Monitoring Okta Health with AWS Canary: A Step-by-Step Guide

Okta is a leading identity provider, enabling organizations to manage secure user access to applications and devices. For organizations that rely on Okta, downtime or performance degradation has a significant impact. That’s where AWS Canaries, a feature of Amazon CloudWatch Synthetics, come into play: a canary is an automated script that runs on a schedule to test and monitor the health and performance of a service such as Okta.

In this blog, we’ll explore how to set up AWS Canary to monitor the availability and response time of Okta login functionality, detect issues early, and ensure a smooth experience for end-users.


Why Use AWS Canary for Okta Monitoring?

With AWS Canaries, you can simulate user behavior on your Okta instance by making synthetic API calls. This is particularly useful for:

  • Monitoring Availability: Ensuring Okta’s login services are accessible.

  • Detecting Latency: Measuring response times for Okta endpoints to detect slowdowns.

  • Early Issue Detection: Alerting teams to potential issues before they impact end-users.


Prerequisites

  • AWS Account: Access to AWS CloudWatch and AWS CloudWatch Synthetics.

  • Okta Developer Account: Access to Okta API, ideally with a test user.

  • IAM Role for Canary: Permissions for AWS Canary to perform necessary actions in your AWS account.


Step 1: Setting Up the AWS Canary Role

To get started, create an IAM role with the necessary permissions to run AWS Canaries. This role will need access to AWS CloudWatch, CloudWatch Logs, and S3 (for storing Canary artifacts).

  1. Navigate to IAM in the AWS Console.

  2. Create a new role for AWS services.

  3. Select CloudWatch Synthetics as the service that will use this role.

  4. Attach the following permissions:

    • CloudWatchSyntheticsFullAccess

    • CloudWatchLogsFullAccess

    • AmazonS3FullAccess


Step 2: Configuring an S3 Bucket for Canary Artifacts

AWS Canaries store logs, screenshots, and other artifacts in S3. Set up an S3 bucket to hold these artifacts.

  1. Go to S3 in your AWS Console.

  2. Create a new bucket with a name like okta-monitoring-canary-logs.

  3. Configure permissions to allow the CloudWatch Canary role access to this bucket.


Step 3: Create the AWS Canary

  1. Go to CloudWatch Synthetics in your AWS Console.

  2. Click on Create Canary.

  3. Name the Canary something descriptive, like OktaLoginCheck.

  4. Choose a Canary Blueprint:

    • Select Heartbeat monitoring. This is the best choice for simple HTTP GET requests or authentication requests.

  5. Set the Script:

    • Customize the blueprint with a Node.js script that tests the Okta login API endpoint.

Here's an example script for checking Okta's /api/v1/authn endpoint:

const synthetics = require('Synthetics');
const log = require('SyntheticsLogger');

const oktaCanary = async function () {
    // The Okta domain and the test user's credentials are read from the canary's
    // environment variables (see "Environment Variables" below) instead of being
    // hard-coded in the script. The variable names used here are this script's own choice.
    const oktaDomain = process.env.OKTA_DOMAIN;            // e.g. YOUR_OKTA_DOMAIN
    const payload = JSON.stringify({
        "username": process.env.OKTA_TEST_USERNAME,
        "password": process.env.OKTA_TEST_PASSWORD
    });

    // executeHttpStep takes http.request-style options; the POST body goes in requestOptions.body.
    const requestOptions = {
        hostname: oktaDomain,
        method: 'POST',
        path: '/api/v1/authn',
        port: 443,
        protocol: 'https:',
        headers: {
            'Content-Type': 'application/json',
            'Accept': 'application/json'
        },
        body: payload
    };

    // The validation callback receives the HTTP response. Throwing here fails the step,
    // and with it the canary run, which is what drives the alarm in Step 4.
    const validateResponse = async function (res) {
        if (res.statusCode !== 200) {
            throw new Error(`Failed to authenticate user - Status code: ${res.statusCode}`);
        }
        log.info("Login request successful");
    };

    await synthetics.executeHttpStep('Okta Login Check', requestOptions, validateResponse);
};

exports.handler = async () => {
    return await oktaCanary();
};
  6. Environment Variables:

    • Supply the test username and password from AWS Secrets Manager or as encrypted environment variables rather than hard-coding them in the script; they are sensitive data.

  7. Specify the Schedule:

    • Choose a frequency based on how often you want the Canary to check Okta’s status. For critical applications, 5 minutes is ideal.

  8. Specify Data Retention:

    • Set up data retention for the Canary results. Keeping data for at least 30 days is recommended to analyze trends over time.

  9. Review and Create:

    • Review the settings and click Create Canary.

Step 4: Setting Up Alerts

After your Canary is created, set up CloudWatch Alarms to notify your team of any failures.

  1. Go to CloudWatch Alarms.

  2. Click Create Alarm.

  3. Select the Canary Metrics you want to monitor, such as Failed or SuccessPercentage.

  4. Configure thresholds for triggering the alarm. For instance:

    • Trigger an alarm if the success rate falls below 95%.
  5. Set up notifications by selecting an SNS topic or email to alert your team.
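The console steps above produce a CloudWatch alarm; the same alarm written out as the PutMetricAlarm input makes the choices explicit, including one the console defaults hide: how missing data is treated. If the canary stops running altogether (role broken, schedule disabled, Lambda failing to start), its success metric simply has no datapoints, and with the default setting the alarm stays in OK. The following is an added example, not code from the original post. The canary publishes to the CloudWatchSynthetics namespace with a CanaryName dimension, and the metric is named SuccessPercent there. The canary name, the SNS topic ARN with its account id, the thresholds and the simplified evaluation model are assumptions for this example.

```javascript
// Added example: the Step 4 alarm as a PutMetricAlarm input, plus a simplified simulation
// of how CloudWatch evaluates it over a series of SuccessPercent datapoints.

function buildSuccessPercentAlarm({ canaryName, snsTopicArn, threshold = 95, evaluationPeriods = 2, periodSeconds = 300 }) {
  return {
    AlarmName: `${canaryName}-success-rate`,
    AlarmDescription: `Okta login canary ${canaryName} success rate below ${threshold}%`,
    Namespace: 'CloudWatchSynthetics',
    MetricName: 'SuccessPercent',
    Dimensions: [{ Name: 'CanaryName', Value: canaryName }],
    Statistic: 'Average',
    Period: periodSeconds,              // matches a 5-minute canary schedule
    EvaluationPeriods: evaluationPeriods,
    DatapointsToAlarm: evaluationPeriods, // require every evaluated period to breach
    Threshold: threshold,
    ComparisonOperator: 'LessThanThreshold',
    // A canary that is not running publishes nothing. The default ('missing') leaves the
    // alarm in OK, which silently hides a dead canary; 'breaching' pages you instead.
    TreatMissingData: 'breaching',
    AlarmActions: [snsTopicArn],
  };
}

// Whether one datapoint breaches the alarm's comparison against its threshold.
function breaches(value, alarm) {
  switch (alarm.ComparisonOperator) {
    case 'LessThanThreshold': return value < alarm.Threshold;
    case 'LessThanOrEqualToThreshold': return value <= alarm.Threshold;
    case 'GreaterThanThreshold': return value > alarm.Threshold;
    case 'GreaterThanOrEqualToThreshold': return value >= alarm.Threshold;
    default: throw new Error(`unsupported ComparisonOperator ${alarm.ComparisonOperator}`);
  }
}

// Simplified evaluation model (an assumption of this example, not CloudWatch's exact
// algorithm): look at the last EvaluationPeriods entries, where null means "no datapoint
// published in that period", and return 'ALARM' when at least DatapointsToAlarm of them breach.
function evaluateAlarm(datapoints, alarm) {
  const window = datapoints.slice(-alarm.EvaluationPeriods);
  const breachingCount = window.filter((dp) => {
    if (dp === null || dp === undefined) return alarm.TreatMissingData === 'breaching';
    return breaches(dp, alarm);
  }).length;
  return breachingCount >= alarm.DatapointsToAlarm ? 'ALARM' : 'OK';
}

// Constructed sample: a healthy canary, then an Okta outage, then the canary itself dying.
const OKTA_ALARM = buildSuccessPercentAlarm({
  canaryName: 'OktaLoginCheck',
  snsTopicArn: 'arn:aws:sns:us-east-1:123456789012:okta-alerts', // placeholder account id
});
const SAMPLE_SERIES = {
  healthy: [100, 100, 100, 100],
  outage: [100, 100, 0, 0],
  deadCanary: [100, 100, null, null],
};
```

Run evaluateAlarm over SAMPLE_SERIES.deadCanary with OKTA_ALARM and then with the same alarm and TreatMissingData set to 'notBreaching' to see the difference: the first returns ALARM, the second OK, even though in both cases nobody is checking Okta any more. A second alarm on the Failed metric, or on the canary's own Lambda errors, is the usual belt-and-braces companion.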


Step 5: Testing the Canary

  1. Once your Canary is live, manually trigger it by selecting Run Canary.

  2. Verify the logs in CloudWatch Logs and check the S3 bucket for any artifacts or screenshots.

  3. Ensure your alarms trigger correctly if the Canary encounters failures.


Step 6: Analyze and Optimize

  • Analyze Latency Trends: CloudWatch allows you to monitor response time metrics and trends, which can help identify latency issues.

  • Error Insights: Look at failure patterns in the logs. For example, if authentication fails frequently, investigate any network issues or API rate limits.

  • Fine-Tune Canary Schedule: Based on usage patterns and criticality, adjust the frequency of your canary runs.


Conclusion

AWS Canary provides a robust, automated way to monitor the health of your Okta services. By continuously simulating user logins and tracking response times, you can gain insights into Okta’s performance and quickly detect issues, helping maintain a secure and reliable authentication experience for your users. Leveraging these insights enables proactive issue resolution and strengthens the reliability of your identity and access management infrastructure.

Happy monitoring!

Written by

Praveen Kumar Bharti

With 14+ years in IT and hands-on experience in infrastructure management, shell scripting, Python, Ansible, and Terraform, I bring a holistic approach to DevOps and automation. Passionate about cloud infrastructure and DevOps, I enjoy sharing insights on efficient workflows, automation, and data-driven solutions. Let’s connect and dive into the world of data and tech automation!