Desktop and Application Streaming

Federating Access to Amazon AppStream 2.0 from VMware Workspace ONE

Amazon AppStream 2.0 provides three different methods for authenticating your users and providing them remote access to your Windows applications:

  • User Pool– a simple built-in option to configure users and provide sign-in
  • Custom identity – Set up your own identity and use the CreateStreamingURL API to start a session after user sign
  • SAML 2.0 – Federated single sign-in

This blog post focuses on the federated sign-in support. You can use your existing SAML2.0-compliant identity provider to provide single sign-on access of AppStream 2.0 applications to your users, without needing to manage a separate identity system. You have several options for connecting SAML 2.0 sign-in to AppStream 2.0 including ADFS, Okta, or Ping. This post shows how you can use your VMware Workspace ONE digital workspace platform to federate access to your AppStream 2.0 applications without separately managing user accounts and passwords.

Walkthrough

After setting up SAML 2.0 federation for AppStream 2.0, users can log into their Workspace ONE application catalog to choose their AppStream 2.0 app. When they choose AppStream 2.0, their browser receives the SAML assertion as an authentication response and which is sent to the AWS IAM sign-in SAML endpoint. Temporary IAM security credentials are issued after the SAML assertion and the embedded attributes are validated. The user is then redirected to the AppStream 2.0 application stack to select the app to stream.

At a high level, this is the flow for the SSO federation:

  1. The user navigates to your Workspace ONE tenant in their browser then provides their credentials.
  2. The user sees the applications that they are entitled to. The user chooses the AppStream 2.0 application stack.
  3. Workspace ONE builds the SAML assertion, and displays it in the users’ browser to post to the AWS sign-in SAML endpoint. AWS IAM receives the SAML request, authenticates the user, and forwards the authentication token to the AppStream 2.0 SAML endpoint.
  4. AppStream 2.0 uses the authentication token from IAM to validate that the user has access to the AppStream 2.0 stack. It then presents users with the applications in that stack.

In this post, we walk through the steps to configure IAM and Workspace ONE to enable your users to launch their AppStream 2.0 apps without authenticating multiple times. Here are the steps:

  1. Configure IAM to trust Workspace ONE.
  2. Create the IAM policy that provides permissions to the AppStream 2.0 stack.
  3. Create the IAM role that provides permissions to stream from the AppStream 2.0 stack.
  4. Create the AppStream 2.0 SAML app in Workspace ONE and assign users to it.
  5. Test the launch of AppStream 2.0 from the Workspace ONE catalog.

Prerequisites

To complete the steps in this post, you need the following:

  • An existing Workspace ONE tenant with users.
  • Access to IAM with permissions to create an identity provider and roles.
  • An existing AppStream 2.0 stack that users can access.
  • Familiarity with AppStream 2.0 resources.

Step 1: Configure IAM to trust Workspace ONE

Create the Workspace ONE identity provider within IAM. This step provides IAM the public key required to trust the users and their attributes that come from the Workspace ONE identity provider. To trust Workspace ONE, you must download the metadata.xml file and provide it to IAM. To create the Workspace ONE identity provider within IAM:

  1. Log in to your Workspace ONE tenant administration console.
  2. Navigate to the Catalog tab, then choose Settings.
  3. On the left side, select SAML Metadata.
  4. Download the Identity Provider (IdP) metadata.
  5. After the file is downloaded, navigate to the AWS Management Console. Log in with a user that has sufficient permissions to create IAM identity providers and roles.
  6. After you log in, navigate to the IAM service by typing IAM in the search box. When the suggestions appear, choose the one at the top.
  7. On the left side, choose Identity providers.
  8. Choose Create Provider from the top of the IAM console.
  9. For Provider Type, choose SAML. For Provider Name, type a descriptive name, such as WorkspaceONE_IdP. For Metadata Document, choose the file downloaded in step 4, then choose Next Step.
  10. Review the details that you specified, then choose Create.

You should now see the WorkspaceONE_IdP listed, meaning it was created successfully. IAM will now accept user SSO assertions from the Workspace ONE identity provider.

Step 2: Create the IAM policy that provides permissions to the AppStream 2.0 stack

Create the IAM policy that provides the user access to stream apps from a specific AppStream 2.0 stack. To create the IAM policy:

  1. Open the IAM console.
  2. On the left side, choose Policies.
  3. Choose Create Policy, then choose the JSON
  4. Paste following JSON into the JSON editor box: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": "arn:aws:appstream:[AWS Region]:[12 digit AWS accountID]:stack/[AppStreamStackName]",
            "Condition": {
                "StringEquals": {
                    "appstream:userId": "${saml:sub}",
                    "saml:sub_type": "persistent"
                }
            }
        }
    ]
}
  5. Replace the text within the brackets with your information, then choose Review Policy.
  6. Type a descriptive name, such as WorkspaceONE_<stackname>_Policy then choose Create Policy.

You have now created the IAM policy that the user asserts when they federate to IAM from Workspace ONE. The user is limited to the AppStream 2.0 Stream action, and only to the specific stack specified by the Amazon Resource name (ARN) in the Resource field.

Step 3: Create the IAM role that provides permissions to stream from the AppStream 2.0 stack

When users federate to AWS, they assert an IAM role that has the IAM policies applied to it to provide it permissions. Now that you have created the IAM policy, create the IAM role, and attach the policy to it.

  1. Open the IAM console.
  2. On the left side, choose Roles,Create role.
  3. For Select type of trusted entity, choose SAML 2.0 federation. For SAML provider, choose the identity provider that you created earlier. From our example, it is WorkspaceONE_IdP. For attribute, choose SAML:sub_type. For Value, enter in Persistent. Then choose Next: Permissions.
  4. In the search box, search for the policy that you created earlier, then choose it. In our example, it is named WorkspaceONE_<stackname>_Policy.
  5. Choose Next: Review, provide a descriptive name for the role, such as WorkspaceONE_Role_For_<stackname>, then choose Create role.

You have now created the IAM role the user asserts when they federate to IAM and AppStream 2.0. The IAM role uses the IAM policy, limiting the user to streaming only from the stack specified in the policy.

Step 4: Create the AppStream 2.0 SAML app in Workspace ONE and assign users to it

Create the AppStream 2.0 app in the Workspace ONE catalog for users to launch apps.

  1. Log in to your Workspace ONE tenant administration console.
  2. Navigate to the Catalog tab, then choose New.
  3. In the search field, type Amazon AppStream 2.0, then choose Amazon AppStream 2.0. Verify the pre-populated name and description. The name and description display to your users in the catalog. Optionally, choose which categories the AppStream 2.0 SAML app should be added to. When completed, choose Next.
  4. In the Application Parameters section, specify the following values. When completed, choose Next.
    1. For roleName, specify the IAM role that you created earlier. In our example, we used WorkspaceONE_Role_For_<stack>.
    2. For identityProviderName, specify the name of the identity provider that you created earlier. In our example, it was WorkspaceONE_IdP.
    3. For awsAccNum, specify the 12 digits of your AWS account ID, without the hyphens.
    4. For as2StackName, specify the name of the stack specified in the IAM policy that you created earlier.
    5. For awsRegion, specify the AWS Region where the AppStream 2.0 stack is located.
  5. Choose the appropriate Access Policies for the SAML app, then choose Next.
  6. Review the information that you specified, then choose Save & Assign.
  7. Search for and choose the users and user groups that require access to the AppStream 2.0 application stack. When completed, choose Save.

Step 5: Test the launch of AppStream 2.0 from the Workspace ONE catalog

Validate that the AppStream 2.0 app in the Workspace ONE catalog works as expected.

  1. Log in to your Workspace ONE tenant with a user that the app was assigned to.
  2. Switch to the Catalog to see the app that was created.
  3. Choose the app that was created, then choose Open. A new tab opens that performs the SAML assertion against IAM, asserts the IAM role specified, and then redirects to the AppStream 2.0 stack.
  4. In the AppStream 2.0 app catalog, choose an application to launch. The application starts streaming.

Conclusion

That’s it! You have configured IAM and Workspace ONE, and verified that it works. Your users can now launch their Windows applications from AppStream 2.0 after first authenticating to Workspace ONE. They aren’t required to authenticate again when they open the AppStream 2.0 application portal.