Integrating your Okta identity provider
`substrate setup` will ask for several inputs, which this page will help you provide from your Okta identity provider.
Create a custom profile attribute
- Visit your Okta admin panel in a browser
- Click the hamburger menu
- Click Profile Editor in the Directory section
- Click User (default) (with type “Okta”)
- Click + Add Attribute
- Enter “AWS_RoleName” for both Display name and Variable name
- Click Save
Create and configure an OAuth OIDC client
- Visit your Okta admin panel in a browser
- Click the hamburger menu
- Click Applications in the Applications section
- Click Create App Integration
- Select “OAuth - OpenID Connect”
- Select “Web Application”
- Click Next
- Customize App integration name
- Change the first/only item in Sign-in redirect URIs to “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)
- Remove all Sign-out redirect URIs
- Select “Limit access to selected groups” and select the groups that are authorized to use AWS (or choose another option; this can always be reconfigured)
- Click Save
- Paste the Client ID, Client secret, and Okta domain in response to `substrate setup`’s prompts
- Click Okta API Scopes
- Click Grant at the end of the “okta.users.read.self” line
Authorize users to use AWS
- Visit your Okta admin panel in a browser
- Click the hamburger menu
- Click People in the Directory section
- For every user authorized to use AWS:
- Click the user’s name
- Click Profile
- Click Edit
- In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you’re getting started; for others, if the role is not “Administrator” or “Auditor”, make sure you’ve followed adding non-Administrator roles for humans first)
- Click Save
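The three procedures above leave their results in Okta objects you can read back through Okta's management API, which makes it easy to confirm the configuration and to review AWS access periodically. The script below is an added example, not code from Substrate or Okta: it checks that the OIDC app has exactly one sign-in redirect URI (`https://<intranet domain>/login`) and no sign-out URIs, that the `okta.users.read.self` scope grant is active, and that every user's `AWS_RoleName` is a role name rather than an ARN and belongs to a known set of human roles. It also lists who is mapped to Administrator so the least-privilege question ("does this person still need it?") gets asked. The response shapes are assumed to match Okta's documented Apps and Users APIs; the sample records, the `0oaEXAMPLEAPPID` app id and the `intranet.example.com` domain are constructed placeholders. With no credentials in the environment it runs against the sample data.

```python
"""Audit the Okta objects Substrate's identity-provider integration depends on.

Added example, not part of Substrate or Okta. Response shapes assumed from
Okta's Apps API (/api/v1/apps/{id}, /api/v1/apps/{id}/grants) and Users API
(/api/v1/users). All sample records below are constructed placeholders.
"""
import json
import os
import urllib.request

SCOPE_REQUIRED = "okta.users.read.self"
# Role names Substrate creates for humans; add any non-Administrator roles you defined.
DEFAULT_ALLOWED_ROLES = frozenset({"Administrator", "Auditor"})


def check_oidc_client(app, intranet_domain):
    """Findings for the OIDC app: web type, one sign-in URI, no sign-out URIs."""
    findings = []
    oauth = app.get("settings", {}).get("oauthClient", {})
    expected = f"https://{intranet_domain}/login"
    if oauth.get("application_type") != "web":
        findings.append(f"application_type is {oauth.get('application_type')!r}, expected 'web'")
    redirect_uris = oauth.get("redirect_uris", [])
    if redirect_uris != [expected]:
        findings.append(f"redirect_uris is {redirect_uris}, expected [{expected!r}]")
    leftover = oauth.get("post_logout_redirect_uris", [])
    if leftover:
        findings.append(f"sign-out redirect URIs still present: {leftover}")
    return findings


def check_scope_grants(grants):
    """Finding if the okta.users.read.self grant is missing or not ACTIVE."""
    active = {g.get("scopeId") for g in grants if g.get("status") == "ACTIVE"}
    if SCOPE_REQUIRED not in active:
        return [f"scope {SCOPE_REQUIRED} is not granted to the app"]
    return []


def check_user_roles(users, allowed_roles=DEFAULT_ALLOWED_ROLES):
    """(login, finding) pairs for AWS_RoleName values that need attention."""
    findings = []
    for user in users:
        profile = user.get("profile", {})
        login = profile.get("login", "<no login>")
        role = profile.get("AWS_RoleName")
        if not role:
            continue  # no attribute: the user cannot reach AWS, nothing to flag
        if user.get("status") != "ACTIVE":
            findings.append((login, f"{user.get('status')} user still carries AWS_RoleName={role!r}"))
        if role.startswith("arn:"):
            findings.append((login, "AWS_RoleName holds an ARN; Substrate expects the role name only"))
        elif role not in allowed_roles:
            findings.append((login, f"AWS_RoleName={role!r} is not a known human role"))
    return findings


def administrators(users):
    """Logins of active users mapped to Administrator, for least-privilege review."""
    return sorted(u["profile"]["login"] for u in users
                  if u.get("status") == "ACTIVE"
                  and u.get("profile", {}).get("AWS_RoleName") == "Administrator")


def okta_get(okta_domain, api_token, path):
    """GET a JSON resource from the Okta management API with an SSWS API token."""
    req = urllib.request.Request(f"https://{okta_domain}{path}",
                                 headers={"Authorization": f"SSWS {api_token}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample records (not real Okta data) so the checks run offline.
SAMPLE_APP = {"id": "0oaEXAMPLEAPPID", "label": "Substrate Intranet",
              "settings": {"oauthClient": {
                  "application_type": "web",
                  "redirect_uris": ["https://intranet.example.com/login"],
                  "post_logout_redirect_uris": ["https://intranet.example.com/logout"]}}}
SAMPLE_GRANTS = [{"scopeId": "okta.users.read.self", "status": "ACTIVE"}]
SAMPLE_USERS = [
    {"status": "ACTIVE", "profile": {"login": "alice@example.com", "AWS_RoleName": "Administrator"}},
    {"status": "ACTIVE", "profile": {"login": "bob@example.com", "AWS_RoleName": "Auditor"}},
    {"status": "ACTIVE", "profile": {"login": "carol@example.com"}},
    {"status": "ACTIVE", "profile": {"login": "dave@example.com",
                                     "AWS_RoleName": "arn:aws:iam::123456789012:role/Administrator"}},
    {"status": "DEPROVISIONED", "profile": {"login": "eve@example.com", "AWS_RoleName": "Administrator"}},
]

if __name__ == "__main__":
    domain, token = os.environ.get("OKTA_DOMAIN"), os.environ.get("OKTA_API_TOKEN")
    app_id = os.environ.get("OKTA_APP_ID")
    intranet = os.environ.get("INTRANET_DNS_DOMAIN_NAME", "intranet.example.com")
    if domain and token and app_id:
        app = okta_get(domain, token, f"/api/v1/apps/{app_id}")
        grants = okta_get(domain, token, f"/api/v1/apps/{app_id}/grants")
        # Assumes at most one page of users; larger directories need Link-header pagination.
        users = okta_get(domain, token, "/api/v1/users?limit=200")
    else:
        app, grants, users = SAMPLE_APP, SAMPLE_GRANTS, SAMPLE_USERS
    for finding in check_oidc_client(app, intranet) + check_scope_grants(grants):
        print("app:", finding)
    for login, finding in check_user_roles(users):
        print(f"user {login}: {finding}")
    print("Administrators:", ", ".join(administrators(users)))
```

Run it with `OKTA_DOMAIN`, `OKTA_API_TOKEN` (a read-only admin API token) and `OKTA_APP_ID` set to audit the real tenant; against the sample data it reports the leftover sign-out URI, the ARN pasted into dave's attribute, and the deprovisioned user still carrying a role, while alice and bob pass and carol (no attribute, so no AWS access) is left alone.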
With your identity provider integrated, jump to finishing up in your management account.