Desktop and Application Streaming

Enabling identity federation with Duo Single Sign-On and Amazon AppStream 2.0

Amazon AppStream 2.0 supports identity federation to AppStream 2.0 stacks through Security Assertion Markup Language 2.0 (SAML 2.0). This blog provides guidance on how to configure Duo Single Sign-On as an identity provider for AppStream 2.0.

If you don’t have an identity provider, you can use AWS Single Sign-On. Review the AppStream 2.0 administration guide for how to configure AWS SSO and the other third-party SAML 2.0 identity provider solutions that AppStream 2.0 supports.

Overview of the Solution

This post shows how to configure Duo Single Sign-On with Amazon AppStream 2.0 so users can access their assigned stacks and applications. The steps in this post are:

  1. Create Duo SAML 2.0 application and download the metadata
  2. Create the SAML 2.0 identity provider (IdP)
  3. Configure an AWS Identity and Access Management (IAM) policy
  4. Create an IAM role
  5. Configure a Duo application
  6. Add the SAML application to Duo Central
  7. Test the application
  8. Use attribute-based application entitlement (optional)

Walkthrough

This walkthrough will guide you through the steps needed to authenticate to an Amazon AppStream 2.0 stack with Duo Single Sign-On.

Prerequisites

This post assumes you have the following:

Step 1: Create Duo SAML 2.0 application and download the metadata

In this step, create a generic Duo application for AppStream 2.0 and download its metadata, which you will use in a later step.

  1. Sign in to the Duo Admin Account console.
  2. On the left panel, navigate to Applications.
  3. Select Protect an Application.
  4. Search for Custom to find Generic Service Provider and select Protect.
  5. In the Downloads section, choose Download XML. Save the metadata file.

Step 2: Create the SAML 2.0 identity provider (IdP)

Next, create an identity provider in the AWS Management console using the metadata from step 1.

  1. Navigate to the IAM console.
  2. Choose Identity providers in the navigation pane.
  3. Choose Add provider.
  4. For the Provider type, choose SAML.
  5. For the Provider name, type something meaningful to you, such as ProviderName.
  6. Choose Choose file and select the metadata document that you downloaded in step 1.
  7. Choose Add provider.
  8. Select the created provider from the list.
  9. On the summary page, copy the value for the Provider ARN. The ARN is in the following format: arn:aws:iam::AccountID:saml-provider/ProviderName

Step 3: Configure an AWS Identity and Access Management (IAM) policy

Next, create a policy with permissions to the AppStream 2.0 stack. This ensures that users have permission to stream applications only from a specific stack.

  1. In the IAM console, choose Policies, then Create Policy.
  2. Choose the JSON tab.
  3. Replace the contents of the sample policy with the following code.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appstream:Stream",
                "Resource": "arn:aws:appstream:<region_code>:<account_id>:stack/<stack_name>",
                "Condition": {
                    "StringEquals": {
                        "appstream:userId": "${saml:sub}"
                    }
                }
            }
        ]
    }
    
  4. Update the policy with the following changes:
    • Replace <region_code> with your Region code. Use one of the following values based on the AWS Region your AppStream 2.0 stack is in.
    • Replace <account_id> with your account ID without spaces or dashes.
    • Replace <stack_name> with your case-sensitive AppStream 2.0 stack name.

For more information, see the Setting Up SAML page in the AppStream 2.0 Admin Guide.

  5. After you’ve specified the policy, choose Next: Tags.
  6. Add any optional tags. Choose Next: Review.
  7. For the Name, enter a descriptive name, such as AppStream2_ExampleStack.
  8. For the Description, enter an optional description.
  9. Choose Create policy. You should see a notification that the policy has been created.

Step 4: Create an IAM role

Next, create the role that your Duo users assume when federating to AppStream 2.0.

  1. In the IAM console, choose Roles then Create role.
  2. For the Trusted entity type, choose SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created earlier.
  4. Do not choose either of the two SAML 2.0 access level methods for AppStream 2.0.
  5. For the Attribute, choose SAML:aud, and for the Value, enter https://signin.aws.amazon.com/saml.
  6. Do not add any conditions.
  7. Choose Next.
  8. Select the box next to the IAM policy you created in Step 3. Choose Next.
  9. Enter a Role Name and Role Description that identifies the role, and choose Create Role.
  10. Find and select the newly created role from the list.
  11. Copy the Role ARN from the summary page. The ARN is required to configure the SAML attributes later in this post. The ARN is in the following format: arn:aws:iam::AccountID:role/RoleName
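The two IAM documents built in Steps 3 and 4 are easy to get subtly wrong by hand (a wildcard resource, a missing appstream:userId condition, or a trust policy without the SAML:aud condition). The following Python is an added example, not code from the post or from AWS: it generates both documents from the values the walkthrough asks you to collect, and checks a candidate permissions policy for the scoping mistakes that matter most. The sample account ID, Region and stack name are constructed placeholders, and the allow_session_tags flag adds the sts:TagSession action that Step 8 requires for principal tags.

```python
import json
import re

# Added example (not from the post): builds the permissions policy from
# Step 3 and the trust policy from Step 4, and audits a permissions policy
# for over-broad scoping. All sample values are constructed placeholders.

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# A single stack ARN: no wildcard in the stack name.
STACK_ARN_RE = re.compile(r"^arn:aws:appstream:[a-z0-9-]+:\d{12}:stack/[^*]+$")


def stack_stream_policy(region_code: str, account_id: str, stack_name: str) -> dict:
    """Permissions policy from Step 3: stream only from one stack, and only
    when the AppStream 2.0 user id equals the SAML subject (NameID)."""
    account_id = account_id.replace("-", "").replace(" ", "")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appstream:Stream",
                "Resource": f"arn:aws:appstream:{region_code}:{account_id}:stack/{stack_name}",
                "Condition": {"StringEquals": {"appstream:userId": "${saml:sub}"}},
            }
        ],
    }


def saml_trust_policy(provider_arn: str, allow_session_tags: bool = False) -> dict:
    """Trust policy from Step 4: only assertions issued by the named provider
    and addressed to the AWS sign-in audience may assume the role.
    allow_session_tags adds sts:TagSession, which Step 8 needs for principal tags."""
    actions = ["sts:AssumeRoleWithSAML"]
    if allow_session_tags:
        actions.append("sts:TagSession")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": actions,
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def stream_policy_findings(policy: dict) -> list[str]:
    """Return the scoping problems in a permissions policy: a wildcard action,
    a resource that is not a single stack ARN, or a missing userId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "appstream:*") for a in actions):
            findings.append("wildcard action grants more than appstream:Stream")
        for r in resources:
            if not STACK_ARN_RE.match(r):
                findings.append(f"resource is not a single stack ARN: {r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("appstream:userId") != "${saml:sub}":
            findings.append("missing appstream:userId = ${saml:sub} condition")
    return findings


if __name__ == "__main__":
    policy = stack_stream_policy("us-east-1", "0123-4567-8910", "ExampleStack")
    print(json.dumps(policy, indent=2))
    print(stream_policy_findings(policy))
    trust = saml_trust_policy("arn:aws:iam::012345678910:saml-provider/ProviderName")
    print(json.dumps(trust, indent=2))
```

Paste the printed documents into the JSON tab of the policy editor and the role's trust relationship respectively; the audit function is useful as a pre-commit check when the policies are kept in source control.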

Step 5: Configure a Duo application

With the IAM role created, we can now complete the setup in Duo.

  1. Sign in to your Duo console.
  2. In the navigation pane, choose Applications.
  3. Select Protect an Application.
  4. Search for Custom to find Generic Service Provider and select Protect.
  5. Enter the following details:

Under Service Provider

Entity ID: urn:amazon:webservices
Assertion Consumer Service (ACS) URL: https://signin.aws.amazon.com/saml
Default Relay State: Enter your AppStream 2.0 Relay State. The Relay State is unique to your account, AWS Region, and AppStream 2.0 stack. For more information, visit Configure the Relay State of Your Federation.

Under SAML Response

NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID attribute: userPrincipalName

Under Create attributes

We need to create two additional SAML attributes: RoleSessionName and Role.

Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
Value: userPrincipalName

Name: https://aws.amazon.com/SAML/Attributes/Role
Value: This is the IAM Role ARN created in Step 4, followed by a comma and then the IAM Provider ARN created in Step 2. For our example, this would look like: arn:aws:iam::012345678910:role/RoleName,arn:aws:iam::012345678910:saml-provider/ProviderName

  6. In the Settings section, enter a Name.
  7. Choose Save.
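The Role attribute value above is where most federation failures originate: a role and provider from different accounts, a stray space around the comma, or a pair that does not match the role you actually created. The following Python is an added example, not code from the post or from Duo or AWS: it parses the attribute statement of a constructed SAML assertion and reports anything that would not line up with the role and provider from Steps 2 and 4. It assumes the assertion signature has already been verified (AWS STS does that before reading attributes) and enforces the role-then-provider order the post documents; the sample assertion, account ID and names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the post): validates the AWS SAML attributes that
# Step 5 configures in Duo, using a constructed assertion fragment.

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_BASE = "https://aws.amazon.com/SAML/Attributes/"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample (not a real Duo response): only the Subject and
# AttributeStatement, which is all this check inspects.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::012345678910:role/RoleName,arn:aws:iam::012345678910:saml-provider/ProviderName</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return (name_id.text if name_id is not None else None), attrs


def check_aws_attributes(assertion_xml: str, expected_role_arn: str, expected_provider_arn: str) -> list[str]:
    """List the problems that would stop AWS from mapping this assertion to
    the intended role: missing NameID or RoleSessionName, malformed Role
    pairs, cross-account pairs, or a pair other than the one we configured."""
    name_id, attrs = saml_attributes(assertion_xml)
    problems = []
    if not name_id:
        problems.append("missing NameID (appstream:userId is taken from saml:sub)")
    session = attrs.get(ATTR_BASE + "RoleSessionName", [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must carry exactly one non-empty value")
    roles = attrs.get(ATTR_BASE + "Role", [])
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:
        parts = value.split(",")
        if len(parts) != 2:
            problems.append(f"Role value is not 'roleArn,providerArn': {value}")
            continue
        role_arn, provider_arn = parts
        if role_arn != role_arn.strip() or provider_arn != provider_arn.strip():
            problems.append("whitespace around the comma in the Role value")
            role_arn, provider_arn = role_arn.strip(), provider_arn.strip()
        rm, pm = ROLE_ARN_RE.match(role_arn), PROVIDER_ARN_RE.match(provider_arn)
        if not rm or not pm:
            problems.append(f"malformed role or provider ARN: {value}")
        elif rm.group(1) != pm.group(1):
            problems.append("role and SAML provider belong to different accounts")
        elif (role_arn, provider_arn) != (expected_role_arn, expected_provider_arn):
            problems.append("Role pair does not match the configured role and provider")
    return problems


if __name__ == "__main__":
    print(check_aws_attributes(
        SAMPLE_ASSERTION,
        "arn:aws:iam::012345678910:role/RoleName",
        "arn:aws:iam::012345678910:saml-provider/ProviderName",
    ))
```

To run it against a real login, decode the SAMLResponse your browser posts to https://signin.aws.amazon.com/saml (base64, from the developer tools network tab) and pass the Assertion element to check_aws_attributes together with the ARNs you copied in Steps 2 and 4.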

Step 6: Add the SAML application to Duo Central

Ensure that Duo Central is configured and its status is Online. See the Duo article on Configuring Duo Central.

  1. Navigate to the Duo admin console.
  2. Choose Single Sign-On.
  3. Choose Duo Central, then Add tile.
  4. In the What do you want to add to Duo Central dialog box, choose Add application tile.
  5. Select the box next to the name of the AppStream 2.0 application created in Step 5.
  6. Choose Add tile.

Step 7: Test the application

To test the application, browse to the subdomain login URL copied from the Duo Central page (in our example, https://<subdomain>.login.duosecurity.com/) and choose the application tile for AppStream 2.0.

Step 8: Use attribute-based application entitlement (optional)

Attribute-based application entitlements match a supported SAML attribute to a value when the user authenticates. Application entitlements don’t restrict what a user can access on the streaming instance; in the application view, they only limit what is shown in the application catalog.

These optional steps show you how to configure Duo to add a principal tag as a SAML attribute to the SAML assertion. The tag is based on a user’s department attribute for application entitlements.

  1. Update the IAM role to include the sts:TagSession permission. For more information, visit create a SAML 2.0 federation IAM role in the AppStream 2.0 administration guide.
  2. Update the Duo application to include a department attribute. For more information on the principal tags supported by application entitlements, see create application entitlements in the AppStream 2.0 administration guide.
    1. Navigate to the Duo Admin console.
    2. In the navigation pane, choose Applications.
    3. Select Protect an Application.
    4. Choose the application created in Step 5.
    5. Under SAML Response, navigate to Map attributes and enter the following values:
    6. Update the Default Relay State to the following:
      https://relay-state-region-endpoint?accountId=aws-account-id-without-hyphens
    7. Choose Save.
  3. Update the AppStream 2.0 stack to use the principal tag to hide applications from the application catalog.
    1. Navigate to the AppStream 2.0 console.
    2. In the navigation pane, choose Stacks.
    3. Choose the stack associated with the fleet that contains the applications to limit.
    4. Under Application Entitlements, choose Create.
    5. Enter the following for the department attribute:
      1. Name: department-Finance
      2. Attribute Name: department
      3. Attribute Value: Finance
      4. Under Applications, choose each of the applications for the finance department.
  4. Update the user's department attribute value to Finance. Follow the steps in Step 7 to test your application. Your test user should see only the applications with a matching application entitlement on the application catalog page.
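To make the behaviour of the optional steps concrete, the following Python is an added example, not code from the post or from AWS. It checks that a role's trust policy actually carries the sts:TagSession action from step 1, extracts principal tags from SAML attributes using the PrincipalTag:<key> attribute-name format AWS documents for session tags (the post itself does not list the attribute names), and then applies the entitlement semantics described above: a matching attribute name/value pair exposes that entitlement's applications in the catalog, and nothing here affects what the user can run on the instance. The entitlements, catalog and attribute values are constructed sample data, and the rule that a stack with no entitlements shows its full catalog is an assumption of this example.

```python
# Added example (not from the post): principal-tag extraction and
# application-entitlement evaluation for Step 8. Sample data is constructed.

PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed entitlements, shaped like the one created in step 3 above.
ENTITLEMENTS = [
    {"name": "department-Finance", "attribute_name": "department",
     "attribute_value": "Finance", "applications": ["ledger", "budget"]},
    {"name": "department-HR", "attribute_name": "department",
     "attribute_value": "HR", "applications": ["payroll"]},
]
# Constructed catalog of every application the stack's fleet image carries.
CATALOG = ["ledger", "budget", "payroll", "browser"]


def session_tags_allowed(trust_policy: dict) -> bool:
    """True if some Allow statement in the role's trust policy grants
    sts:TagSession; without it the PrincipalTag attributes are rejected."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:TagSession" in actions:
            return True
    return False


def principal_tags(saml_attributes: dict) -> dict:
    """Map {tag key: value} from attributes named PrincipalTag:<key>.
    Session tags are single-valued, so only the first value is used."""
    tags = {}
    for name, values in saml_attributes.items():
        if name.startswith(PRINCIPAL_TAG_PREFIX) and values:
            tags[name[len(PRINCIPAL_TAG_PREFIX):]] = values[0]
    return tags


def visible_applications(entitlements: list, tags: dict, catalog: list) -> list:
    """Applications shown in the catalog for a user with the given tags.
    Assumption: no entitlements means the whole catalog is shown; otherwise
    only applications from entitlements whose attribute matches exactly."""
    if not entitlements:
        return list(catalog)
    allowed = set()
    for ent in entitlements:
        if tags.get(ent["attribute_name"]) == ent["attribute_value"]:
            allowed.update(ent["applications"])
    return [app for app in catalog if app in allowed]


if __name__ == "__main__":
    # Constructed attribute map, as the Duo application would emit it after step 2.
    attrs = {
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": ["user@example.com"],
        "https://aws.amazon.com/SAML/Attributes/PrincipalTag:department": ["Finance"],
    }
    print(principal_tags(attrs))
    print(visible_applications(ENTITLEMENTS, principal_tags(attrs), CATALOG))
```

Note that the match is an exact string comparison, so a user whose department attribute is "finance" rather than "Finance" sees an empty catalog; that is usually the first thing to check when the test in step 4 shows no applications.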

Clean up resources

There is no additional cost to use SAML 2.0. For additional information on pricing, refer to the Amazon AppStream 2.0 pricing page.

You can stop your running fleet to avoid unintended charges. Follow the instructions on cleaning up resources in the AppStream 2.0 administration guide to stop any unused running fleet and delete the associated stack.

Conclusion

In this post, we enabled federation with Duo Single Sign-On and Amazon AppStream 2.0. Duo metadata is unique per application. If multiple applications are configured, each will need its own respective IAM identity provider. For more information on setting up SAML 2.0 for AppStream 2.0, refer to the AppStream 2.0 Administration Guide.