AWS quicksuite documentation change
Summary
Updated Slack extension documentation to support both Entra ID and Okta identity providers with IAM Identity Center. Removed Entra ID-specific references, added Okta configuration steps, restructured content into provider-specific sections, and updated terminology.
Security assessment
The changes enhance security documentation by adding Okta integration steps and clarifying OIDC configuration requirements. However, there's no evidence of addressing a specific vulnerability. The updates improve authentication documentation (security feature) but don't reference any security incidents or patches.
Diff
diff --git a/quicksuite/latest/userguide/slack-extension.md b/quicksuite/latest/userguide/slack-extension.md index b6a85b42b..6d23aea4d 100644 --- a//quicksuite/latest/userguide/slack-extension.md +++ b//quicksuite/latest/userguide/slack-extension.md @@ -89 +89 @@ These default mappings ensure secure and accurate user identification across bot - * Add Slack extension access for accounts using IAM Identity Center and Entra ID + * Add Slack extension access for accounts using IAM Identity Center @@ -100 +100 @@ These default mappings ensure secure and accurate user identification across bot -### Add Slack extension access for accounts using IAM Identity Center and Entra ID +### Add Slack extension access for accounts using IAM Identity Center @@ -102 +102,5 @@ These default mappings ensure secure and accurate user identification across bot -Follow these steps to set up and configure an Azure tenant on your Microsoft Azure portal: +Configuring extension access with IAM Identity Center requires completing steps specific to your identity provider (Entra ID or Okta) followed by common setup steps in AWS. + +#### Configure IAM Identity Center with Entra ID + +Follow these steps only if you are using IAM Identity Center with Entra ID to set up and configure an Azure tenant on your Microsoft Azure portal: @@ -149 +153 @@ Follow these steps to configure a Trusted Token Issuer on your IAM Identity Cent -The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See [Trusted token issuer configuration settings](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html). +The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings. @@ -155,0 +160,72 @@ The issuer URL should be the OIDC discovery endpoint of your identity without th +After completing these Entra ID-specific steps, proceed to the Complete AWS Configuration (all providers) section below. + +#### Configure IAM Identity Center with Okta + +Follow these steps only if you are using IAM Identity Center with Okta to set up and configure your App Integration in the Okta Admin console: + +###### To set up an Okta Application + + 1. In your Okta account, create a new Okta App Integration. + + 1. In your Okta Admin console, navigate to **Applications** > **Applications**. + + 2. Click on **Create App Integration**. + + 3. For the Sign-in method, select **OIDC - OpenID Connect**. + + 4. For the Application type, select **Web Application**. + + 5. Click on **Next**. + + 6. Provide an App integration name. + + 7. Under **Grant type** > **Core grants** , ensure **Authorization Code** and **Refresh Token** are selected. + + 8. Under **Grant type** > **Advanced** > **Other grants** , ensure **Implicit (hybrid)** is selected. + + 2. Add callback URIs for each Region in which your Slack extension will be installed + + 1. Compose a callback URI using the following format, replacing `your-region` with your Amazon Quick Suite instance Region for each region where you wish to configure the extension. The Slack extension supports the following Regions: `ap-southeast-2`, `eu-west-1`, `us-west-2`, and `us-east-1`. + + qbs-cell001.dp.appintegrations.your-region.prod.plato.ai.aws.dev/auth/idc-tti/callback + + 2. Under **Sign-in redirect URIs** , click on **Add URI** and paste each of the URIs you generated from the previous step. + + 3. Provide your organization access to the app: + + 1. Under **Assignments** > **Controlled access** , select the groups in your organization that need to have access. + + 2. Under **Assignments** > **Enable immediate access** , select **Enable immediate access with Federation Broker Mode**. + + 3. Click on **Save**. + + 4. Note down the **Client ID** and **Client Secret** for the app integration you just created. You will need this in the next steps. + + + + +###### To configure a Trusted Token Issuer + + 1. Go to your AWS account and navigate to your IAM Identity Center instance. + + 2. Navigate to **Settings** > **Authentication**. + + 3. Choose **Create trusted token issuer**. + + 4. Add the issuer URL, which should follow this template, where `yourOktaDomain` refers to the okta URL for your organization, which may look like `your-organization.okta.com`: + + https://{yourOktaDomain}/oauth2/default + +###### Note + +The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings. + + 5. Choose **Email** as the Identity Provider attribute and IAM Identity Center attribute. + + + + +After completing these Okta-specific steps, proceed to the Complete AWS Configuration (all providers) section below. + +#### Complete AWS Configuration (all providers) + @@ -183 +259 @@ Follow these steps to set up permissions on AWS Console: - 10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your Azure app registration by adding the following statement replacing `your-region` with the Region you chose when creating the Azure app registration: + 10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your identity provider app integration by adding the following statement replacing `your-region` with the Region you chose when creating your identity provider app integration: @@ -274 +350 @@ You can also navigate to the installation screen from **Connections** > **Extens -Once created, this extension access configuration enables authors and other admins in your organization to deploy Amazon Quick Suite Slack extensions in their workspace. +Once created, this extension access configuration enables authors and other admin in your organization to create and deploy Amazon Quick Suite extensions within your Slack environment. @@ -278 +354 @@ Once created, this extension access configuration enables authors and other admi -For your end users to begin using your Slack extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see [Installing your Slack extension in the Slack extension author guide](https://docs.aws.amazon.com/quicksuite/latest/userguide/slack-extension-author-guide.html#add-extensions-slack). +For your end users to begin using your Slack extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see Installing your Slack extension in the Slack extension author guide.