Posted On: Nov 18, 2022

Starting today, you can use certificate-based authentication with Amazon WorkSpaces SAML 2.0 integration to remove the logon prompt for the Active Directory domain password.

By using certificate-based authentication, you can rely on the security and logon experience features of your SAML 2.0 identity provider, such as passwordless authentication, to access WorkSpaces. Certificate-based authentication with WorkSpaces enables a single sign-on logon experience to access domain-joined desktop sessions without separate password prompts for Active Directory.

WorkSpaces certificate-based authentication integrates with AWS Private Certificate Authority (AWS Private CA) to automatically issue short-lived certificates when users sign in to their sessions. AWS Private CA is a highly available, pay-as-you-go private CA service without the upfront investment and ongoing maintenance costs of operating your own public key infrastructure (PKI) in the cloud. When you configure your private CA as a third-party root CA in Active Directory, or as a subordinate to your Active Directory Certificate Services enterprise CA, WorkSpaces with AWS Private CA can enable rapid deployment of end-user certificates that seamlessly authenticate users.

There are no additional WorkSpaces charges for using certificate-based authentication. AWS Private CA now offers separate pricing for short-lived certificate use cases, which can help lower the monthly cost of the CA and the price per certificate. See AWS Private CA Pricing for more information, or review the announcement for AWS Private CA short-lived certificate usage mode. Certificate-based authentication is available in all AWS Regions where WorkSpaces and AWS Private CA are offered. Learn more about how to get started with WorkSpaces certificate-based authentication by visiting the WorkSpaces Administration Guide.