Okta Classic Engine | Lifecycle Management | Answered | 2018-09-05T01:27:38.000Z | 2016-02-23T20:32:15.000Z | 2017-07-27T20:04:58.000Z
Has anyone successfully provisioned accounts in Amazon Web Services?
We are setting up SAML for our AWS environment. We have been able to get a user account to log in to AWS using SAML, however an account is not created in AWS even with provisioning turned on in the app settings.

We have been through two long support calls already but have not been able to successfully provision accounts after logging in through Okta. We still have an open support ticket, but I'm just putting feelers out there to see if anyone has been able to achieve this, and what the magic bullet is to get this working.

Thanks in advance.

  • Raja Nejem - 1 (Okta, Inc.)

    That is the expected behaviour.  It creates the user for that session, you can also look at the logs and will have logs for that specific user.
  • Rocky (Customer)

    So what is the purpose of enabling provisioning in the app? Is it not to create a user account the first time a user clicks on the app in Okta?
  • Chris Dodds (Customer)

    The integration is using the concept of SAML role assertion rather than traditional user accounts. It's an AWS best practice to use roles instead of classic credentials where possible. If you don't have user accounts in IAM, there aren't any user accounts to compromise (other than your root account, which should be MFA-ed, locked away, etc).
  • Rocky (Customer)

    Thanks Chris for the insight.
  • Hey Rocky,

    To add to Chris' explanation, the reason Provisioning is required as part of the Okta setup is: we need an API token to pull the roles from the AWS service so that end users can be assigned specific roles in the Okta app configuration. This function is dependent on the API validation step, which is performed by the admin on the Provisioning tab.

    Thanks,

    Eric
This question is closed.
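
As an added illustration of the SAML role assertion described in the replies above (not part of the thread, and not Okta's or AWS's code): this sketch reads the role and session-name attributes that a SAML assertion for AWS carries, which is why sign-in produces a role session rather than an IAM user. The attribute names are the ones AWS documents; the account ID, role names, provider name and user in the sample are constructed, and the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) on untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

# Constructed sample fragment; every identifier in it is made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ExampleIdP,arn:aws:iam::111122223333:role/Admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
   <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """Return the text of every AttributeValue under the named Attribute."""
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, NS)]

def asserted_roles(assertion_xml):
    """Return (session_name, [(account_id, role_arn, provider_arn), ...]).

    This only inspects what the IdP asserted; it does NOT verify the
    XML signature, so it is an audit aid, not an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    roles = []
    for value in attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        matches = [ARN.match(p) for p in parts]
        if len(parts) != 2 or not all(matches):
            raise ValueError(f"malformed Role value: {value!r}")
        # The two ARNs are told apart by type, so their order does not matter here.
        kinds = {m.group(2): (m.group(1), p) for m, p in zip(matches, parts)}
        if set(kinds) != {"role", "saml-provider"}:
            raise ValueError(f"need one role ARN and one provider ARN: {value!r}")
        roles.append((kinds["role"][0], kinds["role"][1], kinds["saml-provider"][1]))
    names = attribute_values(root, SESSION_ATTR)
    return (names[0] if names else None), roles
```

Running `asserted_roles` over a decoded assertion shows which roles a user may assume and the session name that appears in the logs; no IAM user corresponds to any of it.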