Desktop and Application Streaming

Enable federation with JumpCloud SSO and Amazon AppStream 2.0

Amazon AppStream 2.0 supports identity federation to AppStream 2.0 stacks through Security Assertion Markup Language 2.0 (SAML 2.0). This feature offers your users the convenience of access to their AppStream 2.0 applications using their existing identity credentials. You also have the security benefit of identity authentication by your IdP. By using your IdP, you can control which users have access to a particular AppStream 2.0 stack.

In this blog, I explain how to configure federated user access for Amazon AppStream 2.0 using JumpCloud SSO.

Solution Overview

This blog walks you through configuring a SAML 2.0 federation using JumpCloud SSO. Your users can access their assigned applications via the JumpCloud Applications console, or via a direct application URL. The steps to proceed through this blog are:

  • Create a JumpCloud SSO Application.
  • Create a SAML Identity Provider in IAM.
  • Configure an IAM policy.
  • Create an IAM role.
  • Configure the JumpCloud SSO Application.
  • Add user groups.
  • Test the configuration.

Walkthrough

Prerequisites

  • JumpCloud Account
  • An existing non-domain joined AppStream 2.0 Stack and Fleet
  • Familiarity with AppStream 2.0

Create a JumpCloud SSO Application

Your users will use JumpCloud to authenticate to your AppStream 2.0 resources.

  1. Log on to your JumpCloud console at https://console.jumpcloud.com/.
  2. Browse to User Authentication, and then choose SSO.
  3. Choose the Plus icon to add an application.
  4. In the search box, search for Amazon AppStream, then choose Configure.
  5. Type a name in the Display Label field. This name is what the user sees in their applications console.
  6. Upload a custom logo, if desired.
  7. Select the SSO tab and update the Default RelayState to the RelayState for your account. It follows this syntax https://appstream2.YOUR_REGION.aws.amazon.com/saml?stack=STACK_NAME&accountId=ACCOUNT_ID
    Review the external identity provider’s relay state guide for more information.
  8. Customize the IdP Entity ID, or keep it as the default. This must match in AWS when you create the SSO IdP. For this example, use JumpCloud2.
  9. JumpCloud requires you to select a unique IdP URL for every SSO application you create. If this application is your first AppStream 2.0 application setup within JumpCloud, keep the IdP URL as the default of https://sso.jumpcloud.com/saml2/amazaonappstream. You can’t use the same URL twice. Note: once configured, you can’t change the value.
  10. Keep the remaining settings as default, and choose activate.
  11. Select the new application within the SSO console.
  12. Expand the Single Sign-On Configuration section. Under JumpCloud Metadata, choose Export Metadata. Save the file to your machine; you need it in the next section.

Create the SAML Identity Provider

Create the SAML provider in the IAM console. You can also create it using the AWS Command Line Interface (AWS CLI). For more information, see the Setting Up SAML page in the AppStream 2.0 Developer Guide.

  1. In the IAM console, choose Identity providers->Create provider.
  2. On the Configure Provider page, for the Provider Type, choose SAML.
  3. For the Provider Name, match the IdP provider name you used in the preceding step 8. In this example, use JumpCloud2.
  4. Choose Choose File to upload the metadata document that you downloaded when completing the previous section. Choose Next Step.
  5. Verify the information you entered, and choose Add provider.
  6. Choose the identity provider (IdP) that you created to get the Amazon Resource Name (ARN) of the IdP. The ARN is required in a following step in the walkthrough.
    1. The ARN is in the following format arn:aws:iam::AccountID:saml-provider/Provider Name
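Before uploading the exported metadata in step 4, it is worth checking that it carries what IAM needs and that its entityID is the value you intend to use as the provider name (the post says the two must match). The following script is an added example and is not part of the original post or of JumpCloud's tooling; the metadata document embedded in it is constructed for illustration, with a placeholder certificate value rather than a real key, and the entityID JumpCloud2 and the IdP URL are the values the post uses.

```python
"""Inspect an exported SAML IdP metadata document before uploading it to IAM.

Added example (not from the original post). Assumptions: the metadata is a
standard SAML 2.0 EntityDescriptor, as exported from the JumpCloud SSO console
via "Export Metadata"; SAMPLE_METADATA below is a constructed stand-in.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like IdP metadata; the X509Certificate content is
# the base64 of the string "PLACEHOLDER_CERT", not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="JumpCloud2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVJfQ0VSVA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.jumpcloud.com/saml2/amazaonappstream"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text: str) -> dict:
    """Return the entityID, SSO endpoints by binding, and the number of
    signing certificates found in an IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Reject a certificate element whose body is not well-formed base64.
            base64.b64decode((cert.text or "").strip(), validate=True)
            signing_certs += 1

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": signing_certs}


def check_metadata(xml_text: str, expected_entity_id: str) -> list:
    """Return a list of problems; an empty list means the document is ready to upload."""
    info = inspect_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID {info['entity_id']!r} != provider name {expected_entity_id!r}")
    if info["signing_certs"] == 0:
        problems.append("no signing certificate; IAM cannot validate assertions")
    if not any(loc.startswith("https://") for loc in info["sso"].values()):
        problems.append("no HTTPS SingleSignOnService endpoint")
    return problems


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    print(check_metadata(SAMPLE_METADATA, "JumpCloud2") or "metadata looks ready to upload")
```

To check a real export, read the downloaded file into `check_metadata` with the provider name you plan to enter in the IAM console; any string it returns is a reason to go back to the JumpCloud application settings before creating the provider.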

Configure an IAM Policy

Create a policy with permissions to the AppStream 2.0 stack. This makes sure that users have only the permission to stream applications from a specific stack.

  1. In the IAM console, choose Policies, Create Policy, and then choose the JSON tab.

The following code block shows the policy that gives users permissions to an AppStream 2.0 stack, named ExampleStack. For more information, see the Setting Up SAML page in the AppStream 2.0 Admin Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": [
                "arn:aws:appstream:us-east-1:01234567890:stack/ExampleStack"
            ],
            "Condition": {
                "StringEquals": {
                    "appstream:userId": "${saml:sub}"
                }
            }
        }
    ]
}

  2. For Region Codes, use one of the following values based on the AWS Region your AppStream 2.0 stack is in.
  3. After you’ve entered the policy, choose Review policy.
  4. For the Policy Name, type a descriptive name, such as AppStream2_ExampleStack.
  5. For the Description, enter details about the use and permission level.
  6. Choose Create Policy.

Create an IAM Role

Create an IAM role that your JumpCloud users will assume when federating to AppStream 2.0 resources.

  1. In the IAM console, choose Roles->Create role.
  2. For the trusted entity type, select SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created.
  4. Keep the access level methods for AppStream 2.0 unselected.
  5. For the Attribute, choose SAML:aud and type https://signin.aws.amazon.com/saml
  6. Choose Next, Permissions.
  7. Select the IAM policy you created in the previous step, and choose Next, Tags.
  8. Add any optional tags. Choose Next: Review.
  9. Type a Role Name and Role Description that identifies the role, and choose Create Role.
  10. In the IAM console, in the navigation pane, choose Roles. Locate the role that you created, and choose it to open the role properties.
  11. Choose the Trust Relationships tab.
  12. Under Trusted Entities, verify that the IdP that you created is listed.
  13. Copy the Role ARN. The ARN is required to configure claims rules in a following step. The ARN is in the following format:
    arn:aws:iam::AccountID:role/Role Name

Configure the JumpCloud Application

Make the final configuration changes on the JumpCloud Application.

  1. Open your JumpCloud console.
  2. Open the custom application you created.
  3. Expand the Single Sign-On Configuration section.
  4. Scroll to the Constant Attributes section. Edit the value for the https://aws.amazon.com/SAML/Attributes/Role attribute.
    1. Replace the value with the role ARN from the Create an IAM Role step, followed by a comma, and then the identity provider ARN. For our example stack, this is arn:aws:iam::01234567890:role/ExampleStack,arn:aws:iam::01234567890:saml-provider/JumpCloud2
  5. Optionally, update the Session Duration constant attribute. This value is the duration of a session, in seconds, and can be between 900 (15 minutes) and 43200 (12 hours).
  6. Select Save.
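The policy, trust relationship, Role attribute value and RelayState built in the preceding sections are all derived from the same handful of values (region, account ID, stack name, provider name), and the usual configuration mistakes are a mismatched account ID between the two ARNs in the Role attribute or an out-of-range session duration. The following script is an added example, not code from the original post or from AWS: it generates those documents from the post's example values and refuses the inputs the post rules out. The trust policy it emits is the JSON equivalent of the console's "SAML 2.0 federation" choice with the SAML:aud condition from the Create an IAM Role section; the SessionDuration attribute name is AWS's standard attribute name, which the post refers to only as "Session Duration".

```python
"""Build and sanity-check the IAM and JumpCloud values used in this walkthrough.

Added example (not from the original post). Assumptions: the example values
from the post (region us-east-1, account 01234567890, stack ExampleStack,
provider JumpCloud2). The JSON documents can be written to files and passed
to `aws iam create-policy --policy-document file://...` and
`aws iam create-role --assume-role-policy-document file://...`.
"""
import json
import re

# Matches an IAM role or saml-provider ARN and captures account, type and name.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):(role|saml-provider)/([\w+=,.@/-]+)$")


def stream_policy(region: str, account_id: str, stack_name: str) -> dict:
    """Permission policy: appstream:Stream on one stack, limited to sessions
    whose userId equals the federated user's own SAML subject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": [f"arn:aws:appstream:{region}:{account_id}:stack/{stack_name}"],
            "Condition": {"StringEquals": {"appstream:userId": "${saml:sub}"}},
        }],
    }


def trust_policy(provider_arn: str) -> dict:
    """Role trust policy: only the named SAML provider may assume the role,
    and only for assertions addressed to the AWS sign-in audience."""
    arn = IAM_ARN_RE.match(provider_arn)
    if not arn or arn.group(2) != "saml-provider":
        raise ValueError(f"not a saml-provider ARN: {provider_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def role_attribute(role_arn: str, provider_arn: str) -> str:
    """Value for the https://aws.amazon.com/SAML/Attributes/Role constant
    attribute: role ARN, comma, provider ARN, both in the same account."""
    role = IAM_ARN_RE.match(role_arn)
    prov = IAM_ARN_RE.match(provider_arn)
    if not role or role.group(2) != "role":
        raise ValueError(f"not a role ARN: {role_arn}")
    if not prov or prov.group(2) != "saml-provider":
        raise ValueError(f"not a saml-provider ARN: {provider_arn}")
    if role.group(1) != prov.group(1):
        raise ValueError("role and provider ARNs must belong to the same account")
    return f"{role_arn},{provider_arn}"


def session_duration(seconds: int) -> str:
    """Value for https://aws.amazon.com/SAML/Attributes/SessionDuration;
    the post gives the allowed range as 900 s (15 min) to 43200 s (12 h)."""
    if not 900 <= seconds <= 43200:
        raise ValueError("session duration must be between 900 and 43200 seconds")
    return str(seconds)


def relay_state(region: str, stack_name: str, account_id: str) -> str:
    """Default RelayState URL in the syntax the post gives for the JumpCloud app."""
    return (f"https://appstream2.{region}.aws.amazon.com/saml"
            f"?stack={stack_name}&accountId={account_id}")


if __name__ == "__main__":
    acct, region, stack, prov = "01234567890", "us-east-1", "ExampleStack", "JumpCloud2"
    prov_arn = f"arn:aws:iam::{acct}:saml-provider/{prov}"
    role_arn = f"arn:aws:iam::{acct}:role/{stack}"
    print(json.dumps(stream_policy(region, acct, stack), indent=2))
    print(json.dumps(trust_policy(prov_arn), indent=2))
    print(role_attribute(role_arn, prov_arn))
    print(session_duration(3600))
    print(relay_state(region, stack, acct))
```

The account-ID check in `role_attribute` is the one worth keeping: an attribute value that pairs a role in one account with a provider ARN from another is syntactically fine but will be rejected at sign-in, and the resulting error message does not point at the mismatch.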

Add User Groups

Add the application to the appropriate User Group so users can access the application. Create a custom user group for your application.

  1. In the JumpCloud Console, choose User Management->User Groups.
  2. Select the + icon to create a new user group.
  3. Specify a group name and description. In this example, use AppStream2.0.
  4. On the Users tab, select the users to add to the group. These are the users that will have access to the application.
  5. On the Applications tab, select the new application you created.
  6. Choose Save.

Test Configuration

You can test using the JumpCloud Console, or by using a direct URL.

JumpCloud Console Testing

  1. As a user assigned to the application, browse to the JumpCloud Console at https://console.jumpcloud.com/ and log in.
  2. Choose the application you created.
  3. Select the application to run.

Direct URL Testing

  1. Log on to the JumpCloud Console as an administrator and select SSO from the left navigation pane. Select the application, and then select the SSO tab. The direct application URL is listed under “IDP URL:”.
  2. Provide the direct application URL to a user assigned to the application.
  3. Confirm that the user is authenticated into AppStream 2.0 after logging in to JumpCloud.

Cleaning up

To avoid incurring future charges, perform the following steps:

  1. In the AppStream 2.0 Console, choose the Fleets tab, select the fleet, choose Actions, and then Stop.
  2. In the IAM Console, find the IAM role you created, select the role, and choose Delete.
  3. Proceed to the Policies section. Locate the policy you created. Select the policy and choose Policy actions, and then Delete.
  4. In the Identity providers tab, select the identity provider you created and choose Delete.
  5. In the JumpCloud Console, delete the application you created.

Conclusion

In this post, I walked you through setting up JumpCloud as your SAML provider for AppStream 2.0. Your users are now able to access AppStream 2.0 through JumpCloud Single Sign-On.