Federating entry to Amazon DataZone with AWS IAM Identification Heart and Okta

Many purchasers rely right now on Okta or different id suppliers (IdPs) to federate entry to their know-how stack and instruments. With federation, safety groups can centralize person administration in a single place, which helps simplify and brings agility to their day-to-day operations whereas retaining highest safety requirements.

To assist develop a data-driven tradition, everybody inside a corporation can use Amazon DataZone. To appreciate the advantages of utilizing Amazon DataZone for governing knowledge and making it discoverable and obtainable throughout totally different groups for collaboration, clients combine it with their present know-how stack. Dealing with entry by their id supplier and preserving a well-known single sign-on (SSO) expertise permits clients to increase using Amazon DataZone to customers throughout groups within the group with none friction whereas retaining centralized management.

Amazon DataZone is a totally managed knowledge administration service that makes it sooner and easier for purchasers to catalog, uncover, share, and govern knowledge saved throughout Amazon Internet Companies (AWS), on premises, and third-party sources. It additionally makes it easier for knowledge producers, analysts, and enterprise customers to entry knowledge all through a corporation in order that they will uncover, use, and collaborate to derive data-driven insights.

You should utilize AWS IAM Identification Heart to securely create and handle identities on your group’s workforce, or sync and use identities which might be already arrange and obtainable in Okta or different id supplier, to maintain centralized management of them. With IAM Identification Heart you can too handle the SSO expertise of your group centrally, throughout your AWS accounts and functions.

This put up guides you thru the method of organising Okta as an id supplier for signing in customers to Amazon DataZone. The method makes use of IAM Identification Heart and its native integration with Amazon DataZone to combine with exterior id suppliers. Observe that, although this put up focuses on Okta, the offered sample depends on the SAML 2.0 commonplace and so could be replicated with different id suppliers.

Stipulations

To construct the answer offered on this put up, you have to have:

Course of overview

All through this put up you’ll observe these high-level steps:

1. Set up a SAML connection between Okta and IAM Identification Heart
2. Arrange computerized provisioning of customers and teams in IAM Identification Heart in order that customers and teams within the Okta area are created in Identification Heart.
3. Assign customers and teams to your AWS accounts in IAM Identification Heart by assuming an AWS Identification and Entry Administration (IAM) position.
4. Entry the AWS Administration Console and Amazon DataZone portal by Okta SSO.
5. Handle Amazon DataZone particular permissions within the Amazon DataZone portal.

Organising person federation with Okta and IAM Identification Heart

This information follows the steps in Configure SAML and SCIM with Okta and IAM Identification Heart.

Earlier than you get began, evaluation the next gadgets in your Okta setup:

• Each Okta person will need to have a First identify, Final identify, Username and Show identify worth specified.
• Every Okta person has solely a single worth per knowledge attribute, corresponding to e-mail deal with or cellphone quantity. Customers which have a number of values will fail to synchronize. If there are customers which have a number of values of their attributes, take away the duplicate attributes earlier than making an attempt to provision the person in IAM Identification Heart. For instance, just one cellphone quantity attribute could be synchronized. As a result of the default cellphone quantity attribute is work cellphone, use the work cellphone attribute to retailer the person’s cellphone quantity, even when the cellphone quantity for the person is a house cellphone or a cell phone.
• If you happen to replace a person’s deal with you have to have streetAddress, metropolis, state, zipCode and the countryCode worth specified. If any of those values aren’t specified for the Okta person on the time of synchronization, the person (or adjustments to the person) gained’t be provisioned.

1) Set up a SAML connection between Okta and AWS IAM Identification Heart

Now, let’s set up a SAML connection between Okta and AWS IAM Identification Heart. First, you’ll create an utility in Okta to ascertain the connection:

1. Register to the Okta admin dashboard, develop Functions, then choose Functions.
2. On the Functions web page, select Browse App Catalog.
3. Within the search field, enter AWS IAM Identification Heart, then choose the app so as to add the IAM Identification Heart app.

4. Select the Signal On tab.
   

5. Underneath SAML Signing Certificates, choose Actions, after which choose View IdP Metadata. A brand new browser tab opens displaying the doc tree of an XML file. Choose the entire XML from <md:EntityDescriptor> to </md:EntityDescriptor> and duplicate it to a textual content file.
6. Save the textual content file as metadata.xml.

Depart the Okta admin dashboard open, you’ll proceed utilizing it within the later steps.

