Desktop and Application Streaming

Enabling Federation with Azure AD Single Sign-On and Amazon AppStream 2.0

(Updated August 2020 by Jeremy Schiefer)

You can use single sign-on with Amazon AppStream 2.0 with many identity services that are compliant with Security Assertion Markup Language 2.0 (SAML 2.0). This post explains how to configure federated user access for Amazon AppStream 2.0 using Azure Active Directory Single Sign-On for Enterprise Apps.

Solution overview

This post shows configuring an SAML 2.0 federation, using Azure Single Sign-On, so users can access their assigned stacks via the MyApps portal and a direct link. The steps to proceed through this post are:

  1. Create an Azure AD Seamless SSO application
  2. Create the SAML identity provider (idP)
  3. Configure an IAM policy
  4. Create an IAM role
  5. Configure the Azure AD Seamless SSO application
  6. Add users and groups
  7. Assign an icon and verify your configuration

Prerequisites

This post assumes that you have the following:

  • An Azure AD membership
  • Familiarity with AppStream 2.0

Create an Azure AD Single Sign-On Application

  1. Open Azure AD, and in the navigation pane, choose Azure Active Directory, Enterprise applications.
  2. At the top of the Enterprise applications – All applications window, choose + New Application.
  3. In the Add your own app section, choose Non-gallery application.
  4. Name your application, for example, ExampleApp, and then choose Add.
  5. When the app is created, go to Manage, choose Single sign-on, and then set the Single Sign-on Mode to SAML.
  6. In the SAML Signing Certificate section, download the Federation Metadata XML file for your application. If there is no download link, create a certificate by clicking the pencil icon and New Certificate.

Create the SAML Identity provider

Next, create the SAML provider in the IAM console. You can also create it using the AWS Command Line Interface (AWS CLI). For more information, see the Setting Up SAML page in the AppStream 2.0 Developer Guide.

  1. In the IAM console, choose Identity providersCreate provider.
  2. On the Configure Provider page, for the Provider Type, choose SAML.
  3. For the Provider Name, type something meaningful to you, such as AzureSSO.
  4. Choose Choose File to upload the metadata document that you previously downloaded, and choose Next Step.
  5. Verify the provider information, and choose Create.
  6. Choose the identity provider (IdP) that you created to get the Amazon Resource Name (ARN) of the IdP. The ARN is required to configure claims rules later in this post.
  7. On the summary page, copy the value for the Provider ARN. The ARN is in the following format:

arn:aws:iam::AccountID:saml-provider/Provider Name

Configure an IAM Policy

Next, create a policy with permissions to the AppStream 2.0 stack. This makes sure that users have only the permission to stream applications from a specific stack.

1. In the IAM console, choose PoliciesCreate Policy, and choose to the JSON tab.

The following screenshot shows the policy that gives users permissions to an AppStream 2.0 stack, named ExampleStack. For more information, see the Setting Up SAML page in the AppStream 2.0 Admin Guide.

2. For Region Codes, use one of the following values based on the AWS Region your AppStream 2.0 stack is in.

3. After you’ve specified the policy, choose Review policy.

4. For the Policy Name, type a descriptive name, such as AppStream2_ExampleStack.

5. For the Description, type the level of permissions.

6. Choose Create Policy and you should see the following notification:

Create an IAM Role

Next, create the role that your Azure AD users assume when federating to AppStream 2.0.

  1. In the IAM console, choose Roles, Create role.
  2. For the trusted entity type, choose SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created earlier.
  4. Do not choose either of the two SAML 2.0 access level methods for AppStream 2.0.
  5. For the Attribute, choose SAML:aud and type https://signin.aws.amazon.com/saml
  6. Do not add any conditions.
  7. Choose Next, Permissions.
  8. Choose the IAM policy you created in the previous step, and choose Next, Tags.
  9. Add any optional tags. Choose Next: Review.
  10. Type a Role Name and Role Description that identifies the role, and choose Create Role.
  11. In the IAM console, in the navigation pane, choose Roles. Locate the role that you created, and choose it to open the role properties.
  12. Choose the Trust Relationships tab, and then choose Edit Trust Relationship.
  13. Under Trusted Entities, verify that the IdP that you created is listed.
  14. Copy the Role ARN. The ARN is required to configure claims rules later in this post. The ARN is in the following format:
    arn:aws:iam::AccountID:role/Role Name

Configure the Azure AD Seamless SSO Application

With the IAM Role created, we can now complete the setup in Azure.

