Reputation: 31
My goal is to use Okta SSO integrated with AWS SSO so that all user sign-in and permission management for AWS resources is handled from Okta, using the accounts configured on Okta.
I also want it so that each user on Okta has their own Amazon WorkSpaces Windows instance, using their Okta credentials.
I currently have a Simple AD (Directory Service) configured on the AWS account, exclusively for Amazon Workspaces access.
Is this a goal that can be achieved using Okta, AWS SSO and Directory Service? After going through the documentation for each of them, I am still not clear whether these services can be integrated this way.
Any advice would be appreciated.
Upvotes: 0
Views: 854
Reputation: 197
There are two topics in this question.
AWS SSO: There is a standard integration in the AWS Documentation. https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html
AWS WorkSpaces: You mentioned that you currently use Simple AD; in case you want to switch the IdP for your WorkSpaces, you should be aware that you need to re-provision the WorkSpaces. I don't have as much experience with Okta, but I think there are two options.
In case you already have an Active Directory, you should be able to integrate it with WorkSpaces (AD Connector, or AWS Managed AD with a forest trust):
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
In case there is no pre-existing AD, you should be able to sync the users with an AWS Managed AD:
https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-integrate-existing.htm
Okta MFA integration for WorkSpaces:
https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-okta-mfa-with-amazon-workspaces/
Upvotes: 0
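The answer's key operational point is that a WorkSpace cannot be re-pointed at a different directory: moving from the existing Simple AD to an AD Connector or AWS Managed Microsoft AD (the two paths Okta can work with) means rebuilding every affected WorkSpace. The script below is an added example, not code from the question, the answer, AWS or Okta. It is a small planner that takes the field names of the WorkSpaces API responses (DescribeWorkspaceDirectories and DescribeWorkspaces) and lists which WorkSpaces must be re-provisioned for a chosen target directory, plus sanity checks on the target (registered, and not itself a Simple AD). The directory IDs, WorkSpace IDs and user names are constructed sample data; the `plan_directory_move` and `render` helpers are hypothetical names, and the live-fetch branch assumes boto3 with credentials and a region configured.

```python
"""Added example (not from the original post): plan the WorkSpaces
re-provisioning needed when the backing directory changes.

Operates on the field names of the WorkSpaces API responses
(DescribeWorkspaceDirectories -> "Directories", DescribeWorkspaces ->
"Workspaces"). All IDs and users below are constructed sample data."""
from collections import defaultdict

SAMPLE_DIRECTORIES = [  # constructed, shaped like DescribeWorkspaceDirectories
    {"DirectoryId": "d-simplead0001", "DirectoryName": "corp.example.com",
     "DirectoryType": "SIMPLE_AD", "State": "REGISTERED"},
    {"DirectoryId": "d-adconnect001", "DirectoryName": "corp.example.com",
     "DirectoryType": "AD_CONNECTOR", "State": "REGISTERED"},
    {"DirectoryId": "d-adconnect002", "DirectoryName": "lab.example.com",
     "DirectoryType": "AD_CONNECTOR", "State": "DEREGISTERED"},
]
SAMPLE_WORKSPACES = [  # constructed, shaped like DescribeWorkspaces
    {"WorkspaceId": "ws-aaaaaaaaa", "DirectoryId": "d-simplead0001",
     "UserName": "alice", "State": "AVAILABLE"},
    {"WorkspaceId": "ws-bbbbbbbbb", "DirectoryId": "d-simplead0001",
     "UserName": "bob", "State": "STOPPED"},
    {"WorkspaceId": "ws-ccccccccc", "DirectoryId": "d-adconnect001",
     "UserName": "carol", "State": "AVAILABLE"},
]


def plan_directory_move(directories, workspaces, target_directory_id):
    """Return a migration plan (hypothetical helper) as a dict with:
    "errors"            - reasons the move cannot proceed as planned
    "reprovision"       - WorkSpaces not on the target, which must be rebuilt
    "already_on_target" - WorkSpaces that need no action
    "by_directory"      - user names grouped by their current directory
    """
    dirs = {d["DirectoryId"]: d for d in directories}
    errors = []
    target = dirs.get(target_directory_id)
    if target is None:
        errors.append(f"target directory {target_directory_id} is not registered with WorkSpaces")
    else:
        if target.get("State") != "REGISTERED":
            errors.append(f"target directory {target_directory_id} is in state {target.get('State')}")
        if target.get("DirectoryType") == "SIMPLE_AD":
            # Both Okta paths in the answer go through AD Connector or AWS Managed AD.
            errors.append("target is a Simple AD; use an AD Connector or AWS Managed Microsoft AD")

    reprovision, already, by_directory = [], [], defaultdict(list)
    for ws in workspaces:
        current = ws["DirectoryId"]
        by_directory[current].append(ws["UserName"])
        if current not in dirs:
            errors.append(f"{ws['WorkspaceId']} points at unknown directory {current}")
        if current == target_directory_id:
            already.append(ws["WorkspaceId"])
        else:
            # A WorkSpace cannot be moved between directories: it must be rebuilt.
            reprovision.append({
                "WorkspaceId": ws["WorkspaceId"],
                "UserName": ws["UserName"],
                "FromDirectory": current,
                "FromType": dirs.get(current, {}).get("DirectoryType", "UNKNOWN"),
                "State": ws["State"],
            })
    return {"errors": errors, "reprovision": reprovision,
            "already_on_target": already, "by_directory": dict(by_directory)}


def render(plan):
    """Human-readable summary of a plan."""
    lines = [f"ERROR: {e}" for e in plan["errors"]]
    for item in plan["reprovision"]:
        lines.append(f"rebuild {item['WorkspaceId']} for {item['UserName']} "
                     f"(currently {item['FromType']} {item['FromDirectory']}, {item['State']})")
    lines.append(f"{len(plan['already_on_target'])} WorkSpace(s) already on target, "
                 f"{len(plan['reprovision'])} to re-provision")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a real account, use the live API output (assumes boto3 with
    # credentials and a region configured); otherwise fall back to the sample.
    try:
        import boto3
        client = boto3.client("workspaces")
        directories = [d for page in client.get_paginator("describe_workspace_directories").paginate()
                       for d in page["Directories"]]
        workspaces = [w for page in client.get_paginator("describe_workspaces").paginate()
                      for w in page["Workspaces"]]
    except Exception:
        directories, workspaces = SAMPLE_DIRECTORIES, SAMPLE_WORKSPACES
    print(render(plan_directory_move(directories, workspaces, "d-adconnect001")))
```

Run it before touching anything: the rebuild list is the set of users who will lose their current WorkSpace (and any local state on it), so it doubles as the communication list for the migration. Users on the target directory already are reported separately so they are not rebuilt by mistake.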