
Tutorial: Creating an Amazon FinSpace environment with Okta SSO

From the Amazon FinSpace user guide (pages 120-125)

The following tutorial walks you through creating an Amazon FinSpace environment that uses Okta as its SAML 2.0 identity provider (IdP).

Prerequisites

Ensure that a user exists in Okta for each person who will need access to FinSpace. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in Okta with their corresponding users in FinSpace: FinSpace matches a federated login to a FinSpace user by the email address the IdP sends, so the two must be identical.

Setting up SAML based single sign-on

Step 1: Creating an Okta application

Note

You need to have administrator privileges in Okta for this tutorial.

The following steps guide you through the process of creating an Okta application.

1. Sign in to your Okta admin dashboard.

If you don't have an account, you can create a free Okta developer edition account.

2. Choose Applications.

3. Choose Add Application.

4. Choose Create New App.

5. Choose Platform as Web from the drop down menu.

6. Choose SAML 2.0.

7. Specify an App name. For example, FinSpace.

8. Choose Next.

9. Set Single sign on URL to http://placeholder.okta.com. This is only a placeholder so that Okta can generate the SAML metadata document; you will get the actual Single sign on URL (the Redirect / Sign-in URL) once the FinSpace environment is created, and you replace the placeholder in Step 3.


10. Set Audience URI (SP Entity ID) to placeholder. This is only a placeholder Uniform Resource Name (URN) so that Okta can generate the SAML metadata document; you will get the actual URN once the FinSpace environment is created, and you replace the placeholder in Step 3.

11. In the ATTRIBUTE STATEMENTS section, add one attribute statement:

a. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

b. Value: user.email

The Name must be exactly this string, because it is entered again as the attribute mapping in FinSpace (Step 2, item 9), and user.email must hold the same address you later use when adding the user in FinSpace (Step 5).

12. Choose Next.

13. Select I'm an Okta customer adding an internal app.

14. Choose Finish.

15. Right-click Identity Provider metadata and choose Copy Link Address.

16. Save the link in a notepad. You can also download the SAML metadata document itself instead of the link; FinSpace accepts either in Step 2.

Now that you have the SAML metadata document or its URL, let's create a FinSpace environment.

Step 2: Creating a FinSpace environment

Use the following procedure to create a FinSpace environment.

1. Sign in to your AWS account and open FinSpace from the AWS Management Console.

2. Choose Create FinSpace Environment.

3. Enter a name for your FinSpace environment under Environment name. For example, finspace-saml-okta

4. (Optional) Add Environment description.

5. Add a KMS key to encrypt data in your FinSpace environment.

6. Select an Authentication method. Choose Single Sign On (SSO).

7. Specify your Identity provider name. For example, Okta in this scenario.

8. Choose Provide a metadata document URL. Paste the SAML metadata document URL.

9. Set Attribute mapping to the attribute name you configured for email in Okta. Since you set the email attribute Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, enter exactly the same value in this field; a mismatch means FinSpace receives no email claim and cannot map the signed-in user.


10. Choose Create FinSpace Environment. The environment creation process has now begun and takes 50-60 minutes to finish in the background. You can return to other activities while the environment is being created.

11. Once the FinSpace environment is ready, copy and save the Redirect / Sign-in URL and the URN.

Your FinSpace is now created. Finish configuration in Okta.

Step 3: Finish application configuration in Okta

Finish configuration of your FinSpace Okta app with the Redirect / Sign-in URL and URN.

1. Login to your Okta console.

2. Choose the Admin button on the top-right corner.

3. Choose Applications on the top bar menu.

4. Choose the FinSpace app that you had setup with placeholders.

5. Under the General tab, choose Edit on SAML settings.

6. Choose Next.

7. Paste the Redirect / Sign-in URL copied from the FinSpace environment into the Single sign on URL text box, replacing the placeholder.

8. Check Use this for Recipient URL and Destination URL.

9. Paste the URN copied from the FinSpace environment into the Audience URI (SP Entity ID) text box, replacing the placeholder.

10. Choose Next.

11. Choose Finish.
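To see what Steps 1 to 3 actually wire together, here is an added example (written for this page, not code from Amazon or Okta) that parses an Okta-style IdP metadata document, then checks a SAML response for the values FinSpace will compare against: Destination and Recipient against the Redirect / Sign-in URL, Audience against the URN, the Issuer against the metadata entityID, and the presence of the emailaddress attribute. The metadata, the sign-in URL, the URN and the response are all constructed stand-ins; the real values come from your Okta tenant and the FinSpace console. The check deliberately does not verify the XML signature (that needs an xmlsec-backed library, and FinSpace performs it against the signing certificate from the metadata); it catches the configuration mistakes this tutorial is prone to, such as leaving the Step 1 placeholders in place.

```python
"""Added example: check Okta IdP metadata and a SAML response against the
values FinSpace hands out (sign-in URL and URN) after Steps 1 to 3."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Stand-ins for the two values the FinSpace console shows once the environment
# is ready (Step 2, item 11). Constructed; the real ones come from your console.
SIGN_IN_URL = "https://finspace-env.example.invalid/saml2/idpresponse"
URN = "urn:example:finspace-sp"

# Constructed Okta-shaped IdP metadata, i.e. the document behind the
# "Identity Provider metadata" link (Step 1, item 15). Host and cert are made up.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk1example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/finspace/exk1example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from IdP metadata: issuer, POST endpoint, signing cert."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{POST_BINDING}']", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_cert": cert.text.strip()}


def build_response(destination, audience, email, not_after="2030-01-01T00:00:00Z"):
    """Constructed, UNSIGNED response of the shape Okta posts; test data only."""
    xml_text = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk1example</saml:Issuer>
    <saml:Subject><saml:NameID>{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode()).decode()


def check_response(saml_response_b64, idp, sign_in_url, urn, now=None):
    """Return {"findings": [...], "email": ...}; an empty findings list means the
    response matches the environment. Signature verification is NOT done here
    (it needs xmlsec); FinSpace checks it against idp["signing_cert"]."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != sign_in_url:
        findings.append("Destination does not match the FinSpace sign-in URL")
    a = root.find("saml:Assertion", NS)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        findings.append(f"Issuer {issuer!r} is not the metadata entityID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sign_in_url:
        findings.append("Recipient does not match the FinSpace sign-in URL")
    cond = a.find("saml:Conditions", NS)
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != urn:
        findings.append(f"Audience {audience!r} is not the FinSpace URN (Step 3 placeholder left in?)")
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if expiry <= now:
        findings.append("assertion has expired")
    email = None
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not email:
        findings.append(f"no attribute named {EMAIL_CLAIM}; FinSpace cannot map the user")
    return {"findings": findings, "email": email}


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    ok = build_response(SIGN_IN_URL, URN, "alice@example.com")
    print(check_response(ok, idp, SIGN_IN_URL, URN))      # findings: []
    stale = build_response(SIGN_IN_URL, "placeholder", "alice@example.com")
    print(check_response(stale, idp, SIGN_IN_URL, URN))   # one Audience finding
```

Run it as-is to see a clean result followed by the Audience mismatch you get when the Step 1 placeholder is never replaced; feeding it a real Okta response captured from the browser (base64 from the SAMLResponse form field) against your own sign-in URL and URN will show which of the four values is wrong before you start guessing in the Okta console. For untrusted XML in production code, parse with defusedxml rather than xml.etree directly.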

Step 4: Assign user to the FinSpace application in Okta

Now that the application is set up, assign at least one user to the FinSpace app in Okta; that user can then be created as a Superuser for FinSpace.

1. Login to your Okta console.

2. Choose the Admin button on the top-right corner.

3. Choose Applications on the top bar menu.

4. Choose the FinSpace app.

5. Choose the Assignments tab.

6. Choose the Assign drop down menu. A list of users will open.


7. Choose Assign next to the username of the user you would like to designate as the Superuser in FinSpace. You may add multiple users at this point too.

8. Choose Save and Go back.

Step 5: Create superuser in your FinSpace environment

Now that a user is assigned, they can be created as a Superuser in FinSpace.

1. Sign in to your AWS account and open FinSpace from the AWS Management Console.

2. Choose finspace-saml-okta from the list of environments.

3. Choose Add Superuser.

4. Set the email that was used when assigning the user in Okta. The email must match the email of the user that was assigned in the Okta app.

5. Set First Name, Last Name.

6. Choose Create and view credentials. You will not receive a password, because authentication is handled by the Okta IdP.

Step 6: Sign in to FinSpace with Okta IdP credentials

1. Sign in to your AWS account and open FinSpace from the AWS Management Console.

2. Choose finspace-saml-okta from the list of environments.

3. Copy the link under Domain and paste it in your web browser.

4. You will be redirected to your Okta IdP authentication page.

5. Enter your Okta SSO credentials to log in to FinSpace.
