Using Okta as the central control point for permission management, integrated with AWS IAM Identity Center for access to AWS
Create an Okta account
Open the Okta sign-up page, choose Try Workforce Identity Cloud, fill in the registration details, and register an account.
Verify the email address.
Sign in to the Okta account.
Add AWS IAM Identity Center to Okta
In a new browser tab, sign in to the Okta console.
In the menu, choose Applications.
On the Applications page, choose Browse App Catalogue.
Search for AWS IAM Identity Center. Choose Add Integration, and then choose Done. This step adds IAM Identity Center to Okta.
Under the Applications menu, open the AWS IAM Identity Center application you just created and choose the Sign On tab.
Choose Edit. You can now edit the SAML settings.
Under Advanced sign-on settings, paste the values obtained from the IAM Identity Center console:
IAM Identity Center ACS URL
IAM Identity Center issuer URL
Choose Save.
Upload the SAML metadata from Okta to IAM Identity Center
On the same Okta console page as before, choose the Sign On tab.
Under SAML Signing Certificates, choose Action, and then choose View IdP metadata.
Save the file as idp-saml.xml.
In the IAM Identity Center console, make sure you are on the Change Identity Source page.
Open Identity provider metadata, and under IdP SAML metadata, choose Choose file.
Upload the idp-saml.xml file, and then choose Next. Review the settings, and then confirm.
Add the SCIM 2.0 Test App (OAuth Bearer Token) in Okta
Enable SCIM to synchronize users and groups.
In the IAM Identity Center console, in the navigation pane, choose Settings.
Under Automatic provisioning, choose Enable.
Copy the SCIM endpoint and access token to a text editor. You will use these values later in this guide.
Create SCIM application to push users and groups to IAM Identity Center.
In the Okta console, on the Applications page, choose Browse App Catalogue.
Search for SCIM 2.0 Test App (OAuth Bearer Token). Select SCIM 2.0 Test App (OAuth Bearer Token), and then choose Add Integration.
On the General Settings page, do the following:
In Application label, enter SCIM 2.0 Test App (OAuth Bearer Token).
Select Do not display application icon to users.
Select Do not display application icon in the Okta Mobile App.
Choose Next, and then choose Done.
On the Provisioning tab, choose Configure API Integration.
Select Enable API integration.
For SCIM 2.0 Base Url, enter the SCIM endpoint you copied previously.
For OAuth Bearer Token, enter the access token you copied previously.
Choose Save, and then choose Edit.
Choose Enable Create Users, and then choose Save.
Create a rule that pushes users and groups to IAM Identity Center.
In the Okta console, choose the Push Groups tab.
In the Push Groups menu, choose Find Groups by Rule.
Name the rule AWS SSO rule.
For Group name starts with, enter awssso. You can use any prefix.
Select Immediately push groups found by this rule, and then choose Create Rule.
In the navigation pane, choose Directory > Groups.
Choose Add Group.
On the Add Group dialog box, for Name, enter AWS Users, and then choose Save.
On the Groups page, choose the AWS Users group.
On the Applications tab, select Assign Applications. Select the AWS IAM Identity Center application, and then choose Assign. This is the application that users will launch in the AWS Management Console.
For the SCIM 2.0 Test App (OAuth Bearer Token) application, choose Assign. Choose Save and Go Back. Users don’t interact with this application, but this application makes sure that their account and groups are provisioned into IAM Identity Center.
Choose Done.
Create and associate Okta users and groups
Create a new group in Okta.
In the Okta console, choose Directory > Groups.
Choose Add Group.
In the Add Group dialog box, for Name, enter awsssoPowerUsers, and then choose Save.
In the menu bar, choose Applications.
Open the SCIM 2.0 Test App (OAuth Bearer Token) application, and then choose Push Groups. You should see that awsssoPowerUsers is listed and marked as Active.
In the IAM Identity Center console, in the navigation pane, choose Groups. You should see that awsssoPowerUsers is listed with No users.
Verify the result
Assign a permission set in IAM Identity Center.
In the IAM Identity Center console, in the navigation pane, choose AWS accounts, and then select your organization.
Select all of the accounts in the organization. The users belonging to the operations team will have access to all accounts.
Choose Assign users or groups.
On the Assign users and groups page, choose Groups.
Select awsssoPowerUsers, and then choose Next.
On the Select permission sets page, select AWSPowerUsersAccess.
Choose Finish.
Choose Proceed to AWS accounts.
Create a user in the Okta portal.
In the Okta console, in the top navigation bar, choose Directory, and then choose People.
Choose Add Person.
On the Add Person page, enter the following information:
For User type, choose User.
For First name, enter the user’s first name.
For Last name, enter the user’s last name.
For User name, enter the user’s email address.
For Primary email, enter the user’s email address.
For Groups, enter awsssoPowerUsers and AWS Users.
For Password, choose Set by admin, and then enter a password.
Clear User must change password on first login, and then choose Save.
In the IAM Identity Center console, in the navigation pane, choose Users. You should see the user that you created in the list.
Choose the user name to open General information.
Confirm that the user appears as Created By: SCIM.
In the IAM Identity Center console, in the navigation pane, choose Dashboard.
Copy the user portal URL.
Open a browser window in private or incognito mode, and then paste the user portal URL into the address bar. The browser should redirect to the Okta login page.
Enter the following information:
For username, enter the user’s email address.
For password, enter the user password that you created previously.
Answer any additional security questions, depending on your Okta configuration. When you are logged in, you should be returned to the IAM Identity Center console.
Verify that the new user has access to the AWS account.
In the IAM Identity Center console, choose AWS accounts.
Choose your organization’s management account.
On the AWSPowerUsersAccess line, choose Management Console.
Confirm that the AWS Management Console launches.