between Okta and AWS IAM Identity Center
Now, let's establish a SAML connection between Okta and AWS IAM Identity Center. First, you'll create an application in Okta to establish the connection:
- Sign in to the Okta admin dashboard, expand Applications, then select Applications.
- On the Applications page, choose Browse App Catalog.
- In the search box, enter AWS IAM Identity Center, then select the app to add the IAM Identity Center app.
- Choose the Sign On tab.
- Under SAML Signing Certificates, select Actions, and then select View IdP Metadata. A new browser tab opens showing the document tree of an XML file. Select all of the XML from <md:EntityDescriptor> to </md:EntityDescriptor> and copy it to a text file.
- Save the text file as metadata.xml.
Leave the Okta admin dashboard open; you'll continue using it in the later steps.
Second, you're going to set up Okta as an external identity provider in IAM Identity Center:
- Open the IAM Identity Center console as a user with administrative privileges.
- Choose Settings in the navigation pane.
- On the Settings page, choose Actions, and then select Change identity source.
- Under Choose identity source, select External identity provider, and then choose Next.
- Under Configure external identity provider, do the following:
  - Under Service provider metadata, choose Download metadata file to download the IAM Identity Center metadata file and save it on your system. You'll provide the Identity Center SAML metadata file to Okta later in this tutorial.
  - Copy the following items to a text file for easy access (you'll need these values later):
    - IAM Identity Center Assertion Consumer Service (ACS) URL
    - IAM Identity Center issuer URL
  - Under Identity provider metadata, under IdP SAML metadata, choose Choose file and then select the metadata.xml file you created in the previous step.
- Choose Next.
- After you read the disclaimer and are ready to proceed, enter ACCEPT.
- Choose Change identity source.
Leave the AWS console open, because you'll use it in the next task.
- Return to the Okta admin dashboard and choose the Sign On tab of the IAM Identity Center app, then choose Edit.
- Under Advanced Sign-on Settings, enter the following:
  - For ACS URL, enter the value you copied for IAM Identity Center Assertion Consumer Service (ACS) URL.
  - For Issuer URL, enter the value you copied for IAM Identity Center issuer URL.
  - For Application username format, select one of the options from the drop-down menu. Make sure the value you select is unique for each user. For this tutorial, select Okta username.
- Choose Save.
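Step 1 moves two metadata documents in opposite directions: the IdP metadata copied from Okta into metadata.xml, and the service-provider metadata downloaded from IAM Identity Center, whose entityID and AssertionConsumerService location are the Issuer URL and ACS URL typed into Okta. The most common mistake is uploading the wrong file on one side, which SAML sign-in only reports later as a generic error. The following Python example is added here and is not code from the post, AWS or Okta; it parses both documents, refuses a file of the wrong kind, extracts the two values for the Advanced Sign-on Settings, and checks that the IdP metadata carries a signing certificate and that the SP requires signed assertions. Both XML documents are constructed samples: the entity IDs, application IDs, region and certificate are placeholders, and the URL shapes are assumptions modelled on the console, not values from the post.

```python
"""Read the SAML metadata exchanged in step 1 and derive the Okta sign-on values.

Added example, not code from the original post, AWS or Okta. Parses the IdP
metadata copied from Okta (metadata.xml) and the service-provider metadata
downloaded from IAM Identity Center, extracts the ACS URL and Issuer URL for
Okta's Advanced Sign-on Settings, and refuses a file of the wrong kind. Both
documents are constructed samples with placeholder IDs and certificate."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape Okta shows under View IdP Metadata.
# The X509Certificate is base64 of the text "PLACEHOLDER CERT", not a real key.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVIgQ0VSVA==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed service-provider metadata standing in for the IAM Identity Center download.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/EXAMPLE_SP_ID">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE_SP_ID"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_kind(xml_text: str) -> str:
    """Classify a metadata document as 'idp', 'sp' or 'unknown' by its role descriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return "unknown"
    if root.find("md:IDPSSODescriptor", NS) is not None:
        return "idp"
    if root.find("md:SPSSODescriptor", NS) is not None:
        return "sp"
    return "unknown"


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Pull entityID, the HTTP-POST SSO endpoint and the signing certificate out of IdP metadata."""
    if metadata_kind(xml_text) != "idp":
        raise ValueError("not identity-provider metadata (did you upload the SP file?)")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("IdP metadata carries no signing certificate")
    der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping first
    return {"entity_id": root.get("entityID"), "sso_post_url": sso.get(HTTP_POST),
            "signing_cert_bytes": len(der)}


def parse_sp_metadata(xml_text: str) -> Dict[str, object]:
    """Pull the Issuer URL (entityID) and default HTTP-POST ACS URL out of SP metadata."""
    if metadata_kind(xml_text) != "sp":
        raise ValueError("not service-provider metadata (did you pick metadata.xml?)")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = None
    for svc in sp.findall("md:AssertionConsumerService", NS):
        if svc.get("Binding") == HTTP_POST and (acs is None or svc.get("isDefault") == "true"):
            acs = svc.get("Location")
    if acs is None:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    return {"issuer_url": root.get("entityID"), "acs_url": acs,
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}


def okta_sign_on_settings(idp_xml: str, sp_xml: str) -> Dict[str, object]:
    """Values for Okta's Advanced Sign-on Settings plus basic consistency checks."""
    idp, sp = parse_idp_metadata(idp_xml), parse_sp_metadata(sp_xml)
    problems: List[str] = []
    if not str(sp["acs_url"]).startswith("https://"):
        problems.append("ACS URL is not https")
    if not sp["want_assertions_signed"]:
        problems.append("SP metadata does not require signed assertions")
    return {"ACS URL": sp["acs_url"], "Issuer URL": sp["issuer_url"], "idp": idp, "problems": problems}


if __name__ == "__main__":
    print(okta_sign_on_settings(SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA))
```

With your real files, read metadata.xml and the downloaded Identity Center file from disk and pass their text to okta_sign_on_settings; the returned ACS URL and Issuer URL are exactly the two strings to paste into Okta, and a non-empty problems list is worth resolving before the first sign-in test.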
2) Set up automatic provisioning of users and groups in AWS IAM Identity Center
You're now able to set up automatic provisioning of users from Okta into IAM Identity Center. Leave the Okta admin dashboard open and return to the IAM Identity Center console for the next step.
- In the IAM Identity Center console, on the Settings page, locate the Automatic provisioning information box, and then choose Enable. This enables automatic provisioning in IAM Identity Center and displays the required System for Cross-domain Identity Management (SCIM) endpoint and access token information.
- In the Inbound automatic provisioning dialog box, copy each of the values for the following options:
  - SCIM endpoint
  - Access token
You'll use these values to configure provisioning in Okta later.
- Choose Close.
- Return to the Okta admin dashboard and navigate to the IAM Identity Center app.
- On the AWS IAM Identity Center app page, choose the Provisioning tab, and then in the navigation pane, under Settings, choose Integration.
- Choose Edit, and then select the check box next to Enable API integration to enable provisioning.
- Configure Okta with the SCIM provisioning values from IAM Identity Center that you copied earlier:
  - In the Base URL field, enter the SCIM endpoint. Make sure that you remove the trailing forward slash at the end of the URL.
  - In the API Token field, enter the Access token value.
- Choose Test API Credentials to verify the credentials entered are valid. The message AWS IAM Identity Center was verified successfully! displays.
- Choose Save. You're taken to the Settings area, with Integration selected.
- Review the following setup before moving forward. In the Provisioning tab, in the navigation pane under Settings, choose To App. Check that all options are enabled. They should be enabled by default, but if not, enable them.
3) Assign users and groups to your AWS accounts in AWS IAM Identity Center by assuming an AWS IAM role
By default, no groups or users are assigned to your Okta IAM Identity Center app. Complete the following steps to synchronize users with IAM Identity Center.
- In the Okta IAM Identity Center app page, choose the Assignments tab. You can assign both people and groups to the IAM Identity Center app.
- To assign people:
  - In the Assignments page, choose Assign, and then choose Assign to people.
  - Select the Okta users that you want to have access to the IAM Identity Center app. Choose Assign, choose Save and Go Back, and then choose Done.
  This begins the process of provisioning the individual users into IAM Identity Center.
- To assign groups:
  - Choose the Push Groups tab. You can create rules to automatically provision Okta groups into IAM Identity Center.
  - Choose the Push Groups drop-down list and select Find groups by rule.
  - In the By rule section, set a rule name and a condition. For this post we're using AWS SSO Rule as the rule name and begins with awssso as the group name condition. This condition can be different depending on the name of the group you want to sync.
  - Choose Create Rule.
  - (Optional) To create a new group, choose Directory in the navigation pane, and then choose Groups.
    - Choose Add group and enter a name, and then choose Save.
    - After you have created the group, you can assign people to it. Select the group name to manage the group's users.
    - Choose Assign people and select the users that you want to assign to the group.
    - You will see the users that are assigned to the group.
  - Going back to Applications in the navigation pane, select the AWS IAM Identity Center app and choose the Push Groups tab. You should have the groups that match the rule synchronized between Okta and IAM Identity Center. The group status should be set to Active after the group and its members are updated in Identity Center.
- To verify the synchronization:
  - Return to the IAM Identity Center console. In the navigation pane, choose Users. You should see the user list that was updated by Okta.
  - In the left navigation, select Groups; you should see the group list that was updated by Okta.
Congratulations! You've successfully set up a SAML connection between Okta and AWS and have verified that automatic provisioning is working.
OPTIONAL: If you need to provide Amazon DataZone console access to the Okta users and groups, you can manage these permissions through the IAM Identity Center console.
- In the IAM Identity Center navigation pane, under Multi-account permissions, choose AWS accounts.
- On the AWS accounts page, the Organizational structure displays your organizational root with your accounts beneath it in the hierarchy. Select the checkbox for your management account, then choose Assign users or groups.
- The Assign users and groups workflow displays. It consists of three steps:
  - For Step 1: Select users and groups, choose the user that will be performing the administrator job function. Then choose Next.
  - For Step 2: Select permission sets, choose Create permission set to open a new tab that steps you through the three sub-steps involved in creating a permission set.
    - For Step 1: Select permission set type, complete the following:
      - In Permission set type, choose Predefined permission set.
      - In Policy for predefined permission set, choose AdministratorAccess.
      - Choose Next.
    - For Step 2: Specify permission set details, keep the default settings, and choose Next.
    The default settings create a permission set named AdministratorAccess with session duration set to 1 hour. You can also specify reduced permissions with a custom policy just to allow Amazon DataZone console access.
    - For Step 3: Review and create, verify that the Permission set type uses the AWS managed policy AdministratorAccess or your custom policy. Choose Create. On the Permission sets page, a notification appears informing you that the permission set was created. You can close this tab in your web browser now.
  - On the Assign users and groups browser tab, you are still on Step 2: Select permission sets, from which you started the create permission set workflow.
  - In the Permission sets area, choose Refresh. The AdministratorAccess permission set or the custom policy set you created appears in the list. Select the checkbox for that permission set, and then choose Next.
  - For Step 3: Review and submit, review the selected user and permission set, then choose Submit.
  The page updates with a message that your AWS account is being configured. Wait until the process completes.
- You're returned to the AWS accounts page. A notification message informs you that your AWS account has been re-provisioned, and the updated permission set is applied. When a user signs in, they will have the option of choosing the AdministratorAccess role or a custom policy role.
4) Access the AWS console and Amazon DataZone portal through Okta SSO
Now, you can test your user access into the console and Amazon DataZone portal using the Okta external identity application.
- Sign in to the Okta dashboard using a test user account.
- Under My Apps, select the AWS IAM Identity Center icon.
- Complete the authentication process using your Okta credentials.
4.1) For administrative users
- You're signed in to the portal and can see the AWS account icon. Expand that icon to see the list of AWS accounts that the user can access. In this tutorial, you worked with a single account, so expanding the icon only shows one account.
- Select the account to display the permission sets available to the user. In this tutorial you created the AdministratorAccess permission set.
- Next to the permission set are links for the type of access available for that permission set. When you created the permission set, you specified that both management console and programmatic access be enabled, so those two options are present. Select Management console to open the console.
- The user is signed in to the console. Using the search bar, look for Amazon DataZone service and open it.
- Open the Amazon DataZone console and make sure you have enabled SSO users through IAM Identity Center. If you haven't, you can follow the steps in Enable IAM Identity Center for Amazon DataZone.
Note: In this post, we followed the default IAM Identity Center for Amazon DataZone configuration, which has implicit user assignment mode enabled. With this option, any user added to your Identity Center directory can access your Amazon DataZone domain automatically. If you opt for explicit user assignment instead, remember that you need to manually add users to your Amazon DataZone domain in the Amazon DataZone console for them to have access.
To learn more about how to manage user access to an Amazon DataZone domain, see Manage users in the Amazon DataZone console.
- Choose Open data portal to access the Amazon DataZone portal.
4.2) For all other users
- Choose the Applications tab in the AWS access portal window and choose the Amazon DataZone data portal application link.
- In the Amazon DataZone data portal, choose SIGN IN WITH SSO to continue.
Congratulations! Now you're signed in to the Amazon DataZone data portal using your user that's managed by Okta.
5) Manage Amazon DataZone-specific permissions in the Amazon DataZone portal
After you have access to the Amazon DataZone portal, you can work with projects, the data assets within them, environments, and other constructs that are specific to Amazon DataZone. A project is the overarching construct that brings together people, data, and analytics tools. A project has two roles: owner and contributor. Next, you'll learn how a user can be made an owner or contributor of existing projects.
These steps must be completed by the existing project owner in the Amazon DataZone portal:
- Open the Amazon DataZone portal, select the project drop-down list at the top left of the portal and choose the project you own.
- In the project window, choose the Members tab to see the current users in the project and add a new one.
- Choose Add Members to add a new user. Make sure the User type is SSO User to add an Okta user. Look for the Okta user in the name drop-down list, select it, and select a project role for it. Finally, choose Add Members to add the user.
- The Okta user has been granted the selected project role and can interact with the project, assets, and tools.
- You can also grant permissions to SSO Groups. Choose Add members, then select SSO group in the drop-down list, next select the Group name, set the assigned project role, and choose Add Members.
- The Okta group has been granted the project role and can interact with the project, assets, and tools.
You can also manage SSO user and group access to the Amazon DataZone data portal from the console. See Manage users in the Amazon DataZone console for more details.
Clean up
To ensure a seamless experience and avoid any future charges, we kindly request that you follow these steps:
By following these steps, you can effectively clean up the resources used in this blog post and prevent any unnecessary charges from accruing.
Summary
In this post, you followed a step-by-step guide to set up and use Okta to federate access to Amazon DataZone with AWS IAM Identity Center. You also learned how to organize users and manage their permissions in Amazon DataZone. As a final thought, now that you're familiar with the elements involved in integrating an external identity provider such as Okta to federate access to Amazon DataZone, you're ready to try it with other identity providers.
To learn more, see Managing Amazon DataZone domains and user access.
About the Authors
Carlos Gallegos is a Senior Analytics Specialist Solutions Architect at AWS, based in Austin, TX, US. He's an experienced and motivated professional with a proven track record of delivering results worldwide. He focuses on architecture, design, migrations, and modernization strategies for complex data and analytics solutions, both on premises and on the AWS Cloud. Carlos helps customers accelerate their data journey by providing expertise in these areas. Connect with him on LinkedIn.
Jose Romero is a Senior Solutions Architect for Startups at AWS, based in Austin, TX, US. He's passionate about helping customers architect modern platforms at scale for data, AI, and ML. As a former senior architect in AWS Professional Services, he enjoys building and sharing solutions for common complex problems so that customers can accelerate their cloud journey and adopt best practices. Connect with him on LinkedIn.
Arun Pradeep Selvaraj is a Senior Solutions Architect at AWS. Arun is passionate about working with his customers and stakeholders on digital transformations and innovation in the cloud while continuing to learn, build, and reinvent. He's creative, fast-paced, deeply customer-obsessed and uses the working backwards process to build modern architectures to help customers solve their unique challenges. Connect with him on LinkedIn.