• Okta Classic Engine
• Amazon Web Services SAML 2.0
• AWS China
• User Groups

To use the Amazon Web Services Application from Okta Integration Network for AWS China via user groups, follow these steps:

1. Go to the Okta Admin panel and then Application > Amazon Web Services App > Sign On >  ACS URL (optional and only relevant to SAML SSO).

2. Insert the following link in the field https://signin.amazonaws.cn/saml.

3. Click Save. 

4. Enable Use Group Mapping.

5. Make sure that the Role Value Pattern is set in the following format: 

   arn:aws-cn:iam::${accountid}:saml-provider/OKTA,arn:aws-cn:iam::${accountid}:role/${role}
   

6. Click Save.
    

• Here can find more details regarding Amazon Web Service integration with Okta: How to Configure SAML 2.0 for Amazon Web Service. 

• For more details regarding Amazon Web Services China and the SAML configuration, check the following AWS documentation: Configuring SAML Assertions for the Authentication Response.

NOTE: Please note the extra -cn that was added to:

arn:aws:iam::${accountid}:saml-provider/OKTA,arn:aws:iam::${accountid}:role/${role}
 

AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Related References

• How to Configure SAML 2.0 for Amazon Web Service
• Configuring SAML Assertions for the Authentication Response
• Getting Started with AWS services in China.