Second, you’re going to arrange Okta as an exterior id supplier in IAM Identification Heart:

1. Open the IAM Identification Heart console as a person with administrative privileges.
2. Select Settings within the navigation pane.
3. On the Settings web page, select Actions, after which choose Change id supply.

4. Underneath Select id supply, choose Exterior id supplier, after which select Subsequent.

5. Underneath Configure exterior id supplier, do the next:
   1. Underneath Service supplier metadata, select Obtain metadata file to obtain the IAM Identification Heart metadata file and reserve it in your system. You’ll present the Identification Heart SAML metadata file to Okta later on this tutorial.
      1. Copy the next gadgets to a textual content file for simple entry (you’ll want these values later):
         • IAM Identification Heart Assertion Client Service (ACS) URL
         • IAM Identification Heart issuer URL
   2. Underneath Identification supplier metadata, beneath IdP SAML metadata, select Select file after which choose the metadata.xml file you created within the earlier step.
   3. Select Subsequent.
6. After you learn the disclaimer and are able to proceed, enter settle for.
7. Select Change id supply.

Depart the AWS console open, as a result of you’ll use it within the subsequent process.

8. Return to the Okta admin dashboard and select the Signal On tab of the IAM Identification Heart app, then select Edit.
9. Underneath Superior Signal-on Settings enter the next:
   1. For ACS URL, enter the worth you copied for IAM Identification Heart Assertion Client Service (ACS) URL.
   2. For Issuer URL, enter the worth you copied for IAM Identification Heart issuer URL.
   3. For Utility username format, choose one of many choices from the drop-down menu.
      Be sure that the worth you choose is exclusive for every person. For this tutorial, choose Okta username.
10. Select Save.

2) Arrange computerized provisioning of customers and teams in AWS IAM Identification Heart

You are actually capable of arrange computerized provisioning of customers from Okta into IAM Identification Heart. Depart the Okta admin dashboard open and return to the IAM Identification Heart console for the subsequent step.

1. Within the IAM Identification Heart console, on the Settings web page, find the Computerized provisioning data field, after which select Allow. This allows computerized provisioning in IAM Identification Heart and shows the mandatory System for Cross-domain Identification Administration (SCIM) endpoint and entry token data.

2. Within the Inbound computerized provisioning dialog field, copy every of the values for the next choices:
   • SCIM endpoint
   • Entry token

You’ll use these values to configure provisioning in Okta later.

3. Select Shut.

4. Return to the Okta admin dashboard and navigate to the IAM Identification Heart app.
5. On the AWS IAM Identification Heart app web page, select the Provisioning tab, after which within the navigation pane, beneath Settings, select Integration.
6. Select Edit, after which choose the test field subsequent to Allow API integration to allow provisioning.
7. Configure Okta with the SCIM provisioning values from IAM Identification Heart that you just copied earlier:
   1. Within the Base URL subject, enter the SCIM endpoint Just remember to take away the trailing ahead slash on the finish of the URL.
   2. Within the API Token subject, enter the Entry token worth.
      
8. Select Check API Credentials to confirm the credentials entered are legitimate. The message AWS IAM Identification Heart was verified efficiently! shows.
   
9. Select Save. You’re taken to the Settings space, with Integration chosen.
   

10. Evaluation the next setup earlier than shifting ahead. Within the Provisioning tab, within the navigation pane beneath Settings, select To App. Examine that every one choices are enabled. They need to be enabled by default, but when not, allow them.

3) Assign customers and teams to your AWS accounts in AWS IAM Identification Heart by assuming an AWS IAM position

By default, no teams nor customers are assigned to your Okta IAM Identification Heart app. Full the next steps to synchronize customers with IAM Identification Heart.

1. Within the Okta IAM Identification Heart app web page, select the Assignments tab. You possibly can assign each folks and teams to the IAM Identification Heart app.
   1. To assign folks:
      1. Within the Assignments web page, select Assign, after which select Assign to folks.
      2. Choose the Okta customers that you just need to have entry to the IAM Identification Heart app. Select Assign, select Save and Go Again, after which select Achieved.
         This begins the method of provisioning the person customers into IAM Identification Heart.

      

   2. To assign teams:
      1. Select the Push Teams tab. You possibly can create guidelines to robotically provision Okta teams into IAM Identification Heart.

      

      2. Select the Push Teams drop-down checklist and choose Discover teams by rule.
      3. Within the By rule part, set a rule identify and a situation. For this put up we’re utilizing AWS SSO Rule as rule identify and begins with awssso as a bunch identify situation. This situation could be totally different relying on the identify of the group you need to sync.
      4. Select Create Rule

      

      5. (Optionally available) To create a brand new group select Listing within the navigation pane, after which select Teams.

