This article explains how to establish an OIDC connection between Okta and AWS IAM, in order to use Okta as an enterprise identity provider for accessing an AWS app.
- OpenID Connect (OIDC)
- Amazon Web Services (AWS)
Before beginning
Make sure to have the following:
- An Okta org with "API Access Management" enabled, which is required for access to Custom Authorization Servers.
- An Amazon Web Services account with access to the AWS Identity and Access Management (IAM) dashboard.
On the Okta side
- Log in to Okta and navigate to the Admin Dashboard.
- On the left side of the screen, go to Applications > Applications > Create App Integration.
- For the Sign-in method, select OIDC. The Application Type options should now be visible; select Web Application and then click Next.
- In the application settings, enter a name for the app and a Sign-in Redirect URI for the AWS-protected resource that users will access, and add that URI to the Trusted Origins section as well.
- In the Assignments section, choose who should be assigned to the app automatically. When done, click Save.
- After that, make a note of the Client ID shown on the General tab. It will be needed later in AWS.
- Make a note of the OIDC discovery endpoint for the org and the authorization server in use. It has this format: "https://example.okta.com/oauth2/<auth_server_id>/.well-known/openid-configuration"
For example, if the "default" authorization server is used, the endpoint is "https://example.okta.com/oauth2/default/.well-known/openid-configuration".
On the AWS side
Follow the steps in the AWS support article "Create an OpenID Connect (OIDC) identity provider in IAM", under the "Prepare Smartsheet for the Okta/SCIM integration" section.
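The two values carried from the Okta side to the AWS side are the discovery endpoint (which identifies the issuer) and the Client ID (which becomes the IAM provider's audience). The following added example, which is not part of this article or of Okta's or AWS's own tooling, derives the issuer from the discovery URL, runs a few sanity checks on a discovery document before it is trusted, and shows how the issuer and Client ID map onto an IAM role trust policy that only accepts tokens minted for this app. The discovery document, the Client ID "0oaEXAMPLEclientid" and the account ID "123456789012" are constructed placeholders; the trust-policy shape (federated principal plus a `<provider>:aud` condition) is the standard IAM pattern for OIDC providers and is included here as an assumption about how the role would be written, not as a step the article prescribes.

```python
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of an Okta discovery document, reduced to the fields used
# below. A real one is fetched from the discovery endpoint noted in the Okta steps.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com/oauth2/default",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Placeholders, not real identifiers.
SAMPLE_CLIENT_ID = "0oaEXAMPLEclientid"
SAMPLE_ACCOUNT_ID = "123456789012"


def issuer_from_discovery_url(discovery_url):
    """The issuer is the discovery URL with the well-known suffix removed."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not a discovery URL: " + discovery_url)
    return discovery_url[: -len(DISCOVERY_SUFFIX)]


def check_discovery(doc, expected_issuer):
    """Sanity checks to run on a discovery document before registering its issuer
    in IAM. Returns a list of problems; an empty list means the document is usable."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        # A mismatch means the document does not describe the server we asked about.
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not https")
    jwks = doc.get("jwks_uri", "")
    if not jwks.startswith(issuer.rstrip("/") + "/"):
        # Signing keys should be served from under the issuer, not a third party.
        problems.append(f"jwks_uri {jwks!r} is not under the issuer")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not offered for ID token signing")
    return problems


def iam_provider_name(issuer):
    """IAM identifies an OIDC provider by the issuer without the https:// prefix;
    the same string prefixes the condition keys (<provider>:aud, <provider>:sub)."""
    parsed = urlparse(issuer)
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(account_id, issuer, client_id):
    """Assumed role trust policy: only tokens from this issuer whose audience is
    this app's Client ID may assume the role."""
    provider = iam_provider_name(issuer)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
            }
        ],
    }


if __name__ == "__main__":
    discovery_url = "https://example.okta.com/oauth2/default" + DISCOVERY_SUFFIX
    issuer = issuer_from_discovery_url(discovery_url)
    problems = check_discovery(SAMPLE_DISCOVERY, issuer)
    print("discovery problems:", problems or "none")
    print("IAM provider name:", iam_provider_name(issuer))
    print(json.dumps(build_trust_policy(SAMPLE_ACCOUNT_ID, issuer, SAMPLE_CLIENT_ID), indent=2))
```

The audience condition is what ties the IAM provider back to the specific Okta app created above: without it, any token issued by the same authorization server for a different app would satisfy the trust relationship.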