  1. Open Azure AD, and in the navigation pane, choose Azure Active Directory, Enterprise applications.
  2. Choose the name of the Enterprise Application you created in the first step.
  3. Under Manage choose Single sign-on, SAML
  4. In the Basic SAML Configuration section click the pencil and set the following fields.

Identifier (Entity ID): URN:AMAZON:WEBSERVICES

This is the entity ID passed during the SAML exchange. Azure requires that this value be unique for each application. For additional AppStream 2.0 stacks, you can append a number to the string; for example, URN:AMAZON:WEBSERVICES2.

Reply URL: https://signin.aws.amazon.com/saml

Sign on URL: <Blank>

Relay State: The Relay State is unique to your account, AWS Region, and AppStream 2.0 stack. The format is https://relay-state-region-endoint?stack=stackname&accountId=aws-account-id-without-hyphens. For a list of AppStream 2.0 Relay State Region Endpoints at https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html

5.  In the User Attributes & Claims section click the pencil to edit.

      Under Required claim

Unique User Identifier (Name ID): This is the key that is used to identify your users in the SAML assertion. If you are planning to take advantage of a domain-joined fleet, make sure this matches the domain user name of the user. Generally user.mail or user.userprincipalname works.

Click + Add new claim and add the following claims.

SAML Token Attributes: By default, Azure populates several SAML attributes for a new application. These attributes are not needed for the federation to AppStream 2.0. You can remove them by choosing the three dots next to each, and choosing Delete.

After removing the default attributes, choose the Add attribute link, and then add the following.

NAME: Role

       NAMESPACE: https://aws.amazon.com/SAML/Attributes

      SOURCE: Attribute

      SOURCE ATTRIBUTE: This is the Role ARN discussed earlier in this post, followed by a comma and then the Provider ARN. For our Example stack, this would look like “arn:aws:iam::01234567890:role/ExampleStack,arn:aws:iam::01234567890:saml-provider/AzureSSO1”

 

NAME: RoleSessionName

NAMESPACE: https://aws.amazon.com/SAML/Attributes

       SOURCE: Attribute

       SOURCE ATTRIBUTE: SomeString

(Note: You can provide any string value in place of SomeString.)

 

NAME: SAML_SUBJECT

NAMESPACE: https://aws.amazon.com/SAML/Attributes

SOURCE: Attribute

SOURCE ATTRIBUTE: SomeOtherString

(Note: You can provide any string value in place of SomeOtherString.)

 

(Optional: If you intend to use the AppStream client, sessions will default to a 60 minute timeout. This setting will allow you to specify the duration)

NAME: SessionDuration

NAMESPACE: https://aws.amazon.com/SAML/Attributes

SOURCE: Attribute

SOURCE ATTRIBUTE: Enter the number of seconds the session should be valid for. This can be between 900 (15 minutes) and 43200 (12 Hours)

 

Add users and groups

  1. On the Enterprise Application menu, choose Users and groups, and on the next screen, choose the + Add user button.
  2. In the Add Assignment dialog box, choose Users and groups >.
  3. In the Users and groups dialog box, choose all of the users and groups you want to access your AppStream 2.0 stack.
  4. Choose the Select button, and then choose the Assign button.

Assign an icon and verify your configuration

  1. On the Enterprise Application menu, go to the Properties section.
  2. Choose a file to use as a logo and upload it using the text box.
  3. Note the User Access URL, which your users use to access the stack directly.
  4. Make sure that everything is working by opening separate browser or an Incognito or Private window in your current browser.
  5. Paste the User Access URL into the new browser and log in as a user assigned to the application.

That’s it! Your users are now able to access AppStream 2.0 through Azure AD Single Sign-On.