Okta

How to Configure SAML 2.0 for Amazon AppStream 2.0


Supported Features

The Okta/Amazon AppStream 2.0 SAML integration currently supports the following features:


Configuration Steps

Overview

Okta’s Amazon AppStream 2.0 integration lets end users authenticate to AWS AppStream 2.0 applications with SAML single sign-on. Okta admins can also set the duration of users’ authenticated sessions from Okta.


Configuring SAML 2.0 for Amazon AppStream 2.0 consists of the following three steps:


Step 1: Setting up Okta as your Identity Provider in AWS

To use SAML with AWS, you need to set up Okta as an identity provider in AWS and establish the SAML connection, as follows:

  1. Log in to your AWS Console, and select Services.

  2. Select IAM under Security, Identity & Compliance:

    appstream1.png

  3. Select Identity Providers from the left menu:

    appstream2.png

  4. Select Create Provider:

    appstream3.png

  5. On the Configure Provider page:

    • Provider Type: Select SAML from the dropdown.

    • Provider Name: Enter a user-friendly name.

    • Metadata Document: Copy and save the following as metadata.xml, then click Choose File and upload this file.

      Sign in to the Okta Admin app to have this variable generated for you.

    • Click Create.

    appstream4.png

  6. Locate the Identity Provider you just created by its Provider Name in the list of Identity Providers. Click the name, then copy and store the Provider ARN value as shown below. You will need it later in this configuration.

    appstream4a.png


Step 2: Setting up a SAML Role for Identity Provider Access

The next step is to create an IAM role that establishes a trust relationship between IAM and Okta, identifying Okta as a trusted entity for the purposes of federation. The role also defines which users authenticated by Okta are allowed to access an AppStream 2.0 stack.

  1. Select Roles from the list on the left, then select Create New Role at the top.

  2. Provide a friendly name for your role. For Role Type, select Role For Identity Provider Access, and then select Grant Web Single Sign-On (web SSO) access to SAML provider.

    Note: If you already have an existing role with the type Grant Web Single Sign-On (web SSO) access to SAML providers, you can modify it to work with the SAML provider you just created in the previous step.

  3. Verify the role trust policy. Then choose the permissions policy that federated users will inherit when using this role.

  4. Review your settings, and then select Create Role. You should be able to see the new role, as shown below:

    appstream5.png

    After you have created the role, you can limit the role to have permissions only to one or more AppStream 2.0 stacks by attaching an inline policy to the role.

    Refer to Amazon’s documentation for steps: http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms

  5. Copy the Role ARN and store it, as you will need it later during this configuration.

    appstream6.png


Step 3: Configure the Amazon AppStream 2.0 integration in Okta

Now that you have finished the required steps to be performed in the AWS console, open the Amazon AppStream 2.0 app integration configuration in Okta and perform the following steps:

  1. In Okta, go to the Sign On tab for the Amazon AppStream 2.0 app and click Edit. Enter the Role ARN and the Provider ARN values that you stored earlier in this configuration into the Role ARN and Idp ARN field, as comma-separated values.

    For example, if your Role ARN is arn:aws:iam::123456789012:role/okta-access-role and your IdP ARN is arn:aws:iam::123456789012:saml-provider/okta, enter (with no white space): arn:aws:iam::123456789012:role/okta-access-role,arn:aws:iam::123456789012:saml-provider/okta

    AWS_new_1a.png

  2. Set the user’s desired session duration in seconds in the Session Duration field.

  3. (Optional) If the AppStream 2.0 stack has a domain-joined fleet, select the AD user principal name for Application username format (otherwise leave as Okta username).

  4. The last step is to configure the Relay State parameter for the application. It must use the following format:

    https://relay-state-region-endpoint?stack={stackname}&accountId={aws-account-id-without-hyphens}

    For details, see Amazon’s documentation on How to Configure the Relay State for your Federation.

  5. Click Save.

  6. You are now ready to assign users to the application and test SAML.
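
The three values the steps above have you produce, checked in code. This is an added example, not Okta’s or AWS’s code: it validates the comma-separated Role ARN,IdP ARN pair from Step 3, emits the trust policy a web-SSO SAML role carries for Step 2 (the audience https://signin.aws.amazon.com/saml is the standard AWS sign-in audience for such policies), and composes the Step 3 relay state while confirming the accountId is the bare 12-digit account number and matches the role’s account. Every ARN, stack name and endpoint passed to these functions is the caller’s own input; none are taken from a live account.

```python
import re
from urllib.parse import urlencode

# Shape of the IAM ARNs this guide has you copy; the account id is always 12 digits.
ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):(?P<kind>role|saml-provider)/[\w+=.@/-]+$")

def _account_of(arn: str, kind: str) -> str:
    """Validate an IAM ARN of the given kind and return its 12-digit account id."""
    m = ARN_RE.match(arn)
    if not m or m.group("kind") != kind:
        raise ValueError(f"not a valid IAM {kind} ARN: {arn!r}")
    return m.group("account")

def okta_role_field(role_arn: str, idp_arn: str) -> str:
    """Value for Okta's 'Role ARN and Idp ARN' field (Step 3, item 1): 'RoleARN,IdPARN'
    with no whitespace.  Both must be in one account or AssumeRoleWithSAML cannot succeed."""
    role_arn, idp_arn = role_arn.strip(), idp_arn.strip()
    if _account_of(role_arn, "role") != _account_of(idp_arn, "saml-provider"):
        raise ValueError("role and SAML provider belong to different AWS accounts")
    return f"{role_arn},{idp_arn}"

def saml_role_trust_policy(idp_arn: str) -> dict:
    """Trust policy for the web-SSO role (Step 2, item 3): only the named provider may
    assume it, and only with assertions addressed to the AWS sign-in endpoint."""
    _account_of(idp_arn, "saml-provider")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": idp_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }

def relay_state(endpoint: str, stack: str, account_id: str, role_arn: str) -> str:
    """Relay state for Step 3, item 4: accountId is the bare 12-digit account number
    (hyphens stripped) and must match the account the role lives in."""
    account_id = account_id.replace("-", "")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("accountId must be the 12-digit AWS account number")
    if account_id != _account_of(role_arn, "role"):
        raise ValueError("relay state accountId does not match the Role ARN account")
    if not endpoint.startswith("https://"):
        raise ValueError("relay state endpoint must be https")
    return f"{endpoint}?{urlencode({'stack': stack, 'accountId': account_id})}"
```

Feed it the two ARNs from the guide’s own example and your region’s relay-state endpoint; a swapped ARN order, a cross-account pair or a hyphenated account id is rejected before it reaches the Okta form.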


Notes

The following SAML attributes are supported: