AWS Security ChangesHomeSearch

AWS quicksuite documentation change

Service: quicksuite · 2026-01-28 · Documentation low

File: quicksuite/latest/userguide/outlook-extension.md

Summary

Restructured documentation to support both Entra ID and Okta identity providers for IAM Identity Center integration. Added detailed Okta configuration steps including app integration setup, callback URIs, and trusted token issuer configuration. Updated terminology from Azure-specific to generic identity provider references.

Security assessment

The changes enhance security documentation by adding OAuth/OIDC configuration guidance for Okta integration, including proper client secret management, callback URI validation, and trusted token issuer setup. However, there's no evidence these changes address a specific security vulnerability. The updates improve authentication documentation but don't reference any security incidents or patches.

Diff

diff --git a/quicksuite/latest/userguide/outlook-extension.md b/quicksuite/latest/userguide/outlook-extension.md
index 4077da504..fc4933e3c 100644
--- a//quicksuite/latest/userguide/outlook-extension.md
+++ b//quicksuite/latest/userguide/outlook-extension.md
@@ -85 +85 @@ These default mappings ensure secure and accurate user identification across bot
-  * Add Microsoft Outlook extension access for accounts using IAM Identity Center and Entra ID
+  * Add Microsoft Outlook extension access for accounts using IAM Identity Center
@@ -96 +96 @@ These default mappings ensure secure and accurate user identification across bot
-### Add Microsoft Outlook extension access for accounts using IAM Identity Center and Entra ID
+### Add Microsoft Outlook extension access for accounts using IAM Identity Center
@@ -98 +98,5 @@ These default mappings ensure secure and accurate user identification across bot
-Follow these steps to set up and configure an Azure tenant on your Microsoft Azure portal:
+Configuring extension access with IAM Identity Center requires completing steps specific to your identity provider (Entra ID or Okta) followed by common setup steps in AWS.
+
+#### Configure IAM Identity Center with Entra ID
+
+Follow these steps only if you are using IAM Identity Center with Entra ID to set up and configure an Azure tenant on your Microsoft Azure portal:
@@ -145 +149 @@ Follow these steps to configure a Trusted Token Issuer on your IAM Identity Cent
-The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See [Trusted token issuer configuration settings](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html).
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
@@ -151,0 +156,72 @@ The issuer URL should be the OIDC discovery endpoint of your identity without th
+After completing these Entra ID-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Configure IAM Identity Center with Okta
+
+Follow these steps only if you are using IAM Identity Center with Okta to set up and configure your App Integration in the Okta Admin console:
+
+###### To set up an Okta Application
+
+  1. In your Okta account, create a new Okta App Integration.
+
+    1. In your Okta Admin console, navigate to **Applications** > **Applications**.
+
+    2. Click on **Create App Integration**.
+
+    3. For the Sign-in method, select **OIDC - OpenID Connect**.
+
+    4. For the Application type, select **Web Application**.
+
+    5. Click on **Next**.
+
+    6. Provide an App integration name.
+
+    7. Under **Grant type** > **Core grants** , ensure **Authorization Code** and **Refresh Token** are selected.
+
+    8. Under **Grant type** > **Advanced** > **Other grants** , ensure **Implicit (hybrid)** is selected.
+
+  2. Add callback URIs for each Region in which your Outlook extension will be installed
+
+    1. Compose a callback URI using the following format, replacing `your-region` with your Amazon Quick Suite instance Region for each region where you wish to configure the extension. The Outlook extension supports the following Regions: `ap-southeast-2`, `eu-west-1`, `us-west-2`, and `us-east-1`.
+        
+                qbs-cell001.dp.appintegrations.your-region.prod.plato.ai.aws.dev/auth/idc-tti/callback
+
+    2. Under **Sign-in redirect URIs** , click on **Add URI** and paste each of the URIs you generated from the previous step.
+
+  3. Provide your organization access to the app:
+
+    1. Under **Assignments** > **Controlled access** , select the groups in your organization that need to have access.
+
+    2. Under **Assignments** > **Enable immediate access** , select **Enable immediate access with Federation Broker Mode**.
+
+    3. Click on **Save**.
+
+  4. Note down the **Client ID** and **Client Secret** for the app integration you just created. You will need this in the next steps.
+
+
+
+
+###### To configure a Trusted Token Issuer
+
+  1. Go to your AWS account and navigate to your IAM Identity Center instance.
+
+  2. Navigate to **Settings** > **Authentication**.
+
+  3. Choose **Create trusted token issuer**.
+
+  4. Add the issuer URL, which should follow this template, where `yourOktaDomain` refers to the okta URL for your organization, which may look like `your-organization.okta.com`:
+    
+        https://{yourOktaDomain}/oauth2/default
+
+###### Note
+
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
+
+  5. Choose **Email** as the Identity Provider attribute and IAM Identity Center attribute.
+
+
+
+
+After completing these Okta-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Complete AWS Configuration (all providers)
+
@@ -179 +255 @@ Follow these steps to set up permissions on AWS Console:
-  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your Azure app registration by adding the following statement replacing `your-region` with the Region you chose when creating the Azure app registration:
+  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your identity provider app integration by adding the following statement replacing `your-region` with the Region you chose when creating your identity provider app integration:
@@ -274 +350 @@ Once created, this extension access configuration enables authors and other admi
-For your end users to begin using your Microsoft Outlook extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see [Installing your Microsoft Outlook extension in the Microsoft Outlook extension author guide](https://docs.aws.amazon.com/quicksuite/latest/userguide/outlook-extension-author-guide.html#add-extensions-outlook).
+For your end users to begin using your Microsoft Outlook extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see Installing your Microsoft Outlook extension in the Microsoft Outlook extension author guide.