Integrating your Okta identity provider
The substrate setup command will ask for several inputs, which this page will help you provide from your Okta identity provider.
Create a custom profile attribute
Visit your Okta admin panel in a browser
Click the hamburger menu
Click Profile Editor in the Directory section
Click User (default) (with type “Okta”)
Click + Add Attribute
Enter “AWS_RoleName” for both Display name and Variable name
Click Save
Create and configure an OAuth OIDC client
Visit your Okta admin panel in a browser
Click the hamburger menu
Click Applications in the Applications section
Click Create App Integration
Select “OAuth - OpenID Connect”
Select “Web Application”
Click Next
Customize App integration name
Change the first/only item in Sign-in redirect URIs to “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name); Okta matches redirect URIs exactly, so the scheme, host, and /login path must all be as shown
Remove all Sign-out redirect URIs
Select “Limit access to selected groups” and select the groups that are authorized to use AWS (or choose another option; this can always be reconfigured)
Click Save
Paste the Client ID, Client secret, and Okta domain in response to substrate setup's prompts (treat the Client secret like any other credential: it is what lets the Intranet exchange authorization codes for tokens)
Click Okta API Scopes
Click Grant at the end of the “okta.users.read.self” line
Authorize users to use AWS
Visit your Okta admin panel in a browser
Click the hamburger menu
Click People in the Directory section
For every user authorized to use AWS:
Click the user's name
Click Profile
Click Edit
In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you're getting started; if for others it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first). Because this attribute decides which role a user gets in AWS, anyone who can edit Okta user profiles can grant AWS access; keep that Okta permission as tightly held as the AWS roles themselves
Click Save
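The two procedures above (configuring the OIDC client and setting AWS_RoleName on each user) are easy to get subtly wrong by hand: an extra redirect URI left in place, a sign-out URI not removed, the scope not granted, an ARN pasted where a role name belongs, or a deprovisioned user still mapped to Administrator. The script below is an added example, not Substrate's or Okta's own code, that audits exported Okta data for exactly those mistakes. It runs offline against constructed sample data shaped like Okta API responses; the settings.oauthClient.redirect_uris and post_logout_redirect_uris field names follow Okta's Apps API, while passing the granted scopes as a plain set of scope names and the example domain intranet.example.com are assumptions made for the example.

```python
"""Offline audit of an Okta -> Substrate integration (added example).

Checks the hand-configured settings this page asks for: exactly one
sign-in redirect URI, no sign-out redirect URIs, the okta.users.read.self
grant, and a usable AWS_RoleName value on each active user.
"""
import re
from dataclasses import dataclass

# IAM role names are 1-64 characters from this set (IAM naming rule).
IAM_ROLE_NAME = re.compile(r"^[\w+=,.@-]{1,64}$")
# Substrate creates these two roles for humans; any other name must be
# added to Substrate before it is referenced from Okta.
BUILT_IN_ROLES = frozenset({"Administrator", "Auditor"})
REQUIRED_SCOPE = "okta.users.read.self"


@dataclass
class Finding:
    severity: str  # "error" or "warn"
    subject: str   # app label or user login
    message: str


def audit_app(app: dict, intranet_domain: str, granted_scopes) -> list:
    """Check the OIDC client settings against what the Substrate Intranet needs."""
    label = app.get("label", "<app>")
    client = app.get("settings", {}).get("oauthClient", {})
    findings = []
    expected = f"https://{intranet_domain}/login"
    redirects = client.get("redirect_uris", [])
    if redirects != [expected]:
        # Okta matches redirect URIs exactly; any extra entry is another
        # place an authorization code could be sent.
        findings.append(Finding("error", label,
                                f"sign-in redirect URIs must be exactly [{expected}], got {redirects}"))
    if client.get("post_logout_redirect_uris"):
        findings.append(Finding("error", label, "sign-out redirect URIs should be removed"))
    if REQUIRED_SCOPE not in set(granted_scopes):
        findings.append(Finding("error", label,
                                f"{REQUIRED_SCOPE} is not granted; the Intranet cannot read AWS_RoleName"))
    return findings


def audit_users(users: list, extra_roles=()) -> tuple:
    """Return (findings, active_administrators) for the AWS_RoleName attribute."""
    allowed = BUILT_IN_ROLES | frozenset(extra_roles)
    findings, admins = [], []
    for user in users:
        profile = user.get("profile", {})   # custom attributes live in the profile object
        login = profile.get("login", "<unknown>")
        role = profile.get("AWS_RoleName")
        if not role:
            continue  # no attribute: this user simply cannot use AWS
        if user.get("status") != "ACTIVE":
            findings.append(Finding("warn", login,
                                    f"{user.get('status')} user is still mapped to {role}; clear the attribute"))
            continue
        if role.startswith("arn:"):
            findings.append(Finding("error", login, "AWS_RoleName holds an ARN; enter the role name only"))
        elif not IAM_ROLE_NAME.match(role):
            findings.append(Finding("error", login, f"{role!r} is not a valid IAM role name"))
        elif role not in allowed:
            findings.append(Finding("error", login, f"{role!r} is not a role Substrate knows about; add it first"))
        elif role == "Administrator":
            admins.append(login)  # worth a periodic review, like any admin list
    return findings, admins


# Constructed sample data (not a real tenant), deliberately containing mistakes.
SAMPLE_APP = {
    "label": "Substrate",
    "settings": {"oauthClient": {
        "redirect_uris": ["https://intranet.example.com/login", "https://localhost/login"],
        "post_logout_redirect_uris": ["https://intranet.example.com"],
    }},
}
SAMPLE_GRANTED_SCOPES = {"okta.users.read.self"}
SAMPLE_USERS = [
    {"status": "ACTIVE", "profile": {"login": "alice@example.com", "AWS_RoleName": "Administrator"}},
    {"status": "ACTIVE", "profile": {"login": "bob@example.com",
                                     "AWS_RoleName": "arn:aws:iam::111122223333:role/Auditor"}},
    {"status": "ACTIVE", "profile": {"login": "carol@example.com", "AWS_RoleName": "Engineer"}},
    {"status": "DEPROVISIONED", "profile": {"login": "dave@example.com", "AWS_RoleName": "Administrator"}},
    {"status": "ACTIVE", "profile": {"login": "erin@example.com"}},
]

if __name__ == "__main__":
    for f in audit_app(SAMPLE_APP, "intranet.example.com", SAMPLE_GRANTED_SCOPES):
        print(f"[{f.severity}] {f.subject}: {f.message}")
    user_findings, admins = audit_users(SAMPLE_USERS, extra_roles=("Engineer",))
    for f in user_findings:
        print(f"[{f.severity}] {f.subject}: {f.message}")
    print("active Administrators:", admins)
```

To run this against a real tenant, feed audit_app the JSON from GET /api/v1/apps/{appId}, audit_users the list from GET /api/v1/users, and build the scope set from the scopeId values returned by GET /api/v1/apps/{appId}/grants. Pass every non-Administrator, non-Auditor role you have added to Substrate via extra_roles, otherwise those users are reported as errors.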
With your identity provider integrated, jump to finishing up in your management account.