Enable SAML

  1. Log in to your Okta account using the domain name assigned to it. You can find your Okta domain name in the activation email (in my case it was https://dev-580341.okta.com/login/login.htm). You may have to click the Admin button, depending on how Okta authenticates you.
  2. If you are using the Developer Console, you first need to switch to the Classic UI console. If you see Developer Console at the top left of the page, click on it and select Classic UI to switch.
  3. Select People from the Directory menu, and then click the Add Person button.
  4. Fill in the form as shown in the picture below. Enter emr-developer@somecompany.com in the Username field. Under the Password option, select Set by admin from the drop-down and enter Password1! as the password. Uncheck the option User must change password on first login and click the Save button. We will use this user to authenticate and authorize fine-grained access to AWS Lake Formation tables and columns.
  5. Go to Applications from the menu and click the Add Application button. Select Create New App on the left.
  6. In the Create a New Application Integration dialog box, select Web as the platform, select SAML 2.0 as the Sign on method, and click Create.
  7. On the General Settings page, enter Lake-Formation as the App name and then click Next.
  8. On the Configure SAML page, fill in the form with the following information:
    • Copy and paste the following URL into the Single sign on URL field:
      https://public-dns:8442/gateway/knoxsso/api/v1/websso?pac4jCallback=true&client_name=SAML2Client
    • For the Audience URI (SP Entity ID) field, enter the following value:
      urn:amazon:webservices
    • Now go to the Attribute Statements section and add the three attribute statements shown below. Make sure to replace account-id with your AWS account ID.
      1. Name: https://aws.amazon.com/SAML/Attributes/Role
        Value: arn:aws:iam::account-id:role/LF-SAML-Role-Okta,arn:aws:iam::account-id:saml-provider/oktaSAMLProvider
      2. Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
        Value: user.firstName
      3. Name: https://lakeformation.amazon.com/SAML/Attributes/Username
        Value: user.firstName
  9. Click Next. In the Feedback tab, select I'm an Okta customer adding an internal app. The section expands and displays more options. Select This is an internal app that we have created as the App type. Click on Finish.
  10. Click on the Assignments tab.
  11. Click Assign and then select Assign to People.
  12. Click the Assign button next to the user emr-developer you created earlier.
  13. On the next screen, change the username to just emr-developer and click the Save and Go Back button.
  14. Verify all the information for the Lake-Formation application.
  15. Go to the Sign On tab of the Lake-Formation application. In the SIGN ON METHODS section, locate the Identity Provider metadata link. Download the metadata file using that link and save it on your laptop.
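As an added example (not part of this guide, and not Okta's or AWS's own tooling), the following Python script shows what the three attribute statements from step 8 end up looking like inside the SAML assertion, and checks an assertion for the things AWS STS and Lake Formation depend on: the audience urn:amazon:webservices, a Role attribute that pairs a role ARN with a SAML provider ARN from the same AWS account, and a single well-formed RoleSessionName. The assertion embedded in the script is constructed for illustration; the account ID 123456789012, the issuer value and the attribute values are placeholders. The script parses the assertion only; XML signature verification, which the service provider performs before trusting any of these values, is outside what it covers.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as configured in step 8 of the guide.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
LF_USER_ATTR = "https://lakeformation.amazon.com/SAML/Attributes/Username"
EXPECTED_AUDIENCE = "urn:amazon:webservices"

# STS constraints on RoleSessionName: 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample assertion (not a real Okta response); the Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Issuer>http://www.okta.com/ISSUER-PLACEHOLDER</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/LF-SAML-Role-Okta,arn:aws:iam::123456789012:saml-provider/oktaSAMLProvider</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>emr-developer</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://lakeformation.amazon.com/SAML/Attributes/Username">
      <saml:AttributeValue>emr-developer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def arn_account(arn):
    """Return the account ID field of an IAM ARN (arn:partition:iam::ACCOUNT:resource)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn}")
    return parts[4]


def parse_role_pair(value):
    """Split a Role attribute value into (role_arn, provider_arn).

    AWS accepts the two ARNs in either order, so each is identified by its
    resource type rather than by position.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role value must be 'role-arn,provider-arn': {value}")
    role_arn = next((p for p in parts if ":role/" in p), None)
    provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
    if role_arn is None or provider_arn is None:
        raise ValueError(f"Role value must contain one role ARN and one saml-provider ARN: {value}")
    if arn_account(role_arn) != arn_account(provider_arn):
        raise ValueError(f"role and provider ARNs belong to different accounts: {value}")
    return role_arn, provider_arn


def extract_attributes(assertion_xml):
    """Return ({attribute name: [values]}, [audiences]) from an assertion document."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    return attrs, audiences


def validate_assertion(assertion_xml, expected_account):
    """Check the assertion carries what the AWS federation flow in the guide relies on."""
    attrs, audiences = extract_attributes(assertion_xml)
    problems = []
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {EXPECTED_AUDIENCE!r} missing (got {audiences})")
    roles = []
    for value in attrs.get(ROLE_ATTR, []) or []:
        try:
            role_arn, provider_arn = parse_role_pair(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if arn_account(role_arn) != expected_account:
            problems.append(f"role ARN is not in account {expected_account}: {role_arn}")
        roles.append((role_arn, provider_arn))
    if not roles and not any(p.startswith("Role value") for p in problems):
        problems.append("Role attribute missing")
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not SESSION_NAME_RE.match(session[0]):
        problems.append(f"RoleSessionName must be one value matching {SESSION_NAME_RE.pattern}: {session}")
    if len(attrs.get(LF_USER_ATTR, [])) != 1:
        problems.append("Lake Formation Username attribute must have exactly one value")
    return {
        "ok": not problems,
        "problems": problems,
        "roles": roles,
        "session_name": session[0] if len(session) == 1 else None,
    }


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "123456789012"))
```

Running the script against the constructed assertion reports ok with the role and provider pair extracted; passing a different account ID flags the role ARN, which is the mismatch you would see if account-id in step 8 were left unreplaced or pointed at the wrong account.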