Has anyone successfully provisioned accounts in Amazon Web Services? Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Rocky ReyesRocky Reyes 

Has anyone successfully provisioned accounts in Amazon Web Services?

We are setting up SAML for our AWS environment. We have been able to get a user account to log in to AWS using SAML, however an account is not created in AWS even with provisioning turned on in the app settings.

We have been through two long support calls already but have not been able to successfully provision accounts after logging in through Okta. We still have an open support ticket, but I'm just putting feelers out there to see if anyone has been able to acheive this, and what the magic bullet is to get this working.

Thanks in advance,

Thanks in advance.
Raja NejemRaja Nejem (Okta, Inc.)
That is the expected behaviour.  It creates the user for that session, you can also look at the logs and will have logs for that specific user.
Rocky ReyesRocky Reyes
So what is the purpose of enabling provisioning in the app? Is it not to create a user account the first time a user clicks on the app in Okta?
Chris DoddsChris Dodds
The integration is using the concept of SAML role assertion rather than traditional user accounts. It's an AWS best practice to use roles instead of classic credentials where possible. If you don't have user accounts in IAM, there aren't any user accounts to compromise (other than your root account, which should be MFA-ed, locked away, etc).
Rocky ReyesRocky Reyes
Thanks Chris for the insight.
Eric KarlinskyEric Karlinsky (Okta, Inc.)

Hey Rocky,
To add to Chris' explanation, the reason Provisioning is required as part of the Okta setup is: we need an API token to pull the roles from the AWS service so that end users can be assigned specific roles in the Okta app configuration. This function is dependent on the API validation step, which is performed by the admin on the Provisioning tab.