      

      6. Select Add group and enter a reputation, after which select Save.

      

      7. After you could have created the group, you possibly can assign folks to it. Choose the group identify to handle the group’s customers.

      

      8. Select Assign folks and choose the customers that you just need to assign to the group.

      

      9. You will note the customers which might be assigned to the group.

      

      10. Going again to Functions within the navigation pane, choose the AWS IAM Identification Heart app and select the Push Teams tab. You must have the teams that match the rule synchronized between Okta and IAM Identification Heart. The group standing ought to be set to Lively after the group and its members are up to date in Identification Heart.

      

2. Return to the IAM Identification Heart console. Within the navigation pane, select Customers. You must see the person checklist that was up to date by Okta.

3. Within the left navigation, choose Teams, you must see the group checklist that was up to date by Okta.

Congratulations! You may have efficiently arrange a SAML connection between Okta and AWS and have verified that computerized provisioning is working.

OPTIONAL: If it is advisable to present Amazon DataZone console entry to the Okta customers and teams, you possibly can handle these permissions by the IAM Identification Heart console.

1. Within the IAM Identification Heart navigation pane, beneath Multi-account permissions, select AWS accounts.
2. On the AWS accounts web page, the Organizational construction shows your organizational root along with your accounts beneath it within the hierarchy. Choose the checkbox on your administration account, then select Assign customers or teams.

3. The Assign customers and teams workflow shows. It consists of three steps:
   1. For Step 1: Choose customers and teams select the person that will probably be performing the administrator job operate. Then select Subsequent.
   2. For Step 2: Choose permission units select Create permission set to open a brand new tab that steps you thru the three sub-steps concerned in making a permission set.
      1. For Step 1: Choose permission set kind full the next:
         • In Permission set kind, select Predefined permission set.
         • In Coverage for predefined permission set, select AdministratorAccess.
      2. Select Subsequent.
      3. For Step 2: Specify permission set particulars, preserve the default settings, and select Subsequent.
         The default settings create a permission set named AdministratorAccess with session length set to 1 hour. You can even specify decreased permissions with a customized coverage simply to permit Amazon DataZone console entry.
      4. For Step 3: Evaluation and create, confirm that the Permission set kind makes use of the AWS managed coverage AdministratorAccess or your customized coverage. Select Create. On the Permission units web page, a notification seems informing you that the permission set was created. You possibly can shut this tab in your internet browser now.
4. On the Assign customers and teams browser tab, you might be nonetheless on Step 2: Choose permission units from which you began the create permission set workflow.
5. Within the Permissions units space, Refresh. The AdministratorAccess permission or your customized coverage set you created seems within the checklist. Choose the checkbox for that permission set, after which select Subsequent.

1. 1. For Step 3: Evaluation and submit evaluation the chosen person and permission set, then select Submit.
      The web page updates with a message that your AWS account is being configured. Wait till the method completes.
   2. You’re returned to the AWS accounts web page. A notification message informs you that your AWS account has been re-provisioned, and the up to date permission set is utilized. When a person indicators in, they’ll have the choice of selecting the AdministratorAccess position or a customized coverage position.

4) Entry the AWS console and Amazon DataZone portal by Okta SSO

Now, you possibly can check your person entry into the console and Amazon DataZone portal utilizing the Okta exterior id utility.

1. Register to the Okta dashboard utilizing a check person account.
2. Underneath My Apps, choose the AWS IAM Identification Heart icon.

3. Full the authentication course of utilizing your Okta credentials.

4.1) For administrative customers

1. You’re signed in to the portal and may see the AWS account icon. Increase that icon to see the checklist of AWS accounts that the person can entry. On this tutorial, you labored with a single account, so increasing the icon solely reveals one account.
2. Choose the account to show the permission units obtainable to the person. On this tutorial you created the AdministratorAccess permission set.
3. Subsequent to the permission set are hyperlinks for the kind of entry obtainable for that permission set. Once you created the permission set, you specified each administration console and programmatic entry be enabled, so these two choices are current. Choose Administration console to open the console.

4. The person is signed in to the console. Utilizing the search bar, search for Amazon DataZone service and open it.
5. Open the Amazon DataZone console and ensure you have enabled SSO customers by IAM Identification Heart. In case you haven’t, you possibly can observe the steps in Allow IAM Identification Heart for Amazon DataZone.

