Desktop and Application Streaming

Enabling federation with Entra single sign-on and Amazon AppStream 2.0

This post was updated in August 2020 by Jeremy Schiefer and July 2024 by Michael Spence. Entra ID was previously named Azure AD.

You can use single sign-on with Amazon AppStream 2.0 with many identity services that are compliant with SAML 2.0. This post explains how to configure federated user access for AppStream 2.0 using Microsoft Entra single sign-on (SSO) for Enterprise applications.

Solution overview

This post illustrates configuring a SAML 2.0 federation, using Entra ID single sign-on, so users can access their assigned applications via the My Apps portal or a direct link. The steps to proceed through this post are:

  1. Create an Entra ID Enterprise application using seamless SSO.
  2. Create the SAML identity provider (IdP).
  3. Configure an IAM policy.
  4. Create an IAM role.
  5. Configure the Entra ID SSO application.
  6. Add users and groups.
  7. Assign an icon and verify your configuration.

Prerequisites

This post assumes that you have the following:

  • An Entra user account with the Cloud Application Administrator or Application Administrator role.
  • Familiarity with AppStream 2.0

Create an Entra ID single sign-on Enterprise application

  1. Open the Azure portal navigation pane, choose or search for Enterprise applications.
  2. At the top of the Enterprise applications | All applications window, choose + New application.
  3. In the Browse Microsoft Entra Gallery section, select + Create your own application.
  4. Name your application, for example, ExampleApp, select Integrate any other application you don’t find in the gallery (Non-gallery) and select Create.
  5. When the application is created, go to Manage, and select Single sign-on.
  6. In the Select a single sign-on method section, select SAML.
  7. In the SAML Certificates section (Figure 1), download the Federation Metadata XML file for your application. If there is no download link, create a certificate by selecting the pencil icon and New Certificate. If there is a certificate with a status of Active, select the drop-down menu and select, Download federated certificate XML.
Screenshot of SAML Certificates.

Figure 1 – SAML Certificates.

Create the SAML Identity provider

Next, create the SAML provider in the AWS Identity and Access Management (IAM) console. You can also create it using the AWS Command Line Interface (AWS CLI). For more information, see Setting Up SAML.

  1. In the IAM console, choose Identity providers, and select Add provider.
  2. On the Configure Provider page, for the Provider Type, choose SAML.
  3. For the Provider Name, enter something meaningful to you, such as EntraSSO.
  4. In the Metadata document, select Choose file and upload the metadata document that you previously downloaded, and select Add provider.
  5. Choose the identity provider (IdP) that you created to get the Amazon Resource Name (ARN) of the IdP. The ARN is required to configure claims rules later in this post.

On the summary page, copy the value for the provider ARN. In commercial AWS Regions, the ARN is in the following format: arn:aws:iam::account-id:saml-provider/provider-name. In AWS GovCloud (US) Regions, the ARN is in the following format: arn:aws-us-gov:iam::account-id:saml-provider/provider-name.

Configure an IAM Policy

Next, create a policy with permissions to stream the AppStream 2.0 stack. This makes sure that users have only the permission to stream applications from a specific stack.

  1. In the IAM console, choose PoliciesCreate Policy, and select JSON. Figure 2 shows the policy that gives users permissions to an AppStream 2.0 stack, named ExampleStack.
Screenshot of IAM policy.

Figure 2 – IAM policy.

  1. For Region Codes, use one of the following values based on the AWS Region your AppStream 2.0 stack is in.
  2. After you’ve specified the policy, choose Review policy.
  3. For the Policy Name, enter a descriptive name, such as AppStream2_ExampleStack.
  4. For the Description, enter the level of permissions.
  5. Choose Create Policy and you should see the notification as shown in Figure 3.
Screenshot showing successful creation of an IAM policy.

Figure 3 – IAM policy successful creation.

Create an IAM Role

Next, create the role that your Entra ID users assume when federating to AppStream 2.0.

  1. In the IAM console, choose Roles, Create role.
  2. For the trusted entity type, choose SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created earlier.
  4. Do not choose either of the two SAML access level methods for AppStream 2.0.
  5. For the Attribute, choose SAML:aud and enter https://signin.aws.amazon.com/saml.
  6. Do not add any conditions.
  7. Choose Next, Permissions.
  8. Choose the IAM policy you created in the previous step, and choose Next, Tags.
  9. Add any optional tags. Choose Next: Review.
  10. Enter a Role Name and Role Description that identifies the role, and choose Create Role.
  11. In the IAM console, in the navigation pane, choose Roles. Locate the role that you created, and choose it to open the role properties.
  12. Choose the Trust Relationships tab, and then choose Edit Trust Relationship.
  13. Under Trusted Entities, verify that the IdP that you created is listed.
  14. Copy the Role ARN. The ARN is required to configure claims rules later in this post. In commercial AWS Regions, the ARN is in the following format: arn:aws:iam::account-id:role/role-name. In AWS GovCloud (US) Regions, the ARN is in the following format: arn:aws-us-gov:iam::account-id:role/role-name.

