Desktop and Application Streaming

Enabling Federation with Azure AD Single Sign-On and Amazon AppStream 2.0

You can use single sign-on with Amazon AppStream 2.0 and many identity services that are compliant with Security Assertion Markup Language 2.0 (SAML 2.0). This post explains how to configure federated user access to Amazon AppStream 2.0 using Azure Active Directory Single Sign-On for Enterprise Apps.

Solution overview

This post shows how to configure a SAML 2.0 federation using Azure Single Sign-On so that users can access their assigned stacks through the MyApps portal or a direct link. The steps in this post are:

  1. Create an Azure AD Seamless SSO application
  2. Create the SAML identity provider (IdP)
  3. Configure an IAM policy
  4. Create an IAM role
  5. Configure the Azure AD Seamless SSO application
  6. Add users and groups
  7. Assign an icon and verify your configuration

Prerequisites

This post assumes that you have the following:

  • An Azure AD membership
  • Familiarity with AppStream 2.0

Create an Azure AD Single Sign-On Application

  1. Open Azure AD, and in the navigation pane, choose Azure Active Directory, Enterprise applications.
  2. At the top of the Enterprise applications – All applications window, choose + New Application.
  3. In the Add your own app section, choose Non-gallery application.
  4. Name your application, for example, ExampleApp, and then choose Add.
  5. When the app is created, go to Manage, choose Single sign-on, and then set the Single Sign-on Mode to SAML-based Sign-on.
  6. On the bottom of the configuration page, download the metadata XML file for your application.

Create the SAML Identity provider

Next, create the SAML provider in the IAM console. You can also create it using the AWS Command Line Interface (AWS CLI). For more information, see the Setting Up SAML page in the AppStream 2.0 Developer Guide.

  1. In the IAM console, choose Identity providers, Create provider.
  2. On the Configure Provider page, for the Provider Type, choose SAML.
  3. For the Provider Name, type something meaningful to you, such as AzureSSO.
  4. Choose Choose File to upload the metadata document that you previously downloaded, and choose Next Step.
  5. Verify the provider information, and choose Create.
  6. Choose the identity provider (IdP) that you created to get the Amazon Resource Name (ARN) of the IdP. The ARN is required to configure claims rules later in this post.
  7. On the summary page, copy the value for the Provider ARN. The ARN is in the following format:

arn:aws:iam::AccountID:saml-provider/Provider Name

Configure an IAM Policy

Next, create a policy with permissions to the AppStream 2.0 stack. This makes sure that users have only the permission to stream applications from a specific stack.

1. In the IAM console, choose Policies, Create Policy, and then choose the JSON tab.

The following screenshot shows the policy that gives users permissions to an AppStream 2.0 stack named ExampleStack. For more information, see the Setting Up SAML page in the AppStream 2.0 Admin Guide.

2. For Region Codes, use one of the following values based on the AWS Region your AppStream 2.0 stack is in.

3. After you’ve specified the policy, choose Review policy.

4. For the Policy Name, type a descriptive name, such as AppStream2_ExampleStack.

5. For the Description, type the level of permissions.

6. For the Policy Document, customize the Region-Code, AccountID (without hyphens), and the case-sensitive Stack-Name values.

7. Choose Create Policy and you should see the following notification:
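The stack-streaming policy that this section customizes, generated and sanity-checked from its three placeholder values. This is an added example, not code from the post; it reproduces the policy shape from the AppStream 2.0 Setting Up SAML guide the post references, and the region, account ID and stack name below are constructed samples.

```python
"""Build the AppStream 2.0 stack policy (appstream:Stream on exactly one stack,
restricted to the federated user whose persistent SAML subject matches the
session's userId). Added example; sample values are constructed."""
import json
import re

# Constructed sample values; substitute your own Region-Code, AccountID, Stack-Name.
REGION_CODE = "us-east-1"
ACCOUNT_ID = "123456789012"       # 12 digits, no hyphens
STACK_NAME = "ExampleStack"       # case-sensitive


def stack_arn(region_code: str, account_id: str, stack_name: str) -> str:
    """Return the ARN of one AppStream 2.0 stack, rejecting the common typos first."""
    if not re.fullmatch(r"[a-z]{2}(-gov)?-[a-z]+-\d", region_code):
        raise ValueError(f"region code does not look like an AWS Region: {region_code!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be exactly 12 digits with no hyphens")
    if not stack_name:
        raise ValueError("stack name is required (it is case-sensitive)")
    return f"arn:aws:appstream:{region_code}:{account_id}:stack/{stack_name}"


def build_stream_policy(region_code: str, account_id: str, stack_name: str) -> dict:
    """Allow appstream:Stream on a single stack only; the condition ties the
    streaming session to the persistent SAML subject asserted by the IdP."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appstream:Stream",
                "Resource": stack_arn(region_code, account_id, stack_name),
                "Condition": {
                    "StringEquals": {
                        "appstream:userId": "${saml:sub}",
                        "saml:sub_type": "persistent",
                    }
                },
            }
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_stream_policy(REGION_CODE, ACCOUNT_ID, STACK_NAME), indent=2))
```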

Create an IAM Role

Next, create the role that your Azure AD users assume when federating to AppStream 2.0.

  1. In the IAM console, choose Roles, Create role.
  2. For the trusted entity type, choose SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created earlier.
  4. Do not choose either of the two SAML 2.0 access level methods for AppStream 2.0.
  5. For the Attribute, choose SAML:aud and type https://signin.aws.amazon.com/saml.
  6. Do not add any conditions.
  7. Choose Next, Permissions.
  8. Choose the IAM policy you created in the previous step, and choose Next, Review.
  9. Type a Role Name and Role Description that identifies the role, and choose Create Role.
  10. In the IAM console, in the navigation pane, choose Roles. Locate the role that you created, and choose it to open the role properties.
  11. Choose the Trust Relationships tab, and then choose Edit Trust Relationship.
  12. Under Trusted Entities, verify that the IdP that you created is listed.
  13. Under Conditions, verify that SAML:Aud with a value of https://signin.aws.amazon.com/saml appears.
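Steps 12 and 13 are a manual review of the role's trust policy; the check below does the same review over the policy document. This is an added example, not code from the post: the trust policy is a constructed sample in the shape the IAM console generates for a SAML 2.0 federation role, and PROVIDER_ARN is a placeholder.

```python
"""Verify a SAML federation role's trust policy: the only Federated principal is
the expected IdP, the only action is sts:AssumeRoleWithSAML, and SAML:aud is
pinned to the AWS sign-in URL. Added example with constructed sample data."""
import json

SIGNIN_AUDIENCE = "https://signin.aws.amazon.com/saml"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureSSO"  # placeholder

# Constructed sample trust policy document (what the console produces for the role).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUDIENCE}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(document: str, expected_provider_arn: str) -> list:
    """Return findings for every Allow statement; an empty list means the trust
    policy matches what the post's steps 12 and 13 expect to see."""
    problems = []
    for i, stmt in enumerate(_as_list(json.loads(document).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if federated != [expected_provider_arn]:
            problems.append(f"statement {i}: Federated principal is {federated}")
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRoleWithSAML"]:
            problems.append(f"statement {i}: unexpected actions {actions}")
        # Condition keys are case-insensitive in IAM (the post writes SAML:aud and SAML:Aud).
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud = next((v for k, v in cond.items() if k.lower() == "saml:aud"), None)
        if aud != SIGNIN_AUDIENCE:
            problems.append(f"statement {i}: SAML:aud is {aud!r}, expected {SIGNIN_AUDIENCE!r}")
    return problems


if __name__ == "__main__":
    print(trust_policy_problems(SAMPLE_TRUST_POLICY, PROVIDER_ARN) or "trust policy OK")
```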

Configure the Azure AD Seamless SSO Application

With the IAM Role created, we can now complete the setup in Azure.

  1. Note the AWS Role ARN and the AWS SSO Provider ARN, and then go back to the Application settings in the Azure console.
  2. Make sure that the Show advanced URL settings, View and edit all other user attributes, and Show advanced certificate signing settings check boxes are selected.

Identifier: URN:AMAZON:WEBSERVICES

This is the entity ID passed during the SAML exchange. Azure requires that this value be unique for each application. For additional AppStream 2.0 stacks, you can append a number to the string; for example, URN:AMAZON:WEBSERVICES2.

Reply URL: https://signin.aws.amazon.com/saml

Sign on URL: <Blank>

Relay State: The Relay State is unique to your account, AWS Region, and AppStream 2.0 stack. The format is https://relay-state-region-endpoint?stack=stackname&accountId=aws-account-id-without-hyphens. For a list of AppStream 2.0 Relay State Region Endpoints, see https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html

User Identifier: This is the key that is used to identify your users in the SAML assertion. If you are planning to take advantage of a domain-joined fleet, make sure this matches the domain user name of the user. Generally user.mail or user.userprincipalname works.

SAML Token Attributes: By default, Azure populates several SAML attributes for a new application. These attributes are not needed for the federation to AppStream 2.0. You can remove them by choosing the three dots next to each, and choosing Delete.

After removing the default attributes, choose the Add attribute link, and then add the following.

NAME: Role

VALUE: This is the Role ARN discussed earlier in this post, followed by a comma and then the Provider ARN. For our Example stack, this would look like “arn:aws:iam::01234567890:role/ExampleStack,arn:aws:iam::01234567890:saml-provider/AzureSSO1”

NAMESPACE: https://aws.amazon.com/SAML/Attributes

Repeat the same process for the following values.

NAME: RoleSessionName

VALUE: SomeString

NAMESPACE: https://aws.amazon.com/SAML/Attributes

NAME: SAML_SUBJECT

VALUE: SomeOtherString

NAMESPACE: https://aws.amazon.com/SAML/Attributes

Signing Option: Sign SAML assertion

Signing Algorithm: SHA-256

Save the configuration.
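Two of the values entered above are easy to get subtly wrong: the Role attribute (role ARN and provider ARN joined by a comma, in that order) and the Relay State (case-sensitive stack name, account ID without hyphens). This added example, not code from the post, validates the Role value and builds the Relay State; the region endpoint host is passed in because it depends on the AWS Region, and the sample values are constructed.

```python
"""Check the Azure AD 'Role' attribute value and build the AppStream 2.0 Relay State.
Added example; ARN formats follow the post, sample values are constructed."""
import re
from urllib.parse import urlencode

# IAM ARN for a role or a SAML provider in this account (comma excluded from the
# name class because the Role attribute uses the comma as its separator).
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@-]+)$")


def parse_role_attribute(value: str) -> tuple:
    """Split 'RoleARN,ProviderARN' and check both halves; returns (role_arn, provider_arn).
    Raises ValueError for the mistakes that make AWS reject the assertion."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("Role attribute must be exactly 'RoleARN,ProviderARN'")
    role_arn, provider_arn = (p.strip() for p in parts)
    role = ARN_RE.match(role_arn)
    provider = ARN_RE.match(provider_arn)
    if not role or role.group(2) != "role":
        raise ValueError(f"first value is not a role ARN: {role_arn!r}")
    if not provider or provider.group(2) != "saml-provider":
        raise ValueError(f"second value is not a saml-provider ARN: {provider_arn!r}")
    if role.group(1) != provider.group(1):
        raise ValueError("role and provider ARNs belong to different AWS accounts")
    return role_arn, provider_arn


def build_relay_state(region_endpoint: str, stack_name: str, account_id: str) -> str:
    """Relay State of the form https://<region endpoint>?stack=<name>&accountId=<id>.
    region_endpoint is the Region's relay-state endpoint (host and path) from the
    AppStream 2.0 documentation; the stack name is kept exactly as given."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("accountId must be 12 digits without hyphens")
    if not stack_name:
        raise ValueError("stack name is required")
    endpoint = region_endpoint.removeprefix("https://").rstrip("/")
    return f"https://{endpoint}?" + urlencode({"stack": stack_name, "accountId": account_id})


if __name__ == "__main__":
    # Constructed sample values, with a placeholder endpoint.
    print(parse_role_attribute("arn:aws:iam::123456789012:role/ExampleStack,"
                               "arn:aws:iam::123456789012:saml-provider/AzureSSO1"))
    print(build_relay_state("relay-state-endpoint.example/saml", "ExampleStack", "123456789012"))
```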

Add users and groups

  1. On the Enterprise Application menu, choose Users and groups, and on the next screen, choose the + Add user button.
  2. In the Add Assignment dialog box, choose Users and groups >.
  3. In the Users and groups dialog box, choose all of the users and groups you want to access your AppStream 2.0 stack.
  4. Choose the Select button, and then choose the Assign button.

Assign an icon and verify your configuration

  1. On the Enterprise Application menu, go to the Properties section.
  2. Choose a file to use as a logo and upload it using the text box.
  3. Note the User Access URL, which your users use to access the stack directly.
  4. Make sure that everything is working by opening a separate browser, or an Incognito or Private window in your current browser.
  5. Paste the User Access URL into the new browser and log in as a user assigned to the application.

That’s it! Your users are now able to access AppStream 2.0 through Azure AD Single Sign-On.