> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Set up an Okta AWS Federation connector > C1 provides identity governance and just-in-time provisioning for Okta for AWS federation. Integrate your Okta instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access. **This connector integrates with Okta for AWS federation through Okta groups.** It's useful for organizations that use the SAML to AWS app config in Okta, wherein Okta mints a SAML cert with correct group memberships to drive IAM roles for the federated user. ## Capabilities | Resource | Sync | Provision | | :-------------------------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ | | Accounts | | | | Groups assigned to the AWS app | | | | Application assignments for the AWS app | | | ## Gather Okta credentials Configuring the connector requires you to pass in credentials generated in Okta. Gather these credentials before you move on. ### API token permissions and C1 capabilities C1's capabilities depend on the permissions of the API token used to set up the connector: | C1 capability | Custom read-only token | Read-only + app admin + group admin token | Super admin token | | | :------------------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ | :------------------------------------------------------------ | - | | Review group membership | | | | | | Provision group membership | | | | | | Review application assignment | | | | | | Provision application assignment | | | | | | Review admin roles | | | | | Instead of generating a new API token, you can use an existing API token generated with **Super Admin** or a combination of **Read Only/App Admin/Group Admin** privileges. To learn more about Okta roles, visit [https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm](https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm) ### (Optional) Create a custom read-only admin role To give the C1 integration limited read-only admin permissions, you'll need to create a custom Okta admin role and resource set and assign them to the admin you'll use to generate the API key. In Okta, log in to the Admin Dashboards and navigate to **Security** > **Administrators** > **Roles**. Click **Create new role**. Give the new role a name and description, such as "C1 integration read-only admin". Give the role the **View roles, resources, and admin assignments** permission (this is found in the **Identity and access management permissions** section). Click **Save role**. Next, navigate to **Security** > **Administrators** > **Resources**. Click **Create new resource set**. Give the new resource set a name and description, such as "Read-only admin for C1 integration". Click **Add resources**. Find the **Identity and access management** resource type and select **View roles, resources, and admin assignments**. Click **Save selection**, then click **Create**. The resource set is now shown on the **Resources** tab. Now we'll assign the resource set to an admin. (If you need to do so, make a service account following the instructions below, then return to finish this process.) Click **Edit** on the new resource set and select **View or edit assignments**. In the **Complete the assignment** section of the page, select the role and resource set you just created. Click **Save changes**. Now you can skip ahead to the instructions to create an API token. ### (Optional) Create a service account for the API token If desired, you can create a service account user in Okta that has the permissions for the API token. Navigate to **Directory > People** and click **Add person**. Enter the necessary user details to create a user. You might want to use identifiers that make it easily recognizable as a service account, such as First Name: ReadOnly, Last Name: ServiceUser. Set the **Password** for the account and carefully save it somewhere secure. Click **Save**. At this point, if you've created a custom read-only role, stop here and return to the instructions above. If you're using a standard Okta admin role, continue on. Navigate to **Security > Administrator** and click **Add administrator**. Enter the email address for your newly created Service Account to select the user. Select the administrator roles to grant: Super Administrator or a combination of Read Only + Application Admin + Group Admin. Click **Add Administrator**. ### Create an API token When **creating** an API token, Okta assigns the permissions of the *currently logged-in user* to the token. If, for example, you wish to use a Read Only Admin-scoped API token, you must log in to Okta as a user with the Read Only Admin role assigned. Log into Okta with the account you'll use to generate the API token. The account must have **Super Administrator,** the custom read-only role you created above, or a combination of **Read Only/App Admin/Group Admin** privileges. The permissions on the API token affects what features and functionality are available from C1. Before you begin, review the chart in [API permissions and C1 capabilities](/baton/okta#api-token-permissions-and-conductorone-capabilities) to make sure you're creating a token with the right permissions for your needs. In the Okta console, navigate to **Security** > **API** and click **Tokens**. Click **Create Token**. Give your token a name, such as **C1**, and click **Create Token**. Copy and save the new API token. **Done.** Next, move on to the connector configuration instructions. ## Configure the Okta AWS Federation connector To complete this task, you'll need: * The **Connector Administrator** or **Super Administrator** role in C1 * Access to the set of Okta credentials generated by following the instructions above **Follow these instructions to use a built-in, no-code connector hosted by C1.** In C1, navigate to **Integrations** > **Connectors** and click **Add connector**. Search for **Okta AWS Federation** and click **Add**. Choose how to set up the new Okta AWS Federation connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. Find the **Settings** area of the page and click **Edit**. Enter your Okta domain (the URL of your Okta instance is `.okta.com`) into the **Okta domain** field. Paste your API token into the **API token** field. Enter your AWS Okta app ID in the **AWS Okta app ID** field. **Optional.** If desired, click the checkbox to **Allow group to direct assignment conversion for provisioning**. When this setting is enabled, when AWS roles are requested directly and the user is assigned to the AWS app in Okta via group membership, C1 will convert the user assignment to a direct assignment. Click **Save**. Finally, set an Okta connector as the source of identities for this connector. This significantly improves the connector's performance. In the **Shared identity source** area of the page, click **Edit**. Select the Okta connector from which you want to pull identities. Click **Save**. The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing. **Done.** Your Okta AWS Federation connector is now pulling access data into C1. **Follow these instructions to use a connector, hosted and run in your own environment.** *Self-hosted connector not currently available.*