Federating access to Amazon DataZone with AWS IAM Identity Center and Okta

Many customers rely today on Okta or other identity providers (IdPs) to federate access to their technology stack and tools. With federation, security teams can centralize user management in one place, which helps simplify and brings agility to their day-to-day operations while maintaining the highest security standards.

To help develop a data-driven culture, everyone within an organization can use Amazon DataZone. To realize the benefits of using Amazon DataZone for governing data and making it discoverable and available across different teams for collaboration, customers integrate it with their existing technology stack. Handling access through their identity provider and preserving a familiar single sign-on (SSO) experience allows customers to extend the use of Amazon DataZone to users across teams in the organization without any friction while maintaining centralized control.

Amazon DataZone is a fully managed data management service that makes it faster and simpler for customers to catalog, discover, share, and govern data stored across Amazon Web Services (AWS), on premises, and third-party sources. It also makes it simpler for data producers, analysts, and business users to access data throughout an organization so that they can discover, use, and collaborate to derive data-driven insights.

You can use AWS IAM Identity Center to securely create and manage identities for your organization's workforce, or sync and use identities that are already set up and available in Okta or another identity provider, to keep centralized control of them. With IAM Identity Center you can also manage the SSO experience of your organization centrally, across your AWS accounts and applications.

This post guides you through the process of setting up Okta as an identity provider for signing in users to Amazon DataZone. The process uses IAM Identity Center and its native integration with Amazon DataZone to integrate with external identity providers. Note that, although this post focuses on Okta, the presented pattern relies on the SAML 2.0 standard and so can be replicated with other identity providers.

Prerequisites

To build the solution presented in this post, you must have:

Process overview

Throughout this post you'll follow these high-level steps:

  1. Establish a SAML connection between Okta and IAM Identity Center.
  2. Set up automatic provisioning of users and groups in IAM Identity Center so that users and groups in the Okta domain are created in Identity Center.
  3. Assign users and groups to your AWS accounts in IAM Identity Center by assuming an AWS Identity and Access Management (IAM) role.
  4. Access the AWS Management Console and Amazon DataZone portal through Okta SSO.
  5. Manage Amazon DataZone specific permissions in the Amazon DataZone portal.

Setting up user federation with Okta and IAM Identity Center

This guide follows the steps in Configure SAML and SCIM with Okta and IAM Identity Center.

Before you get started, review the following items in your Okta setup:

  • Every Okta user must have a First name, Last name, Username and Display name value specified.
  • Each Okta user has only a single value per data attribute, such as email address or phone number. Users that have multiple values will fail to synchronize. If there are users that have multiple values in their attributes, remove the duplicate attributes before attempting to provision the user in IAM Identity Center. For example, only one phone number attribute can be synchronized. Because the default phone number attribute is work phone, use the work phone attribute to store the user's phone number, even if the phone number for the user is a home phone or a mobile phone.
  • If you update a user's address, you must have the streetAddress, city, state, zipCode and countryCode values specified. If any of these values aren't specified for the Okta user at the time of synchronization, the user (or changes to the user) won't be provisioned.
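As an added pre-flight check (example code written for this post, not Okta's or AWS's own tooling), the following Python script applies the three constraints above to exported Okta user profiles before you provision them. It assumes Okta's default profile attribute names (firstName, lastName, login, displayName, streetAddress, city, state, zipCode, countryCode) and uses constructed sample records.

```python
"""Pre-flight check of Okta user profiles against the IAM Identity Center
provisioning constraints: required name fields, one value per attribute,
and all-or-nothing address fields. Added example; attribute names assume
Okta's default user profile and the sample records are constructed."""

REQUIRED = ("firstName", "lastName", "login", "displayName")
ADDRESS = ("streetAddress", "city", "state", "zipCode", "countryCode")


def check_user(profile: dict) -> list:
    """Return the reasons this profile would fail or be skipped by SCIM provisioning."""
    issues = []
    for attr in REQUIRED:
        if not profile.get(attr):
            issues.append(f"missing required attribute {attr}")
    # Only one value per attribute can be synchronized into IAM Identity Center.
    for attr, value in profile.items():
        if isinstance(value, (list, tuple, set)) and len(value) > 1:
            issues.append(f"{attr} has {len(value)} values; keep only one before provisioning")
    # An address is provisioned only when all five parts are present.
    present = [a for a in ADDRESS if profile.get(a)]
    if present and len(present) < len(ADDRESS):
        missing = [a for a in ADDRESS if not profile.get(a)]
        issues.append("partial address; missing " + ", ".join(missing))
    return issues


def check_users(profiles: list) -> dict:
    """Map each login to its issues, keeping only the users that need attention."""
    report = {}
    for profile in profiles:
        issues = check_user(profile)
        if issues:
            report[profile.get("login", "<no login>")] = issues
    return report


# Constructed sample profiles (not real Okta data).
SAMPLE_USERS = [
    {"firstName": "Ana", "lastName": "Lopez", "login": "ana.lopez@example.com",
     "displayName": "Ana Lopez", "email": "ana.lopez@example.com",
     "primaryPhone": "+1 512 555 0100"},
    # Missing display name and two work phone numbers: both block provisioning.
    {"firstName": "Ben", "lastName": "Ng", "login": "ben.ng@example.com",
     "email": "ben.ng@example.com",
     "primaryPhone": ["+1 512 555 0101", "+1 512 555 0102"]},
    # Address with state and countryCode missing: the user update is not provisioned.
    {"firstName": "Cy", "lastName": "Park", "login": "cy.park@example.com",
     "displayName": "Cy Park", "email": "cy.park@example.com",
     "streetAddress": "1 Main St", "city": "Austin", "zipCode": "78701"},
]

if __name__ == "__main__":
    for login, issues in check_users(SAMPLE_USERS).items():
        print(login, "->", "; ".join(issues))
```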

Okta account

1) Establish a SAML connection between Okta and AWS IAM Identity Center

Now, let's establish a SAML connection between Okta and AWS IAM Identity Center. First, you'll create an application in Okta to establish the connection:

  1. Sign in to the Okta admin dashboard, expand Applications, then choose Applications.
  2. On the Applications page, choose Browse App Catalog.
  3. In the search box, enter AWS IAM Identity Center, then choose the app to add the IAM Identity Center app.

IAM identity center app in Okta

  4. Choose the Sign On tab.

IAM identity center app in Okta - sign on

  5. Under SAML Signing Certificates, select Actions, and then select View IdP Metadata. A new browser tab opens showing the document tree of an XML file. Select all of the XML from <md:EntityDescriptor> to </md:EntityDescriptor> and copy it to a text file.
  6. Save the text file as metadata.xml.

Identity provider metadata in Okta

Leave the Okta admin dashboard open; you'll continue using it in later steps.

Second, you're going to set up Okta as an external identity provider in IAM Identity Center:

  1. Open the IAM Identity Center console as a user with administrative privileges.
  2. Choose Settings in the navigation pane.
  3. On the Settings page, choose Actions, and then select Change identity source.

Identity provider source in IAM identity center

  4. Under Choose identity source, select External identity provider, and then choose Next.

Identity provider source in IAM identity center

  5. Under Configure external identity provider, do the following:
    1. Under Service provider metadata, choose Download metadata file to download the IAM Identity Center metadata file and save it on your system. You'll provide the Identity Center SAML metadata file to Okta later in this tutorial.
      1. Copy the following items to a text file for easy access (you'll need these values later):
        • IAM Identity Center Assertion Consumer Service (ACS) URL
        • IAM Identity Center issuer URL
    2. Under Identity provider metadata, under IdP SAML metadata, choose Choose file and then select the metadata.xml file you created in the previous step.
    3. Choose Next.
  6. After you read the disclaimer and are ready to proceed, enter accept.
  7. Choose Change identity source.

Identity provider source in IAM identity center

Leave the AWS console open, because you'll use it in the next procedure.

  1. Return to the Okta admin dashboard and choose the Sign On tab of the IAM Identity Center app, then choose Edit.
  2. Under Advanced Sign-on Settings, enter the following:
    1. For ACS URL, enter the value you copied for IAM Identity Center Assertion Consumer Service (ACS) URL.
    2. For Issuer URL, enter the value you copied for IAM Identity Center issuer URL.
    3. For Application username format, select one of the options from the drop-down menu.
      Make sure the value you select is unique for each user. For this tutorial, select Okta username.
  3. Choose Save.

IAM identity center app in Okta - sign on

2) Set up automatic provisioning of users and groups in AWS IAM Identity Center

You're now able to set up automatic provisioning of users from Okta into IAM Identity Center. Leave the Okta admin dashboard open and return to the IAM Identity Center console for the next step.

  1. In the IAM Identity Center console, on the Settings page, locate the Automatic provisioning information box, and then choose Enable. This enables automatic provisioning in IAM Identity Center and displays the required System for Cross-domain Identity Management (SCIM) endpoint and access token information.

Automatic provisioning in IAM identity center

  2. In the Inbound automatic provisioning dialog box, copy each of the values for the following options:
    • SCIM endpoint
    • Access token

You'll use these values to configure provisioning in Okta later.

  3. Choose Close.

Automatic provisioning in IAM identity center

  4. Return to the Okta admin dashboard and navigate to the IAM Identity Center app.
  5. On the AWS IAM Identity Center app page, choose the Provisioning tab, and then in the navigation pane, under Settings, choose Integration.
  6. Choose Edit, and then select the check box next to Enable API integration to enable provisioning.
  7. Configure Okta with the SCIM provisioning values from IAM Identity Center that you copied earlier:
    1. In the Base URL field, enter the SCIM endpoint. Make sure that you remove the trailing forward slash at the end of the URL.
    2. In the API Token field, enter the Access token value.
  8. Choose Test API Credentials to verify that the credentials entered are valid. The message AWS IAM Identity Center was verified successfully! displays.
  9. Choose Save. You're taken to the Settings area, with Integration selected.

API Integration in Okta

  10. Review the following setup before moving forward. In the Provisioning tab, in the navigation pane under Settings, choose To App. Check that all options are enabled. They should be enabled by default, but if not, enable them.

Application provision in Okta

3) Assign users and groups to your AWS accounts in AWS IAM Identity Center by assuming an AWS IAM role

By default, no groups or users are assigned to your Okta IAM Identity Center app. Complete the following steps to synchronize users with IAM Identity Center.

  1. On the Okta IAM Identity Center app page, choose the Assignments tab. You can assign both people and groups to the IAM Identity Center app.
    1. To assign people:
      1. On the Assignments page, choose Assign, and then choose Assign to people.
      2. Select the Okta users that you want to have access to the IAM Identity Center app. Choose Assign, choose Save and Go Back, and then choose Done.
        This starts the process of provisioning the individual users into IAM Identity Center.

      Users assignment in Okta

    2. To assign groups:
      1. Choose the Push Groups tab. You can create rules to automatically provision Okta groups into IAM Identity Center.

      Groups assignment in Okta

      2. Choose the Push Groups drop-down list and select Find groups by rule.
      3. In the By rule section, set a rule name and a condition. For this post we're using AWS SSO Rule as the rule name and starts with awssso as the group name condition. This condition can be different depending on the name of the group you want to sync.
      4. Choose Create Rule.

      Okta SSO group rule

      5. (Optional) To create a new group, choose Directory in the navigation pane, and then choose Groups.

      Group creation in Okta

      6. Choose Add group and enter a name, and then choose Save.

      Group creation in Okta

      7. After you have created the group, you can assign people to it. Select the group name to manage the group's users.

      Group user assign in Okta

      8. Choose Assign people and select the users that you want to assign to the group.

      Group user assign in Okta

      9. You will see the users that are assigned to the group.

      Group user assign in Okta

      10. Going back to Applications in the navigation pane, select the AWS IAM Identity Center app and choose the Push Groups tab. You should have the groups that match the rule synchronized between Okta and IAM Identity Center. The group status should be set to Active after the group and its members are updated in Identity Center.

      Active groups in Okta

  2. Return to the IAM Identity Center console. In the navigation pane, choose Users. You should see the user list that was updated by Okta.

Active users in IAM identity center

  3. In the left navigation, select Groups; you should see the group list that was updated by Okta.

Active groups in IAM identity center

Congratulations! You've successfully set up a SAML connection between Okta and AWS and have verified that automatic provisioning is working.

OPTIONAL: If you need to provide Amazon DataZone console access to the Okta users and groups, you can manage these permissions through the IAM Identity Center console.

  1. In the IAM Identity Center navigation pane, under Multi-account permissions, choose AWS accounts.
  2. On the AWS accounts page, the Organizational structure displays your organizational root with your accounts beneath it in the hierarchy. Select the checkbox for your management account, then choose Assign users or groups.

IAM Roles in IAM identity center

  3. The Assign users and groups workflow displays. It consists of three steps:
    1. For Step 1: Select users and groups, choose the user that will be performing the administrator job function. Then choose Next.
    2. For Step 2: Select permission sets, choose Create permission set to open a new tab that steps you through the three sub-steps involved in creating a permission set.
      1. For Step 1: Select permission set type, complete the following:
        • In Permission set type, choose Predefined permission set.
        • In Policy for predefined permission set, choose AdministratorAccess.
      2. Choose Next.
      3. For Step 2: Specify permission set details, keep the default settings, and choose Next.
        The default settings create a permission set named AdministratorAccess with session duration set to 1 hour. You can also specify reduced permissions with a custom policy that only allows Amazon DataZone console access.
      4. For Step 3: Review and create, verify that the Permission set type uses the AWS managed policy AdministratorAccess or your custom policy. Choose Create. On the Permission sets page, a notification appears informing you that the permission set was created. You can close this tab in your web browser now.
    3. On the Assign users and groups browser tab, you're still on Step 2: Select permission sets, from which you started the create permission set workflow.
    4. In the Permission sets area, choose Refresh. The AdministratorAccess permission set or the custom policy permission set you created appears in the list. Select the checkbox for that permission set, and then choose Next.

IAM Roles in IAM identity center

    5. For Step 3: Review and submit, review the selected user and permission set, then choose Submit.
      The page updates with a message that your AWS account is being configured. Wait until the process completes.
    6. You're returned to the AWS accounts page. A notification message informs you that your AWS account has been re-provisioned, and the updated permission set is applied. When a user signs in, they will have the option of choosing the AdministratorAccess role or a custom policy role.

4) Access the AWS console and Amazon DataZone portal through Okta SSO

Now, you can test your user access to the console and Amazon DataZone portal using the Okta external identity application.

  1. Sign in to the Okta dashboard using a test user account.
  2. Under My Apps, select the AWS IAM Identity Center icon.

IAM identity center access in Okta

  3. Complete the authentication process using your Okta credentials.

IAM identity center access in Okta

4.1) For administrative users

  1. You're signed in to the portal and can see the AWS account icon. Expand that icon to see the list of AWS accounts that the user can access. In this tutorial, you worked with a single account, so expanding the icon only shows one account.
  2. Select the account to display the permission sets available to the user. In this tutorial you created the AdministratorAccess permission set.
  3. Next to the permission set are links for the type of access available for that permission set. When you created the permission set, you specified that both management console and programmatic access be enabled, so those two options are present. Select Management console to open the console.

AWS Management console

  4. The user is signed in to the console. Using the search bar, look for the Amazon DataZone service and open it.
  5. Open the Amazon DataZone console and make sure you have enabled SSO users through IAM Identity Center. If you haven't, you can follow the steps in Enable IAM Identity Center for Amazon DataZone.

Note: In this post, we followed the default IAM Identity Center for Amazon DataZone configuration, which has implicit user assignment mode enabled. With this option, any user added to your Identity Center directory can access your Amazon DataZone domain automatically. If you opt for explicit user assignment instead, remember that you need to manually add users to your Amazon DataZone domain in the Amazon DataZone console for them to have access.
To learn more about how to manage user access to an Amazon DataZone domain, see Manage users in the Amazon DataZone console.

  6. Choose Open data portal to access the Amazon DataZone portal.

DataZone console

4.2) For all other users

  1. Choose the Applications tab in the AWS access portal window and choose the Amazon DataZone data portal application link.

DataZone application

  2. In the Amazon DataZone data portal, choose SIGN IN WITH SSO to proceed.

DataZone portal

Congratulations! Now you're signed in to the Amazon DataZone data portal using your user that's managed by Okta.

DataZone portal

5) Manage Amazon DataZone specific permissions in the Amazon DataZone portal

After you have access to the Amazon DataZone portal, you can work with projects, the data assets within them, environments, and other constructs that are specific to Amazon DataZone. A project is the overarching construct that brings together people, data, and analytics tools. A project has two roles: owner and contributor. Next, you'll learn how a user can be made an owner or contributor of existing projects.

These steps must be completed by the existing project owner in the Amazon DataZone portal:

  1. Open the Amazon DataZone portal, open the project drop-down list at the top left of the portal, and choose the project you own.

DataZone project

  2. In the project window, choose the Members tab to see the current users in the project and add a new one.

DataZone project members

  3. Choose Add Members to add a new user. Make sure the User type is SSO User to add an Okta user. Look for the Okta user in the name drop-down list, select it, and select a project role for it. Finally, choose Add Members to add the user.

DataZone project members

  4. The Okta user has been granted the selected project role and can interact with the project, assets, and tools.

DataZone project members

  5. You can also grant permissions to SSO Groups. Choose Add members, then select SSO group in the drop-down list, next select the Group name, set the assigned project role, and choose Add Members.

DataZone project members

  6. The Okta group has been granted the project role and can interact with the project, assets, and tools.

DataZone project members

You can also manage SSO user and group access to the Amazon DataZone data portal from the console. See Manage users in the Amazon DataZone console for more details.

Clean up

To ensure a seamless experience and avoid any future charges, we kindly request that you follow these steps:

By following these steps, you can effectively clean up the resources used in this blog post and prevent any unnecessary charges from accruing.

Summary

In this post, you followed a step-by-step guide to set up and use Okta to federate access to Amazon DataZone with AWS IAM Identity Center. You also learned how to group users and manage their permissions in Amazon DataZone. As a final thought, now that you're familiar with the elements involved in integrating an external identity provider such as Okta to federate access to Amazon DataZone, you're ready to try it with other identity providers.

To learn more, see Managing Amazon DataZone domains and user access.


About the Authors

Carlos Gallegos is a Senior Analytics Specialist Solutions Architect at AWS, based in Austin, TX, US. He's an experienced and motivated professional with a proven track record of delivering results worldwide. He focuses on architecture, design, migrations, and modernization strategies for complex data and analytics solutions, both on premises and on the AWS Cloud. Carlos helps customers accelerate their data journey by providing expertise in these areas. Connect with him on LinkedIn.

Jose Romero is a Senior Solutions Architect for Startups at AWS, based in Austin, TX, US. He's passionate about helping customers architect modern platforms at scale for data, AI, and ML. As a former senior architect in AWS Professional Services, he enjoys building and sharing solutions for common complex problems so that customers can accelerate their cloud journey and adopt best practices. Connect with him on LinkedIn.

Arun Pradeep Selvaraj is a Senior Solutions Architect at AWS. Arun is passionate about working with his customers and stakeholders on digital transformations and innovation in the cloud while continuing to learn, build, and reinvent. He's creative, fast-paced, deeply customer-obsessed and uses the working backwards process to build modern architectures to help customers solve their unique challenges. Connect with him on LinkedIn.
