In this post, we’ll look at how we can integrate Amazon AppStream and Okta. Why do this? I’m doing it because I’m looking for one place to go to gain access to ALL of the AppStream stacks I have access to. As you build out an AppStream infrastructure, a single user could have access to stacks spread throughout multiple regions of a single account or multiple regions in multiple accounts.
Let’s assume that within my AWS Organization, I created “Prod” and “Dev” accounts. I could have access to stacks within Prod’s us-east-1 and us-east-2 regions while also having access to a stack within Dev’s eu-central-1 region. If I assigned access using AppStream User Pools, I’d have a separate logon URL (and maybe a different password) for each stack. Over time, this is not the most efficient way to manage access to AppStream stacks that are widely dispersed in terms of physical geography and AWS accounts.
In this post, I’ll be setting up AppStream and Okta integration using a free Okta Developer Account. In full disclosure, I’m no Okta expert. I know just enough to set up this integration, and I say that because, to date, I have not been able to get an Okta Developer account integrated with Active Directory. Thus, for this post, I will be assigning Okta applications to an Okta user as opposed to an Active Directory user. Whenever I try to install the Okta AD Agent and connect it to my test domain, it fails, and after a quick look I’ve operated under the assumption that an Okta Developer account cannot integrate with AD. If this assumption is wrong, please let me know. 🙂
To complete the task at hand, we’ll perform the following steps over the course of (3) posts:
- Post 1: Sign-up for an Okta Developer account
- Post 1: Create Okta applications and retrieve the Identity Provider metadata
- Post 2: Set up an AWS Identity Provider and IAM SAML Role
- Post 3: Update the Okta application(s) with the appropriate SAML Relay State and the ARNs of the AWS Okta IDP and SAML Roles
- Post 3: Assign access to the Okta applications and test
Create an Okta Developer Account and Applications
The steps below show you how to create an Okta Developer account and an Okta application. Once the application is created, we’ll retrieve the IDP metadata needed by AWS to create an IAM Identity Provider. You will need to create an Okta application for every AppStream stack you wish to make available through the Okta login page. If you want to provide access to 3 stacks, you’ll need to create 3 Okta applications, retrieve 3 IDP metadata files, and ultimately create 3 IDPs in IAM.
1. To create an Okta Developer account, open your browser and connect to https://developer.okta.com/signup/
2. Enter your email address and name, and click Sign Up. You should receive an email from Okta pretty quickly which prompts you to activate your account. Click Activate to enable your developer account.
3. When you sign in, it may launch the Developer Console UI. To be honest, there may be a way to configure AppStream applications from here but at this stage of my Okta experience, I need the simplicity of the Classic UI. The steps and screenshots displayed on this post were completed using the Classic UI.
4. Within the Classic UI, click Applications | Applications.
5. On the Applications page, click Add Application.
6. On the Add Application page, search for AppStream and then select Amazon AppStream 2.0.
7. On the Amazon AppStream 2.0 Overview page, click Add.
8. On the General Settings page, specify an Application label and click Done. Though it may be best to match the Okta application label to the AppStream stack name, it’s not required.
9. Once the Okta application is created, the Assignments page will likely be displayed. You could go add users now but I’m going to perform user assignments later. Click Sign On.
10. On the Sign On page, click the Identity Provider metadata link to retrieve the IDP metadata required to create IAM IDPs in AWS.
11. Copy the metadata presented within the browser, paste it into your preferred editor (for example, Notepad ++) and save it as metadata.xml. If you’re adding multiple Okta applications / AppStream stacks, I suggest you save the file into a folder with a name matching that of the Okta application and AppStream stack.
12. If you want to access multiple AppStream stacks from Okta, repeat steps #5-11 to create additional Okta applications (one for each AppStream stack).
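Before uploading each saved metadata.xml to IAM, it is worth checking that the file actually contains what an IAM identity provider needs (an entityID, an HTTP-POST SSO endpoint and a signing certificate) and that you did not paste the same Okta application's metadata into two different stack folders. The script below is an added example, not code from the original post or from Okta; the metadata XML, the `dev-000000.okta.com` domain, the `exk...` application IDs and the certificate bytes are all constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder; not a real DER certificate.
FAKE_CERT_DER = b"constructed placeholder certificate bytes"

def sample_metadata(app_id: str, cert_der: bytes = FAKE_CERT_DER) -> str:
    """Build constructed metadata.xml shaped like what Okta's IdP metadata link returns."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/{app_id}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://dev-000000.okta.com/app/{app_id}/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, HTTP-POST SSO URL and SHA-256 fingerprint of the signing cert.
    Raises ValueError if any of the three is missing. xml.etree is acceptable for metadata
    copied from your own tenant; use defusedxml for XML you do not control."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService[@Binding='%s']" % POST, NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not entity_id or sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks entityID, HTTP-POST SSO endpoint or signing certificate")
    der = base64.b64decode("".join(cert.text.split()))  # Okta wraps the base64 across lines
    return {"entity_id": entity_id, "sso_url": sso.get("Location"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def check_stack_metadata(files: dict) -> dict:
    """files maps stack folder name -> metadata.xml text (one Okta app per stack).
    Returns a per-stack summary; raises if two folders hold the same IdP (copy/paste slip)."""
    seen, summary = {}, {}
    for stack, text in files.items():
        info = parse_idp_metadata(text)
        if info["entity_id"] in seen:
            raise ValueError(f"{stack} and {seen[info['entity_id']]} share entityID {info['entity_id']}")
        seen[info["entity_id"]] = stack
        summary[stack] = info
    return summary

if __name__ == "__main__":
    for stack, info in check_stack_metadata({"prod-us-east-1": sample_metadata("exkAAA"),
                                             "dev-eu-central-1": sample_metadata("exkBBB")}).items():
        print(stack, info["entity_id"], info["sso_url"], info["cert_sha256"][:16])
```

Point the `files` dict at the real metadata.xml files you saved per stack folder to run the same checks against your own tenant's metadata.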
Coming up in Part 2….
In the next post, we’ll continue integrating Okta and AppStream and use the Okta application IDP metadata files to set up AWS Identity Providers. We’ll also create an IAM Role to establish the trust relationship between Okta and AppStream/AWS.