
Connect your Okta IdP


To connect Okta with your Kiro Profile, you need to:

  1. Create the OIDC Okta application
  2. Set up custom scopes for OIDC application
  3. Set up Kiro Profile
  4. Create the SCIM provisioning application
Important configuration requirement

To connect your Okta with Kiro, you have to verify ownership of your company domain by adding a TXT record in your DNS provider. This ensures that no unauthorized party can associate your domain with their own Kiro profile and intercept user sign-ins.

Why two applications

When using Okta, you need to create two applications: one OIDC application for user login, and one SCIM provisioning application (using the AWS IAM Identity Center integration from the Okta App Catalog) for synchronizing users and groups to Kiro.

Step 1: Create OIDC application

Create new app integration

In the Okta Admin Console, navigate to the Applications -> Applications section and select "Create App integration". Select "OIDC - OpenID Connect" for "Sign-in method", and "Native Application" as the Application type.


Provide a descriptive name for your application, for example Kiro-OIDC, and check the "Refresh Token" checkbox in the "Grant type" field. Leave the default values for all other fields.

First, add kiro://kiro.oauth/callback as a Sign-in redirect URI. This is one of the URIs that Kiro clients will listen to when Okta returns the user after they successfully sign in with Okta.

Next, add 10 additional entries as Sign-in redirect URIs in the following format: http://localhost:{port-number}/oauth/callback, where the port-number is one of the following port numbers - 3128, 4649, 6588, 8008, 9091, 49153, 50153, 51153, 52153 and 53153.

Example:


Ensure that "Skip group assignment for now" is selected and select "Save" to complete creating the application. This will show the details of the newly created application.


Add users and groups

Next, you will add the users and groups that will be part of the application. Select the "Assignments" tab. Select the "Assign" button and follow the instructions to add users and groups that should have access to Kiro.


You have completed creating the OIDC application.

Step 2: Set up custom scopes

Create Kiro specific scopes

Now that the OIDC application has been created, you have to set up the scopes to allow user identities to present the right authorization to access Kiro. You will set up two scopes - completions and conversations.

Scope authorization

  • codewhisperer:completions — Authorizes the user to access the inline code completion feature in Kiro.
  • codewhisperer:conversations — Authorizes the user to access the chat and conversation feature in Kiro.

Only grant the scopes that your organization requires. You should understand the impact of each scope when configuring access policies.

In the Okta Admin Console, navigate to the Security -> API section. In the "Authorization Servers" tab, select the "Add Authorization Server" button.


Enter a name and description for the Authorization Server.


Select "Save" to complete adding the server.


Select the "Scopes" tab and select the "Add Scope" button to add a scope that authorizes user identities to access a Kiro feature.

First, add a scope named codewhisperer:completions with "User consent" set to "Implicit". Leave all other fields at their defaults. Select "Create" to add the scope.


Follow the same steps to add a scope for codewhisperer:conversations.

Add access policies

Next, you have to add access policies and rules to the Authorization Server to control what Kiro can access through the Kiro OIDC application.

Select the "Access Policies" tab and select the "Add Policy" button.


Set a descriptive name for the policy and assign the policy to the Kiro OIDC application you created - Kiro-OIDC.


After the policy is created, select "Add rule" for the newly created policy.


Leave the default values for all the fields except for "Scopes requested". Select "The following scopes:" option and add the "codewhisperer:completions", "codewhisperer:conversations" and "offline_access" scopes. Select "Create rule" to complete adding the rule.

About offline_access

The offline_access scope allows Kiro to use refresh tokens to maintain user sessions without requiring users to re-authenticate each time their access token expires.


Lastly, test the configuration. Select the "Token Preview" tab. In the "OAuth/OIDC client" field select the OIDC application you created for Kiro (for example Kiro-OIDC), select "Authorization Code" as the "Grant type", and in the "Scopes" field select the two codewhisperer scopes and "offline_access". Select the "Preview Token" button. If the configuration is valid, the Payload section of the "Preview" panel contains an "iss" claim whose value is the Issuer URI of this authorization server, and the "scp" claim lists the three scopes you selected. If "iss" shows a different authorization server, or "scp" is missing a scope, revisit the access policy rule above before continuing.
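To run the same check outside the console, for instance on an access token obtained during a test sign-in, the following snippet decodes the token payload and reports whether "iss" matches the authorization server's Issuer URI and "scp" carries the three scopes. This is an added example and not Kiro or Okta code: the issuer value and the sample tokens are constructed, and the decoder deliberately skips signature verification because this is a configuration check, not an authentication step.

```python
"""Check an Okta access token's payload for the claims Kiro needs.

Added example, not Kiro's or Okta's code. The issuer and sample tokens
below are constructed; substitute the Issuer URI of your own Kiro
authorization server.
"""
import base64
import json

# Assumption for the example: the Issuer URI of the custom authorization
# server created for Kiro (not the org's "default" server).
EXPECTED_ISSUER = "https://example.okta.com/oauth2/aus0examplekiro"
REQUIRED_SCOPES = frozenset({
    "codewhisperer:completions",
    "codewhisperer:conversations",
    "offline_access",
})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    This mirrors what Okta's Token Preview tab shows. It is a configuration
    check only; never trust claims from an unverified token at runtime.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_issuer: str = EXPECTED_ISSUER,
                required_scopes: frozenset = REQUIRED_SCOPES) -> list:
    """Return a list of problems; an empty list means iss and scp are right."""
    claims = decode_payload(token)
    problems = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"iss is {iss!r}, expected {expected_issuer!r}: "
                        "the Kiro Profile's Issuer URI must point at the Kiro authorization server")

    # Okta places the granted scopes in the "scp" array claim of access tokens.
    granted = set(claims.get("scp") or [])
    missing = sorted(required_scopes - granted)
    if missing:
        problems.append("scp lacks " + ", ".join(missing) +
                        ": check the access policy rule's 'Scopes requested' list")
    if "offline_access" in missing:
        problems.append("without offline_access Okta issues no refresh token, "
                        "so the Kiro session ends when the access token expires")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg "none") to exercise the checker
    offline. Real Okta tokens are signed; this is test scaffolding only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens, not captured from any tenant.
GOOD_TOKEN = make_unsigned_token({
    "iss": EXPECTED_ISSUER, "sub": "user@example.com",
    "scp": ["codewhisperer:completions", "codewhisperer:conversations", "offline_access"],
})
# Issued by the org "default" server, and the rule did not grant offline_access.
BAD_TOKEN = make_unsigned_token({
    "iss": "https://example.okta.com/oauth2/default", "sub": "user@example.com",
    "scp": ["codewhisperer:completions", "codewhisperer:conversations"],
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_token(tok) or "OK")
```

Paste a real token in place of the constructed ones to check a live sign-in; the three messages for the bad sample are exactly the misconfigurations the Token Preview step is meant to surface.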


You have completed all the steps required to configure the applications in Okta. Now you can create the Kiro Profile and subscribe your users and groups.

Step 3: Set up Kiro Profile

Create Kiro Profile

In the Kiro console, select "Sign up for Kiro" and select "Set up application as Admin". Select the "Connect an existing external Identity provider" option.


From the Okta Admin Console, navigate to Security -> API section and select the Authorization Server that you created for Kiro.


Copy the Issuer URI value for the application you just set up and paste it in the Issuer URI field of the Kiro Profile.

In the Okta Admin Console, navigate to the Applications section, and open the OIDC application that you created for Kiro integration, for example Kiro-OIDC. Copy the Client ID value and paste it in the Client ID field of the Kiro Profile.


Select "Enable" to complete creating the Kiro Profile.

Add and verify domain

In the Kiro console, select the "Settings" button and in the Identity management -> Domains section, select "Add domain" to add your company domain.


Selecting "Add" will add the domain and show you a verification token. Copy the verification token. The domain added will show up in the Domains list with "Pending" status.

In your DNS provider, for example Amazon Route 53, create a TXT record for the domain containing that verification token.


If the configuration is valid, after a few minutes the status will be "Verified".
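Before waiting on the console, you can confirm that the record is already visible from a public resolver, which is what Kiro's check will see. The snippet below is an added example and not part of Kiro's documentation: it parses the output of "dig +short TXT", joining the quoted chunks dig prints for long records, and checks that one whole record equals the token. The record name, resolver and token are assumptions; use the name and token the Kiro console gave you.

```python
"""Confirm a domain-verification TXT record is visible in public DNS.

Added example, not Kiro's code. Parses `dig +short TXT` output; the record
name, resolver and token are assumptions for the example.
"""
import subprocess

# Constructed for the example: the real token comes from the Kiro console,
# and the record name is whatever the console told you to create.
RECORD_NAME = "example.com"
CONSTRUCTED_TOKEN = "example-verification-token-0123456789"


def _unquote_line(line: str) -> str:
    """Join the double-quoted strings on one `dig +short TXT` output line.

    A TXT record longer than 255 bytes comes back as several quoted chunks
    on one line ("abc" "def"); resolvers concatenate them, so do the same
    here and honour backslash escapes inside the quotes.
    """
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(line):
                out.append(line[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quotes = False
            else:
                out.append(ch)
        elif ch == '"':
            in_quotes = True
        i += 1
    return "".join(out)


def parse_txt_records(dig_output: str) -> list:
    """One entry per TXT record in the dig output; blank lines are skipped."""
    return [_unquote_line(l) for l in dig_output.splitlines() if l.strip()]


def txt_has_token(dig_output: str, token: str) -> bool:
    """True only when a whole record equals the token exactly.

    Exact comparison rather than substring: a token pasted with a stray
    prefix or trailing whitespace will never verify, and should fail here too.
    """
    return token in parse_txt_records(dig_output)


def lookup_txt(name: str, resolver: str = "8.8.8.8") -> str:
    """Query a public resolver so you see the propagated record, not an
    internal split-horizon view. Needs the BIND `dig` binary; not run offline."""
    return subprocess.run(["dig", "+short", "TXT", name, f"@{resolver}"],
                          capture_output=True, text=True, check=True).stdout


# Constructed dig output: an SPF record, the verification token, and a long
# record returned as two quoted chunks.
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.com -all"\n'
    f'"{CONSTRUCTED_TOKEN}"\n'
    '"part-one-" "part-two"\n'
)

if __name__ == "__main__":
    out = lookup_txt(RECORD_NAME)
    print("record visible" if txt_has_token(out, CONSTRUCTED_TOKEN)
          else "record not visible yet; check the name, the value and TTL")
```

If the record is visible here but the console still shows "Pending" after a few minutes, the value was most likely altered when it was pasted (extra quotes or whitespace), which the exact comparison above will also reject.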

Privacy consideration

Kiro does not allow a domain to be associated with more than one profile, regardless of verification status. This means a third party could attempt to add your domain to their own profile and, based on the rejection, infer that the domain is already associated with another Kiro profile. This does not grant them any access, but it does reveal that the domain has been onboarded to Kiro.

Add SCIM access token

In the Kiro console, navigate to Settings → Identity Management → Access Tokens and select "Generate Token" to create an access token for SCIM provisioning. Copy this token — you will need it when configuring the SCIM provisioning application in Step 4.

SCIM token security
  • The access token generated for SCIM provisioning is a long-lived credential. Treat it with the same care as a password.
  • SCIM tokens are not automatically rotated. You must manually rotate them according to your organization's credential rotation policy.
  • If a token is compromised, revoke it immediately using the revoke button in the Kiro admin console (Settings → Identity Management → Access Tokens), then generate a new token and update it in Okta's provisioning configuration.

Step 4: Create SCIM provisioning application

Create app integration

Next, you have to create the SCIM provisioning application and configure users and groups.

In the Okta Admin Console, navigate to the Applications -> Applications section and select "Browse App Catalog". Search for "AWS IAM Identity Center" and select "Add Integration".


This will add a new application with the "General Settings" tab open having "Application label" value of "AWS IAM Identity Center". You can choose to accept the default or change the label and select "Done".

Now you will see the details of the newly created application. In the "Sign On" tab, the SAML settings (ACS URL, Issuer URL) can be left as defaults — Kiro uses the OIDC app for login, not SAML.

Configure SCIM provisioning

Next, you have to configure provisioning. Select the "Provisioning" tab and then the "Integration" section. You will see a message that provisioning is not enabled. Select the "Configure API integration" button to start the provisioning process.

Check "Enable API integration". This will display additional fields to configure.

  • Set Base URL → paste the SCIM endpoint from Kiro console (Settings → Identity Management → SCIM Endpoint)
  • Set API Token → paste the access token from Kiro console (Settings → Identity Management → Access Tokens → Generate Token)
  • Select Test API Credentials — should show success
  • Select Save
  • Under the Provisioning tab → To App → Edit, enable:
    • Create Users
    • Update User Attributes
  • Select Save

Synchronizing Groups

If you want to push groups from Okta to Kiro, then follow these instructions.

Pre-requisite

Before adding groups, remove the two attributes - "department" and "employeeNumber". Select the "AWS IAM Identity Center" app that you created, and in the "Provisioning" tab, select "To App". Scroll down to the AWS IAM Identity Center Attribute Mappings section and remove the two attributes.


First, assign the groups to be synchronized. Select the "Assignments" tab and select the "Assign" button and choose "Assign to Groups" option. From the list of available groups, select "Assign" on each group you want synchronized and follow the steps.


Next, set up the synchronization of groups.

  • Select the Push Groups tab. Select the Push Groups button and choose the Find groups by name option.
  • Select the group(s) to push, and select Save.
  • Group status should show Active, if the configuration is correct.
Sync delay

If you add users to a group that already has a Kiro subscription, allow up to 24 hours for the new group membership to propagate. There may be a delay between the time a user is added to the group and the time their subscription becomes active in the Kiro subscription console.

You have now completed all the steps required to configure an application in Okta, connect the application with a Kiro Profile, and add users/groups to the Profile.

Subscribe your team to Kiro

Users can sign in after completing the steps above, but they will not be able to use Kiro models until you subscribe them. Follow the Subscribe your team to Kiro guide to activate subscriptions for your team members.

Security considerations

Session management

  • Kiro uses OIDC refresh tokens to maintain user sessions. When an access token expires, Kiro presents the refresh token to Okta to obtain a new one, so the session continues until the refresh token itself expires or Okta refuses to renew it.
  • You cannot force-revoke active user sessions from the Kiro console. To remove access, remove the user from the Okta application; access is revoked at the next token refresh attempt.
  • Removing a user from the Kiro OIDC application prevents that user from logging in (Applications → Kiro OIDC application → Assignments → select the x next to the user).

Redirect URI security

  • Add only the redirect URIs specified in this guide.
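One way to enforce this, and to confirm that Step 1 was completed exactly, is to audit the app object Okta returns and diff its redirect URIs against the eleven this guide prescribes; every extra URI is another place Okta will send authorization codes. The script below is an added example rather than Kiro's or Okta's code. It reads the JSON of a single app (as returned by the Okta Apps API) from standard input, or uses a constructed sample when run interactively. The field paths it relies on (settings.oauthClient.redirect_uris, grant_types and application_type) are assumptions to confirm against the Okta API reference for your tenant.

```python
"""Audit an Okta OIDC app's redirect URIs and grant types against this guide.

Added example, not Kiro's or Okta's code. The Okta app-object field paths
used below are assumptions; the sample app document is constructed.
"""
import json
import sys

KIRO_NATIVE_URI = "kiro://kiro.oauth/callback"
LOCALHOST_PORTS = (3128, 4649, 6588, 8008, 9091, 49153, 50153, 51153, 52153, 53153)


def expected_redirect_uris() -> set:
    """The exact set of Sign-in redirect URIs Step 1 prescribes (11 entries)."""
    return {KIRO_NATIVE_URI} | {
        f"http://localhost:{port}/oauth/callback" for port in LOCALHOST_PORTS
    }


def audit_app(app: dict) -> dict:
    """Compare one Okta app object with the guide's requirements.

    Assumed field paths: settings.oauthClient.redirect_uris,
    settings.oauthClient.grant_types, settings.oauthClient.application_type.
    """
    oauth = app.get("settings", {}).get("oauthClient", {})
    configured = set(oauth.get("redirect_uris", []))
    expected = expected_redirect_uris()
    grants = set(oauth.get("grant_types", []))
    return {
        "missing": sorted(expected - configured),
        # Any URI beyond the prescribed list widens where codes can be delivered.
        "unexpected": sorted(configured - expected),
        # Step 1 requires the Refresh Token grant for session continuity.
        "refresh_token_grant": "refresh_token" in grants,
        "native_app": oauth.get("application_type") == "native",
    }


def is_compliant(result: dict) -> bool:
    return (not result["missing"] and not result["unexpected"]
            and result["refresh_token_grant"] and result["native_app"])


# Constructed sample: the last prescribed port is missing and a non-guide
# localhost URI was added, which is exactly what an audit should flag.
SAMPLE_APP = {
    "label": "Kiro-OIDC",
    "settings": {"oauthClient": {
        "application_type": "native",
        "grant_types": ["authorization_code", "refresh_token"],
        "redirect_uris": [KIRO_NATIVE_URI, "http://localhost:8080/oauth/callback"]
        + [f"http://localhost:{p}/oauth/callback" for p in LOCALHOST_PORTS[:-1]],
    }},
}

if __name__ == "__main__":
    app = SAMPLE_APP if sys.stdin.isatty() else json.load(sys.stdin)
    result = audit_app(app)
    print(json.dumps(result, indent=2))
    sys.exit(0 if is_compliant(result) else 1)
```

Run it against the app JSON you export from Okta (for example via the Admin Console's API or your existing automation) and treat a non-zero exit as a configuration drift finding; the "unexpected" list is the one that matters for redirect URI security, while "missing" explains sign-in failures on specific Kiro clients.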

Profile deletion warning

If you delete a Kiro profile after provisioning and create a new profile with the same Okta application, group membership will not be synced. You must re-provision the application completely.

Preventing unauthorized access

  • To keep a user out of Kiro, do not assign that user directly to the Kiro application in Okta.
  • Verify the user is not a member of any group that is assigned to the Kiro application.
  • After creating a group-based subscription, review the Subscriptions tab in the Kiro console to confirm that no unintended users received a subscription.

Removing a user and deprovisioning behavior

  • Remove the user's assignment from your Kiro application in Okta. This blocks all future login attempts.
  • Existing sessions remain active until the next token refresh is attempted, at which point access is revoked. Active sessions are not immediately terminated.
  • Subscription removal is not automatic. After removing a user from the Okta application, you must also manually delete the user's subscription in the Kiro console to release the seat.

Group membership sync behavior

  • Kiro relies entirely on push-based SCIM sync from Okta. Kiro cannot request a pull from Okta.
  • Group membership changes are pushed to Kiro as they occur.

Troubleshooting

Missed step: User was not added to the OIDC app
  • How it manifests: User will not be able to log in
  • How to fix: Add the user in the OIDC application's Assignments tab
  • Notes: User must be in both the OIDC and the SCIM provisioning applications

Missed step: Did not enable provisioning to create users
  • How it manifests: Users are not synced to Kiro
  • How to fix: In the SCIM provisioning app, go to Provisioning > To App and enable "Create Users"
  • Notes: Also enable "Update User Attributes"
Page updated: April 14, 2026