AWS Security ChangesHomeSearch

AWS quicksuite documentation change

Service: quicksuite · 2026-01-28 · Documentation low

File: quicksuite/latest/userguide/slack-extension.md

Summary

Updated Slack extension documentation to support both Entra ID and Okta identity providers with IAM Identity Center. Removed Entra ID-specific references, added Okta configuration steps, restructured content into provider-specific sections, and updated terminology.

Security assessment

The changes enhance security documentation by adding Okta integration steps and clarifying OIDC configuration requirements. However, there's no evidence of addressing a specific vulnerability. The updates improve authentication documentation (security feature) but don't reference any security incidents or patches.

Diff

diff --git a/quicksuite/latest/userguide/slack-extension.md b/quicksuite/latest/userguide/slack-extension.md
index b6a85b42b..6d23aea4d 100644
--- a//quicksuite/latest/userguide/slack-extension.md
+++ b//quicksuite/latest/userguide/slack-extension.md
@@ -89 +89 @@ These default mappings ensure secure and accurate user identification across bot
-  * Add Slack extension access for accounts using IAM Identity Center and Entra ID
+  * Add Slack extension access for accounts using IAM Identity Center
@@ -100 +100 @@ These default mappings ensure secure and accurate user identification across bot
-### Add Slack extension access for accounts using IAM Identity Center and Entra ID
+### Add Slack extension access for accounts using IAM Identity Center
@@ -102 +102,5 @@ These default mappings ensure secure and accurate user identification across bot
-Follow these steps to set up and configure an Azure tenant on your Microsoft Azure portal:
+Configuring extension access with IAM Identity Center requires completing steps specific to your identity provider (Entra ID or Okta) followed by common setup steps in AWS.
+
+#### Configure IAM Identity Center with Entra ID
+
+Follow these steps only if you are using IAM Identity Center with Entra ID to set up and configure an Azure tenant on your Microsoft Azure portal:
@@ -149 +153 @@ Follow these steps to configure a Trusted Token Issuer on your IAM Identity Cent
-The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See [Trusted token issuer configuration settings](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html).
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
@@ -155,0 +160,72 @@ The issuer URL should be the OIDC discovery endpoint of your identity without th
+After completing these Entra ID-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Configure IAM Identity Center with Okta
+
+Follow these steps only if you are using IAM Identity Center with Okta to set up and configure your App Integration in the Okta Admin console:
+
+###### To set up an Okta Application
+
+  1. In your Okta account, create a new Okta App Integration.
+
+    1. In your Okta Admin console, navigate to **Applications** > **Applications**.
+
+    2. Click on **Create App Integration**.
+
+    3. For the Sign-in method, select **OIDC - OpenID Connect**.
+
+    4. For the Application type, select **Web Application**.
+
+    5. Click on **Next**.
+
+    6. Provide an App integration name.
+
+    7. Under **Grant type** > **Core grants** , ensure **Authorization Code** and **Refresh Token** are selected.
+
+    8. Under **Grant type** > **Advanced** > **Other grants** , ensure **Implicit (hybrid)** is selected.
+
+  2. Add callback URIs for each Region in which your Slack extension will be installed
+
+    1. Compose a callback URI using the following format, replacing `your-region` with your Amazon Quick Suite instance Region for each region where you wish to configure the extension. The Slack extension supports the following Regions: `ap-southeast-2`, `eu-west-1`, `us-west-2`, and `us-east-1`.
+        
+                qbs-cell001.dp.appintegrations.your-region.prod.plato.ai.aws.dev/auth/idc-tti/callback
+
+    2. Under **Sign-in redirect URIs** , click on **Add URI** and paste each of the URIs you generated from the previous step.
+
+  3. Provide your organization access to the app:
+
+    1. Under **Assignments** > **Controlled access** , select the groups in your organization that need to have access.
+
+    2. Under **Assignments** > **Enable immediate access** , select **Enable immediate access with Federation Broker Mode**.
+
+    3. Click on **Save**.
+
+  4. Note down the **Client ID** and **Client Secret** for the app integration you just created. You will need this in the next steps.
+
+
+
+
+###### To configure a Trusted Token Issuer
+
+  1. Go to your AWS account and navigate to your IAM Identity Center instance.
+
+  2. Navigate to **Settings** > **Authentication**.
+
+  3. Choose **Create trusted token issuer**.
+
+  4. Add the issuer URL, which should follow this template, where `yourOktaDomain` refers to the okta URL for your organization, which may look like `your-organization.okta.com`:
+    
+        https://{yourOktaDomain}/oauth2/default
+
+###### Note
+
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
+
+  5. Choose **Email** as the Identity Provider attribute and IAM Identity Center attribute.
+
+
+
+
+After completing these Okta-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Complete AWS Configuration (all providers)
+
@@ -183 +259 @@ Follow these steps to set up permissions on AWS Console:
-  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your Azure app registration by adding the following statement replacing `your-region` with the Region you chose when creating the Azure app registration:
+  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your identity provider app integration by adding the following statement replacing `your-region` with the Region you chose when creating your identity provider app integration:
@@ -274 +350 @@ You can also navigate to the installation screen from **Connections** > **Extens
-Once created, this extension access configuration enables authors and other admins in your organization to deploy Amazon Quick Suite Slack extensions in their workspace.
+Once created, this extension access configuration enables authors and other admin in your organization to create and deploy Amazon Quick Suite extensions within your Slack environment.
@@ -278 +354 @@ Once created, this extension access configuration enables authors and other admi
-For your end users to begin using your Slack extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see [Installing your Slack extension in the Slack extension author guide](https://docs.aws.amazon.com/quicksuite/latest/userguide/slack-extension-author-guide.html#add-extensions-slack).
+For your end users to begin using your Slack extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see Installing your Slack extension in the Slack extension author guide.