Observe: On this put up, we adopted the default IAM Identification Heart for Amazon DataZone configuration, which has implicit person task mode enabled. With this feature, any person added to your Identification Heart listing can entry your Amazon DataZone area robotically. If you happen to go for utilizing specific person task as an alternative, do not forget that it is advisable to manually add customers to your Amazon DataZone area within the Amazon DataZone console for them to have entry.
To study extra about the right way to handle person entry to an Amazon DataZone area, see Handle customers within the Amazon DataZone console.

6. Select the Open knowledge portal to entry the Amazon DataZone Portal.

4.2) For all different customers

1. Select the Functions tab within the AWS entry portal window and select the Amazon DataZone knowledge portal utility hyperlink.

2. Within the Amazon DataZone knowledge portal, select SIGN IN WITH SSO to proceed

Congratulations! Now you’re signed in to the Amazon DataZone knowledge portal utilizing your person that’s managed by Okta.

5) Handle Amazon DataZone particular permissions within the Amazon DataZone portal

After you could have entry to the Amazon DataZone portal, you possibly can work with tasks, the information belongings inside, environments, and different constructs which might be particular to Amazon DataZone. A undertaking is the overarching assemble that brings collectively folks, knowledge, and analytics instruments. A undertaking has two roles: proprietor and contributor. Subsequent, you’ll learn the way a person could be made an proprietor or contributor of present tasks.

These steps have to be accomplished by the present undertaking proprietor within the Amazon DataZone portal:

1. Open the Amazon DataZone portal, choose the undertaking within the drop-down checklist on the left prime of the portal and select the undertaking you personal

2. Within the undertaking window, select the Members tab to see the present customers within the undertaking and add a brand new one.

3. Select Add Members so as to add a brand new person. Be sure that the Consumer kind is SSO Consumer so as to add an Okta person. Search for the Okta person within the identify drop-down checklist, choose it, and choose a undertaking position for it. Lastly, select Add Members so as to add the person.

4. The Okta person has been granted the chosen undertaking position and may work together with the undertaking, belongings, and instruments.

5. You can even grant permissions to SSO Teams. Select Add members, then choose SSO group within the drop-down checklist, subsequent choose the Group identify, set the assigned undertaking position, and select Add Members.

6. The Okta group has been granted the undertaking position and may work together with the undertaking, belongings, and instruments.

You can even handle SSO person and group entry to the Amazon DataZone knowledge portal from the console. See Handle customers within the Amazon DataZone console for added particulars.

Clear up

To make sure a seamless expertise and keep away from any future expenses, we kindly request that you just observe these steps:

By following these steps, you possibly can successfully clear up the assets utilized on this weblog put up and stop any pointless expenses from accruing.

Abstract

On this put up, you adopted a step-by-step information to arrange and use Okta to federate entry to Amazon DataZone with AWS IAM Identification Heart. You additionally realized the right way to group customers and handle their permission in Amazon DataZone. As a closing thought, now that you just’re conversant in the weather concerned within the integration of an exterior id supplier corresponding to Okta to federate entry to Amazon DataZone, you’re able to attempt it with different id suppliers.

To study extra about, see Managing Amazon DataZone domains and person entry.

---

Concerning the Authors

Carlos Gallegos is a Senior Analytics Specialist Options Architect at AWS. Based mostly in Austin, TX, US. He’s an skilled and motivated skilled with a confirmed observe report of delivering outcomes worldwide. He makes a speciality of structure, design, migrations, and modernization methods for advanced knowledge and analytics options, each on-premises and on the AWS Cloud. Carlos helps clients speed up their knowledge journey by offering experience in these areas. Join with him on LinkedIn.

Jose Romero is a Senior Options Architect for Startups at AWS. Based mostly in Austin, TX, US. He’s obsessed with serving to clients architect fashionable platforms at scale for knowledge, AI, and ML. As a former senior architect in AWS Skilled Companies, he enjoys constructing and sharing options for frequent advanced issues in order that clients can speed up their cloud journey and undertake finest practices. Join with him on LinkedIn.

Arun Pradeep Selvaraj is a Senior Options Architect at AWS. Arun is obsessed with working together with his clients and stakeholders on digital transformations and innovation within the cloud whereas persevering with to study, construct, and reinvent. He’s inventive, fast-paced, deeply customer-obsessed and makes use of the working backwards course of to construct fashionable architectures to assist clients clear up their distinctive challenges. Join with him on LinkedIn.