Posted On: Jan 7, 2022

Starting today, you can control access to specific applications within your Amazon AppStream 2.0 stacks based on SAML 2.0 attribute assertions. In addition, your SAML 2.0 federated user identities can access multiple AppStream 2.0 stacks from a single SAML 2.0 service provider (SP) application. Previously, each stack required a separate service provider application configured in your SAML 2.0 identity provider (IdP). These features will allow you to streamline access control to your AppStream stacks and reduce the number of fleets and images that need to be maintained due to application access restrictions. For example, from a single SAML 2.0 SP application in your IdP relaying to a single AppStream 2.0 stack, you can entitle users belonging to one group to one set of applications, and another group to a different set of applications.

Application entitlements work by matching a supported SAML 2.0 attribute name, such as roles, groups, title, or cost center, to a value when a SAML 2.0 user identity federates to an Amazon AppStream 2.0 service provider application. If the entitlement evaluates to true (that is, the assertion carries the attribute name with the expected value), the user is entitled to one or more applications in the stack.

To get started with Amazon AppStream 2.0 application entitlements, launch the new AppStream 2.0 console experience to manage your AppStream 2.0 stacks. View details on a stack, and configure an application entitlement with a name and description. Define the attribute name and value pair for your entitlement to be true. Then, configure application settings in your stack to entitle all applications, or selected applications. Review your settings and create your entitlement. You can repeat the process and create additional entitlements for different attribute name and value pairs. Finally, using your SAML 2.0 IdP, configure your AppStream 2.0 SAML service provider application relay state URL and attribute mappings to send the attribute and value defined in your entitlement for authorized users. When users federate and are redirected to the AppStream 2.0 application portal, they will be presented with only the stacks and applications that they are entitled to. To learn more, see Manage Application Entitlements in the Amazon AppStream 2.0 Administration Guide.
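The matching rule described above (an entitlement is true when the asserted attribute name carries the expected value, and then grants either all applications in the stack or only the associated ones) can be modelled offline. The following is an added example written for this page, not AWS code and not the AppStream service's own evaluation logic: it parses a constructed SAML 2.0 assertion, extracts the attributes, and applies a list of entitlements shaped like the console fields (name, attribute name/value pair, "all" or "selected" applications). The `PrincipalTag:` attribute-name prefix, exact case-sensitive matching, and multi-valued attributes are assumptions of the example, not statements from the page; the entitlement names, application names, and assertion contents are constructed.

```python
"""Evaluate AppStream-style application entitlements against SAML attributes.

Added example for illustration; the data shapes mirror the console fields
described in the announcement, not the AppStream service itself.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the IdP sends entitlement attributes as PrincipalTag attributes.
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"


@dataclass
class Entitlement:
    name: str
    attribute_name: str          # e.g. "roles", "title", "costCenter"
    attribute_value: str         # exact value the assertion must carry
    app_visibility: str          # "ALL" or "ASSOCIATED" (selected apps)
    applications: list[str] = field(default_factory=list)


def parse_saml_attributes(assertion_xml: str) -> dict[str, set[str]]:
    """Return {short attribute name: {values}} for PrincipalTag attributes.

    Other attributes (e.g. the Role attribute) are ignored; multi-valued
    attributes are kept as a set so any one value can satisfy an entitlement.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, set[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        full_name = attr.get("Name", "")
        if not full_name.startswith(TAG_PREFIX):
            continue
        short = full_name[len(TAG_PREFIX):]
        values = {v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text}
        attrs.setdefault(short, set()).update(values)
    return attrs


def entitled_applications(attrs: dict[str, set[str]],
                          entitlements: list[Entitlement],
                          stack_apps: list[str]) -> list[str]:
    """Union of applications granted by every entitlement that evaluates true.

    A user with no matching entitlement gets an empty list, i.e. no
    applications from this stack are shown in the application portal.
    """
    granted: set[str] = set()
    for ent in entitlements:
        if ent.attribute_value in attrs.get(ent.attribute_name, set()):
            if ent.app_visibility == "ALL":
                granted.update(stack_apps)
            else:
                granted.update(a for a in ent.applications if a in stack_apps)
    return sorted(granted)


# Constructed stack and entitlements (names are made up for the example).
STACK_APPS = ["Office", "Photoshop", "SAP-GUI"]
ENTITLEMENTS = [
    Entitlement("finance", "costCenter", "1234", "ASSOCIATED", ["Office", "SAP-GUI"]),
    Entitlement("designers", "roles", "Design", "ASSOCIATED", ["Office", "Photoshop"]),
    Entitlement("admins", "roles", "AppStreamAdmin", "ALL"),
]

# Constructed assertion fragment for a user in the Design role.
ASSERTION_DESIGNER = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/AppStreamUsers,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:roles">
      <saml:AttributeValue>Design</saml:AttributeValue>
      <saml:AttributeValue>Contractor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:costCenter">
      <saml:AttributeValue>9999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed assertion for a user whose IdP sends no entitlement attributes.
ASSERTION_NO_TAGS = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/AppStreamUsers,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def apps_for(assertion_xml: str) -> list[str]:
    return entitled_applications(parse_saml_attributes(assertion_xml), ENTITLEMENTS, STACK_APPS)


if __name__ == "__main__":
    print("designer:", apps_for(ASSERTION_DESIGNER))   # ['Office', 'Photoshop']
    print("no tags: ", apps_for(ASSERTION_NO_TAGS))    # []
```

Two points worth noticing when reviewing an IdP configuration against this model: the attribute name and value must match exactly (a group renamed on the IdP side silently drops the entitlement), and a user who matches several entitlements sees the union of their applications, so a broad "ALL" entitlement overrides any narrower one for that user.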

Application entitlements are available when using SAML 2.0 federation to AppStream 2.0 stacks. You can create application entitlements in all AWS Regions where AppStream 2.0 is offered, at no additional charge. AppStream 2.0 offers pay-as-you-go pricing. Please see Amazon AppStream 2.0 Pricing for more information, and try our sample applications.