AWS Security ChangesHomeSearch

AWS quicksuite documentation change

Service: quicksuite · 2026-01-28 · Documentation low

File: quicksuite/latest/userguide/word-extension.md

Summary

Expanded Microsoft Word extension setup documentation to include Okta as an identity provider alongside Entra ID, restructured content into provider-specific sections, and added a common AWS configuration section.

Security assessment

The changes add detailed Okta configuration steps for secure authentication integration but show no evidence of addressing a specific vulnerability. Security documentation is enhanced through new OIDC/OAuth setup instructions, callback URI configuration, and trusted token issuer guidance.

Diff

diff --git a/quicksuite/latest/userguide/word-extension.md b/quicksuite/latest/userguide/word-extension.md
index 6a3533bf2..b8d461fc1 100644
--- a//quicksuite/latest/userguide/word-extension.md
+++ b//quicksuite/latest/userguide/word-extension.md
@@ -87 +87 @@ These default mappings ensure secure and accurate user identification across bot
-  * Add Microsoft Word extension access for accounts using IAM Identity Center and Entra ID
+  * Add Microsoft Word extension access for accounts using IAM Identity Center
@@ -98 +98 @@ These default mappings ensure secure and accurate user identification across bot
-### Add Microsoft Word extension access for accounts using IAM Identity Center and Entra ID
+### Add Microsoft Word extension access for accounts using IAM Identity Center
@@ -100 +100,5 @@ These default mappings ensure secure and accurate user identification across bot
-Follow these steps to set up and configure an Azure tenant on your Microsoft Azure portal:
+Configuring extension access with IAM Identity Center requires completing steps specific to your identity provider (Entra ID or Okta) followed by common setup steps in AWS.
+
+#### Configure IAM Identity Center with Entra ID
+
+Follow these steps only if you are using IAM Identity Center with Entra ID to set up and configure an Azure tenant on your Microsoft Azure portal:
@@ -147 +151 @@ Follow these steps to configure a Trusted Token Issuer on your IAM Identity Cent
-The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See [Trusted token issuer configuration settings](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html).
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
@@ -153,0 +158,72 @@ The issuer URL should be the OIDC discovery endpoint of your identity without th
+After completing these Entra ID-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Configure IAM Identity Center with Okta
+
+Follow these steps only if you are using IAM Identity Center with Okta to set up and configure your App Integration in the Okta Admin console:
+
+###### To set up an Okta Application
+
+  1. In your Okta account, create a new Okta App Integration.
+
+    1. In your Okta Admin console, navigate to **Applications** > **Applications**.
+
+    2. Click on **Create App Integration**.
+
+    3. For the Sign-in method, select **OIDC - OpenID Connect**.
+
+    4. For the Application type, select **Web Application**.
+
+    5. Click on **Next**.
+
+    6. Provide an App integration name.
+
+    7. Under **Grant type** > **Core grants** , ensure **Authorization Code** and **Refresh Token** are selected.
+
+    8. Under **Grant type** > **Advanced** > **Other grants** , ensure **Implicit (hybrid)** is selected.
+
+  2. Add callback URIs for each Region in which your Word extension will be installed
+
+    1. Compose a callback URI using the following format, replacing `your-region` with your Amazon Quick Suite instance Region for each region where you wish to configure the extension. The Word extension supports the following Regions: `ap-southeast-2`, `eu-west-1`, `us-west-2`, and `us-east-1`.
+        
+                qbs-cell001.dp.appintegrations.your-region.prod.plato.ai.aws.dev/auth/idc-tti/callback
+
+    2. Under **Sign-in redirect URIs** , click on **Add URI** and paste each of the URIs you generated from the previous step.
+
+  3. Provide your organization access to the app:
+
+    1. Under **Assignments** > **Controlled access** , select the groups in your organization that need to have access.
+
+    2. Under **Assignments** > **Enable immediate access** , select **Enable immediate access with Federation Broker Mode**.
+
+    3. Click on **Save**.
+
+  4. Note down the **Client ID** and **Client Secret** for the app integration you just created. You will need this in the next steps.
+
+
+
+
+###### To configure a Trusted Token Issuer
+
+  1. Go to your AWS account and navigate to your IAM Identity Center instance.
+
+  2. Navigate to **Settings** > **Authentication**.
+
+  3. Choose **Create trusted token issuer**.
+
+  4. Add the issuer URL, which should follow this template, where `yourOktaDomain` refers to the okta URL for your organization, which may look like `your-organization.okta.com`:
+    
+        https://{yourOktaDomain}/oauth2/default
+
+###### Note
+
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See Trusted token issuer configuration settings.
+
+  5. Choose **Email** as the Identity Provider attribute and IAM Identity Center attribute.
+
+
+
+
+After completing these Okta-specific steps, proceed to the Complete AWS Configuration (all providers) section below.
+
+#### Complete AWS Configuration (all providers)
+
@@ -181 +257 @@ Follow these steps to set up permissions on AWS Console:
-  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your Azure app registration by adding the following statement replacing `your-region` with the Region you chose when creating the Azure app registration:
+  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your identity provider app integration by adding the following statement replacing `your-region` with the Region you chose when creating your identity provider app integration:
@@ -276 +352 @@ Once created, this extension access configuration enables authors and other admi
-For your end users to begin using your Microsoft Word extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see [Installing your Microsoft Word extension in the Microsoft Word extension author guide](https://docs.aws.amazon.com/quicksuite/latest/userguide/word-extension-author-guide.html#add-extensions-word).
+For your end users to begin using your Microsoft Word extension, an admin or author must finish deploying a extension after you configure extension access. Notify your authors that they can view, edit, and complete installation of this extension under **Extensions** in the left navigation once it has been shared. To learn how to do this see Installing your Microsoft Word extension in the Microsoft Word extension author guide.