Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0
925 stars 263 forks

Handle regional SAML ACS URLs #418

Closed epierce closed 1 year ago

epierce commented 1 year ago

Description

For multi-region failover, Okta may send region-specific ACS URLs instead of https://signin.aws.amazon.com/saml. Handle that case and use the same region for the STS endpoint.

Related Issue

#413

Motivation and Context

The standard SAML sign-in endpoint (https://signin.aws.amazon.com) points at US-East-1 and does not have any type of regional failover if US-East-1 fails. Amazon currently has no plans to make this endpoint failover automatically between regions, so everyone has to handle regional failures by manually pointing Okta to a working region when US-East-1 is not available. Details here: https://aws.amazon.com/blogs/apn/improve-the-availability-of-existing-okta-iam-federation-setup-using-multi-region-saml-endpoints

How Has This Been Tested?

Types of changes

Checklist:
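An added example (not part of this PR or of gimme-aws-creds itself) of the mapping the description asks for: derive the region from the ACS URL Okta is posting to, refuse hosts that are not AWS sign-in endpoints, and pick the STS endpoint in that same region. It assumes regional endpoints have the form https://<region>.signin.aws.amazon.com/saml as described in the AWS blog post linked above; the function names are mine, and where the ACS URL is read from (the SAML form's action) is not shown.

```python
import re
from urllib.parse import urlparse

# Global endpoint Okta normally posts to; it is served from us-east-1.
GLOBAL_ACS_HOST = "signin.aws.amazon.com"
GLOBAL_REGION = "us-east-1"
# Regional endpoints are "<region>.signin.aws.amazon.com" (assumed form, per
# the AWS multi-region SAML endpoint blog post linked in the PR).
REGIONAL_HOST_RE = re.compile(
    r"^(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)\.signin\.aws\.amazon\.com$"
)


def region_from_acs_url(acs_url: str) -> str:
    """Region implied by the ACS URL Okta sent; ValueError for anything that
    is not an https AWS sign-in endpoint, so look-alike hosts are refused."""
    parsed = urlparse(acs_url)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or parsed.path != "/saml":
        raise ValueError(f"unexpected ACS URL: {acs_url}")
    if host == GLOBAL_ACS_HOST:
        return GLOBAL_REGION
    match = REGIONAL_HOST_RE.match(host)
    if match is None:
        raise ValueError(f"ACS host is not an AWS sign-in endpoint: {host}")
    return match.group("region")


def is_aws_acs_url(acs_url: str) -> bool:
    """True if region_from_acs_url accepts the URL."""
    try:
        region_from_acs_url(acs_url)
        return True
    except ValueError:
        return False


def sts_endpoint_for(region: str) -> str:
    """STS endpoint in the same region as the ACS URL, so a failover to a
    working region is not undone by exchanging the assertion in us-east-1."""
    return f"https://sts.{region}.amazonaws.com"


def sts_client_for(acs_url: str):
    """boto3 STS client pinned to the ACS region (needs boto3 and network)."""
    import boto3  # lazy import: the parsing above stays dependency-free
    region = region_from_acs_url(acs_url)
    return boto3.client("sts", region_name=region,
                        endpoint_url=sts_endpoint_for(region))
```

Feeding it the constructed URL https://us-west-2.signin.aws.amazon.com/saml yields us-west-2 and https://sts.us-west-2.amazonaws.com, while a host such as signin.aws.amazon.com.evil.example is rejected before any assertion is posted.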