Configure the Entra ID SSO Application

With the IAM role created, you can now complete the setup in the Azure portal.

  1. Open the Azure portal, and in the navigation pane, choose or search for Enterprise applications.
  2. Choose the name of the Enterprise application you created in the first step.
  3. Under Manage choose Single sign-on, SAML-based Sign-on.
  4. In the Basic SAML Configuration section click the pencil and set the following fields:
    1. Identifier (Entity ID): urn:amazon:webservices. This is the entity ID passed during the SAML exchange. Azure requires that this value be unique for each application. For additional AppStream 2.0 stacks, you can append a number to the string; for example, urn:amazon:webservices2.
    2. Reply URL: https://signin.aws.amazon.com/saml.
    3. Sign on URL: <Blank>
    4. Relay State: The Relay State is unique to your account, AWS Region, and AppStream 2.0 stack. The format is https://relay-state-region-endpoint?accountId=aws-account-id-without-hyphens&stack=stack-name. For a list of AppStream 2.0 relay state region endpoints, see Step 6: Configure the Relay State of Your Federation.
  5. In the Attributes & Claims section select the pencil to edit. Under Required claim – Claim name, select Unique User Identifier (Name ID) . This is the key that is used to identify your users in the SAML assertion. If you are planning to take advantage of a domain-joined fleet, make sure this matches the domain username of the user. Generally user.mail or user.userprincipalname works.
  6. Remove Additional claims. By default, Azure populates several SAML attributes for a new application. These attributes are not needed for the federation to AppStream 2.0. You can remove them by choosing the three dots next to each and choosing Delete.
  7. After removing the default attributes, add the following claims. select + Add new claim and add the following claims:
    Name Namespace Source Source attribute
    Role https://aws.amazon.com/SAML/Attributes Attribute This is the role ARN discussed earlier in this post, followed by a comma and then the provider ARN. For the example stack, this would be the following: arn:aws:iam::01234567890:role/ExampleStack,arn:aws:iam::01234567890:saml-provider/EntraSSO.
    RoleSessionName https://aws.amazon.com/SAML/Attributes Attribute SomeString. Note: you can provide any string value in place of SomeString.
    SAML_SUBJECT https://aws.amazon.com/SAML/Attributes Attribute SomeString. Note: you can provide any string value in place of SomeString.
    SessionDuration https://aws.amazon.com/SAML/Attributes Attribute Enter the number of seconds the session should be valid for. This can be between 900 (15 minutes) and 43200 (12 hours).

Add users and groups

  1. On the Enterprise application menu for the new application, choose Manage and then Users and groups, and on the next screen, choose the + Add user/group button.
  2. In the Add Assignment dialog box, choose Users and groups.
  3. In the Users and groups dialog box, select all of the users and groups you want to access your AppStream 2.0 stack.
  4. Choose the Select button, and then select the Assign button.

Assign an icon and verify your configuration

  1. On the Enterprise application menu, go to the Properties section.
  2. Choose a file to use as a logo and upload it using the text box.
  3. Note the User access URL, which your users use to access the stack directly.
  4. Make sure that everything is working by opening a separate browser or an Incognito or Private window in your current browser.
  5. Paste the User access URL into the new browser and log in as a user assigned to the application.

That’s it! Your users are now able to access AppStream 2.0 through Azure AD Single Sign-On.

Jeremy Schiefer Jeremy Schiefer is a Principal Security SA with Amazon Web Services. He is a member of the End User Computing community and has authored several blogs and workshops. Jeremy is passionate about security, 3D printing, and Internet of things (IoT).
Michael Spence Michael is a Senior Solutions Architect based out of Tennessee. He has extensive experience in enterprise cloud migrations. He is currently working with AWS partners in the WWPS focused on migrations. He has a Master of Science degree in Software Engineering from East Tenn. State University and believes in the quote: “The most damaging phrase in the language is ‘We’ve always done it this way’.” – Adm. Grace Hopper