Introduction
Many organizations are using an external identity provider to manage user identities. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your AWS accounts. External identity providers (IdP), such as Okta Universal Directory, can integrate with AWS IAM Identity Center (successor to AWS Single Sign-On) to be the source of truth for AWS IoT SiteWise and Fleet Hub for AWS IoT Device Management (Fleet Hub).
AWS IoT SiteWise Monitor and Fleet Hub support a single sign-on (SSO) experience with AWS IAM Identity Center authentication. Users can access AWS IoT SiteWise Monitor and Fleet Hub with their existing corporate credentials. Identity provider administrators can continue to manage users and groups in their existing identity systems which can then be synchronized with AWS IAM Identity Center. AWS IAM Identity Center enables administrators to connect their existing external identity providers.
In this post, we show you step-by-step guidance to set up SSO with AWS IoT SiteWise Monitor and Fleet Hub with Okta Universal Directory.
Pre-requisites
You need to set up AWS IAM Identity Center and connect to Okta Universal Directory to use the same Okta user login for AWS IoT SiteWise Monitor and Fleet Hub. For instructions, see Single Sign-On between Okta Universal Directory and AWS
The high-level steps are as follows:
Enable IAM Identity Center on the AWS Management Console. Create this IAM Identity Center account in the same AWS Region as AWS IoT SiteWise.
Add IAM Identity Center as an application Okta users can connect to.
Configure the mutual agreement between IAM Identity Center and Okta, download IdP metadata in Okta, and configure an external IdP in IAM Identity Center.
Enable identity synchronization between Okta and IAM Identity Center.
This setup ensures that when a new account is added to Okta and connected to the IAM Identity Center, a corresponding IAM Identity Center user is created automatically.
After you complete these steps, you can see the users assigned on the Okta console as shown below.
You can also see the users on the IAM Identity Center console, on the users page as shown below.
Configure AWS IoT SiteWise Monitor with IAM Identity Center authentication
Follow the steps below to complete the AWS SiteWise Monitor with IAM Identity Center as the authentication method.
1.From the AWS IoT SiteWise console, choose Monitor from the left navigation and then choose Portals. Click on Create portal button to create a IoT SiteWise portal.
2.For Portal configuration, enter the following:
Under Portal details for Portal name, enter okta-iot-sitewise
Under User authentication, choose AWS IAM Identity Center
Under Support contact email, enter your email ID
Under Permissions, choose Create and use a new service role
3.Under Additional features – optional screen, choose only Enable alarms and then, choose Create to complete the portal creation.
4.Under Invite administrators, choose users from your Okta identity store and then choose Assign Users to complete the portal configuration.
5.Once you complete all above steps, the system will create a unique URL for your AWS IoT SiteWise Monitor access through an external identity provider like Okta.
Configure Fleet Hub for AWS IoT Device Management with IAM Identity Center authentication
Follow the steps below to complete the Fleet Hub for AWS IoT Device Management with IAM Identity Center as the authentication method.
1.From the Fleet Hub for AWS IoT Device Management console, choose Create application. It will redirect to set up access in IAM Identity Center screen as shown below and then choose Next.
2.For Index AWS IoT data, keep all default options and then,choose Next.
3.For Configure application:
Under Application role, choose Create a new service role
Under Role name, Enter Fleethubrole
Under Application details, for Application name enter Fleethub-Okta
Click on Add users and choose your external identity provider users as shown below
Choose Add selected users to complete the access assignments. Now the Fleet Hub application is ready for use and you can use your external identity provider Okta credentials to access Fleet Hub.
Accessing AWS IoT SiteWise Monitor and Fleet Hub via IAM Identity Center
As a user, you can start in one of three ways:
AWS IoT SiteWise
1.Start from the Okta user portal page, select IAM Identity Center application and choose AWS IoT SiteWise Monitor.
2.Start from the IAM Identity Center user portal and it will redirect to the Okta login page for authentication and then,choose Fleet Hub.
3.Use the AWS IoT SiteWise Monitor Portal URL as shown above and it will redirect to the Okta login page for authentication.
Fleet Hub
1.Start from the Okta user portal page, select IAM Identity Center application and choose Fleet Hub.
2.Start from the AWS Identity Center user portal and it will redirect to the Okta login page for authentication and then, choose Fleet Hub.
3.Use the Fleet Hub Portal URL as shown above and it will redirect to the Okta login page for authentication.
Cleanup
If you followed along with this solution, we suggest that you complete the following steps to avoid incurring charges to your AWS account once you have completed the walk through.
Deleting AWS IoT SiteWise
Deleting Fleet Hub
Deleting your okta account (if needed)
Deleting IAM Identity Center
Conclusion
AWS IoT SiteWise Monitor and Fleet Hub support a single sign-on experience with IAM Identity Center authentication. Industrial customers use many different security tools and need an easy way to integrate with AWS services. When implementing IIoT solutions, AWS recommends following the Ten security golden rules. Golden rule #3 discusses the need for having unique identities and managing user identities for IIoT web and mobile apps using Amazon Cognito or third party identity providers like Okta.
In this post, we showed how you can take advantage of the new IAM Identity Center capabilities to use Okta identities to access AWS IoT SiteWise Monitor and Fleet Hub for AWS IoT Device Management. Administrators can now use a single source of truth to manage their users, and users no longer need to manage an additional identity and password to sign in to their AWS accounts and applications.
IAM Identity Center with Okta is free to use and available in all Regions where AWS Identity Center is available. Please read the product documentation to learn more about AWS IoT SiteWise and the Fleet Hub product documentation to learn more about Fleet Hub.
Authors
Raghavarao Sodabathina is a Principal Solutions Architect at AWS, focusing on Data Analytics, AI/ML and Serverless platform. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.
Krupanidhi Jay is a Boston-based Enterprise Solutions Architect at AWS. He is a seasoned architect with over 20 years of experience in helping customers with digital transformation and delivering seamless digital user experiences. He enjoys working with customers to help them build scalable, cost-effective solutions in AWS. Outside of work, Jay enjoys spending time with family and traveling.
Leave a Reply
You must be logged in to post a comment.