Amazon Chime
Administration Guide

Connect to Okta SSO

If you have an enterprise account, you can connect to Okta SSO to authenticate and assign user permissions.

Note

If you need to create an enterprise account, which allows you to manage all users within a given set of email address domains, see Create an Amazon Chime Account.

To connect to Okta SSO

  1. Create the Amazon Chime application (OpenID Connect) in the Okta Administration Console:

    1. Sign in to the Okta Administration Dashboard, then choose Add Application. In the Create New Application dialog box, choose Web, Next.

    2. Configure the Application Settings:

      1. Name the application Amazon Chime.

      2. Type the following for the Login Redirect URI: https://signin.id.ue1.app.chime.aws/auth/okta/callback

      3. In the Allowed Grant Types section, select all of the options to enable them.

      4. On the Login initiated by drop-down menu, choose Either (Okta or App), select all the related options, and choose Save.

      5. Keep this page open, because you'll need the Client ID, Client secret, and Issuer URI information for Step 2.

  2. In the Amazon Chime console, follow these steps:

    1. On the Okta single-sign on configuration page, at the top of the page, choose Set up incoming keys.

    2. In the Setup incoming Okta keys dialog box:

      1. Paste the Client ID and Client secret information from the Okta Application Settings page.

      2. Paste the appropriate Issuer URI from the Okta API page.

  3. Set up the Amazon Chime SCIM Provisioning application in the Okta Administration Console to exchange select identity and group membership information with Amazon Chime:

    1. In the Okta Administration Console, choose Applications, Add Application, search for Amazon Chime SCIM Provisioning, and add the application.

      Important

      During the initial setup, choose both Do not display application to users and Do not display application icon in the Okta Mobile App, then choose Done.

    2. On the Provisioning tab, choose Configure API Integration, and select Enable API Integration. Keep this page open, because you'll need to copy an API access key to it for the following step.

    3. In the Amazon Chime console, choose Create access key to create an API access key. Copy it to the Okta API Token field in the Configure API Integration dialog box, choose Test the Integration, then choose Save.

    4. Configure the actions and attributes that Okta will use to update Amazon Chime. On the Provisioning tab, under the To App section, choose Edit, choose from Enable Users, Update User Attributes, and Deactivate Users, and choose Save.

    5. On the Assignments tab, grant users permissions to the new SCIM app.

      Important

      We recommend granting permissions through a group that contains all the users who should have access to Amazon Chime, regardless of license. This group must be the same group used to assign the user-facing OIDC application in step 1. Otherwise, end users will not be able to sign in.

    6. On the Push Groups tab, configure which groups and memberships are synced to Amazon Chime. These groups are used to differentiate between Basic and Pro users.

  4. Configure directory groups in Amazon Chime:

    1. In the Amazon Chime console, navigate to the Okta single-sign on configuration page.

    2. Under Directory groups, choose Add new groups.

    3. Type the name of a directory group to add to Amazon Chime. The name must exactly match one of the Push Groups configured previously in step 3, substep 6.

    4. Choose whether users in this group should receive Basic or Pro capabilities, and choose Save. Repeat this process to configure additional groups.

      Note

      If you receive an error message stating that the group is not found, the two systems might not have completed the sync. Wait for a few minutes, and choose Add new groups again.

Choosing Basic or Pro capabilities for the users in your directory group affects the license, capabilities, and cost of those users in your Amazon Chime Enterprise Account. For more information, see Pricing.
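
The group rules in steps 3 and 4 (same assignment group for the OIDC and SCIM applications, and directory group names that exactly match a Push Group) can be checked before troubleshooting sign-in or "group not found" errors. The following is an added example, not part of this guide and not an Okta or Amazon Chime API: it works on group names you have copied out of both consoles, and the function name and all group names are hypothetical.

```python
"""Pre-flight check for the group rules in steps 3 and 4 (added example)."""
import unicodedata

def _fold(name):
    # Normalisation is used only to spot near-misses; the real check stays exact.
    return " ".join(unicodedata.normalize("NFKC", name).split()).casefold()

def check_groups(oidc_groups, scim_groups, push_groups, chime_groups):
    """Return (severity, message) findings.

    oidc_groups  - groups assigned to the OIDC application (step 1)
    scim_groups  - groups on the SCIM app's Assignments tab (step 3)
    push_groups  - groups on the SCIM app's Push Groups tab (step 3)
    chime_groups - {directory group name: "Basic" or "Pro"} (step 4)
    """
    findings = []
    # Step 3: both applications must be assigned through the same group.
    for g in sorted(set(oidc_groups) ^ set(scim_groups)):
        where = "OIDC app" if g in oidc_groups else "SCIM app"
        findings.append(("error", f"group {g!r} is assigned only to the {where}"))
    # Step 4: a directory group name must be an exact match of a Push Group.
    folded_push = {_fold(p): p for p in push_groups}
    for name, tier in chime_groups.items():
        if tier not in ("Basic", "Pro"):
            findings.append(("error", f"{name!r}: unknown capability {tier!r}"))
        if name in push_groups:
            continue
        near = folded_push.get(_fold(name))
        if near is not None:
            findings.append(("error", f"{name!r} differs from Push Group {near!r} only by case or spacing"))
        else:
            findings.append(("error", f"{name!r} is not a Push Group, or the sync has not completed"))
    # Pushed groups that were never added under Directory groups.
    for p in sorted(set(push_groups) - set(chime_groups)):
        findings.append(("warn", f"Push Group {p!r} has not been added as a directory group"))
    return findings

# Constructed sample data; every group name here is hypothetical.
SAMPLE = dict(
    oidc_groups=["Chime-All-Users"],
    scim_groups=["Chime-All-Users", "Chime-Contractors"],
    push_groups=["Chime-Pro", "Chime-Basic", "Chime-Interns"],
    chime_groups={"Chime-Pro": "Pro", "chime-basic ": "Basic", "Chime-Guests": "Basic"},
)

if __name__ == "__main__":
    for severity, msg in check_groups(**SAMPLE):
        print(f"{severity.upper():5} {msg}")
```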