Integrating your Okta identity provider

substrate create-admin-account -quality <quality> will ask for several inputs, which this page will help you provide from your Okta identity provider.

  1. Visit your Okta admin panel in a browser

  2. Click the hamburger menu

  3. Click Applications in the Applications section

  4. Click Create App Integration

  5. Select “OAuth - OpenID Connect”

  6. Select “Web Application”

  7. Click Next

  8. Customize the App integration name

  9. Change the first/only item in Sign-in redirect URIs to “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)

  10. Remove all Sign-out redirect URIs

  11. Select “Limit access to selected groups” and select the groups that are authorized to use AWS (or choose another option; this can always be reconfigured)

  12. Click Save

  13. Paste the Client ID, Client secret, and Okta domain in response to substrate create-admin-account's prompts
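
A preflight check for the values from steps 9 and 13, as an added example that is not part of Substrate or of this page's original text. The function names, example.okta.com and intranet.example.com are assumptions, as are the premises that the Okta domain is the org hostname rather than the "-admin" host shown in the admin panel's address bar, and that its OIDC discovery document is served at /.well-known/openid-configuration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

def normalize_okta_domain(value):
    """Reduce pasted text to a bare hostname; reject the admin-console host."""
    value = value.strip()
    host = (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()
    if not host or "." not in host:
        raise ValueError(f"not a hostname: {value!r}")
    if host.split(".")[0].endswith("-admin"):
        raise ValueError(f"{host} is the admin console host, not the Okta domain")
    return host

def login_redirect_uri(intranet_domain):
    """Sign-in redirect URI from step 9, built from a bare Intranet DNS domain name."""
    return f"https://{intranet_domain.strip().strip('/').lower()}/login"

def discovery_problems(doc, okta_domain):
    """Compare an OIDC discovery document with the Okta domain about to be pasted."""
    base = f"https://{okta_domain}"
    problems = []
    if doc.get("issuer") != base:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {base!r}")
    if not str(doc.get("authorization_endpoint", "")).startswith(base + "/"):
        problems.append("authorization_endpoint is on a different host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

def fetch_discovery(okta_domain):
    """Fetch the live document (needs network; not used by the sample run below)."""
    url = f"https://{okta_domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

# Constructed sample: example.okta.com and intranet.example.com are placeholders.
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    domain = normalize_okta_domain("https://example.okta.com/")
    print(domain, login_redirect_uri("intranet.example.com"))
    print(discovery_problems(SAMPLE_DOC, domain) or "discovery document matches")
```

To check a real org, pass the result of `fetch_discovery(domain)` to `discovery_problems` in place of `SAMPLE_DOC`.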

With your identity provider integrated, jump to deleting unnecessary root access keys.
