Desktop and Application Streaming

How to use Okta claims with application entitlements for Amazon AppStream 2.0

This blog post shows you how to use Okta claims to configure application entitlements for your Amazon AppStream 2.0 stacks.

Customers use Amazon AppStream 2.0 to manage applications centrally, and stream them to their end users. With application entitlements, you control access to specific applications in the AppStream 2.0 application catalog with attributes carried in the SAML assertion. In addition, you can use this feature to streamline access control to multiple AppStream 2.0 stacks. Use application entitlements to reduce the number of fleets and images you must maintain.

Time to read 5 minutes
Time to complete 30 minutes
Cost to complete (estimated) There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision, plus a small monthly fee per streaming user depending on the operating system chosen. For additional information, review the Amazon AppStream 2.0 pricing.
Learning level Advanced (300)
Services used Amazon AppStream 2.0, AWS Identity and Access Management (IAM)

Overview of Solution

An AppStream 2.0 best practice is to minimize the number of fleets and images. This reduces the number of images to maintain, and minimizes the costs of running fleets.

To demonstrate application entitlements this walkthrough has two common user scenarios. Application entitlements work by matching a supported SAML attribute name to a value when a SAML 2.0 federated user authenticates.

The first scenario shows how users from different departments can use the same image. The Finance department must have access to calc, math, and writer. The IT_Developers department must have access to Eclipse and Notepad++. The goal is for the two groups of users, IT_Developers and Finance, to use the same fleet to access their applications. Each user's application catalog will display only the applications for their department.

The second scenario demonstrates using Active Directory groups. Members of the team_Finance group have access to calc, math, and writer. Members of the team_IT_Developers group have access to Eclipse and Notepad++.

The goal is for the two users groups to use the same fleet to access their applications. Their application catalog will display the applications for the appropriate Active Directory group.

Application entitlements do not restrict what the user can access on the streaming instance. If you must restrict access to an executable, review the blog using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Walkthrough

This walkthrough shows you how to configure Okta to add a principal tag as a SAML attribute to the SAML assertion. The tag is based on a user’s department attribute or group membership for application entitlements.

Prerequisites:

Step 1: Update the IAM role

In IAM, you update the trust policy on the IAM role that your AppStream 2.0 users assume. Application entitlements are evaluated against PrincipalTag attributes in the SAML assertion, which STS turns into session tags on the assumed-role session. A trust policy that allows only sts:AssumeRoleWithSAML rejects an assertion that carries PrincipalTag attributes, so you must also allow sts:TagSession.

  1. Open the IAM console, and choose Roles.
  2. Select the role you created for your AppStream 2.0 users to assume.
  3. Choose Trust relationships, Edit trust relationship.
  4. Update the Action to allow sts:TagSession
    1. Replace the existing Policy Document with the following code
    2. Update <account-id> with your account ID.
    3. Update <saml_provider_name> with the name of your SAML provider.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:saml-provider/<saml_provider_name>"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
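The following check, added here and not part of the original post, reads a role trust policy and reports whether the statement for the SAML provider allows both sts:AssumeRoleWithSAML and sts:TagSession and keeps the SAML:aud condition. The two policies embedded at the bottom are constructed samples using a placeholder account ID and provider name; a real policy would be fetched with the IAM GetRole API.

```python
"""Check that an IAM role trust policy is ready for AppStream 2.0 application
entitlements: the Allow statement for the SAML provider must grant both
sts:AssumeRoleWithSAML and sts:TagSession, and keep the SAML:aud condition.
Added example; the sample policies below are constructed with placeholders."""
import json

REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str) -> list:
    """Return a list of findings; an empty list means the trust policy is ready."""
    policy = json.loads(policy_json)
    saml_statements = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and any(":saml-provider/" in f for f in federated):
            saml_statements.append(stmt)
    if not saml_statements:
        return ["no Allow statement with a SAML provider as the Federated principal"]

    findings = []
    for stmt in saml_statements:
        actions = set(_as_list(stmt.get("Action", [])))
        missing = REQUIRED_ACTIONS - actions
        if missing:
            findings.append("missing action(s): " + ", ".join(sorted(missing)))
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("SAML:aud") != SAML_AUDIENCE:
            findings.append("SAML:aud condition missing or not the AWS sign-in audience")
    return findings


# Constructed sample: placeholder account ID and provider name.
_PROVIDER = "arn:aws:iam::123456789012:saml-provider/Okta"

# The trust policy as it typically looks before this step (no sts:TagSession).
BEFORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
    }],
})

# The trust policy after Step 1.
AFTER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
    }],
})

if __name__ == "__main__":
    for label, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(label, check_trust_policy(policy) or "ready")
```

Run it against the output of `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` to confirm the change took effect before testing the Okta side; a missing sts:TagSession shows up as a federation error at sign-in, not as an empty catalog.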

Step 2: Update Okta Application

Now that you have updated the role to allow session tags, you must add them to the SAML assertion. There are multiple ways to grant access to applications. In this step, you configure access using two scenarios: by department, or by group. If a user has a department attribute and is also a member of Active Directory groups, the user sees the applications that match either rule.

Scenario 1: using the department attribute

For the first scenario, assume that there are two users. One user with a department of Finance, and the second user with a department of IT_Developers.

  1. Open the Okta console
  2. Navigate to the Okta AppStream Application, and select the tab Sign on.
  3. Choose Edit
  4. Expand Attributes, and enter the following values:
    1. Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:department
    2. Value: user.department
  5. Choose Save

Scenario 2: using the group attribute

For this scenario, assume that there are two groups. One is named team_Finance, and the second is named team_IT_Developers. We use the String.join function to build a colon-delimited list of the user's group memberships. isMemberOfGroupName is the Okta Expression Language function that checks group membership; for additional information, see the group functions in the Okta Expression Language reference: https://developer.okta.com/docs/reference/okta-expression-language/#country-code-conversion-functions

  1. Open the Okta console
  2. Navigate to the Okta AppStream Application, and select the tab Sign on.
  3. Choose Edit
  4. Expand Attributes, and enter the following values:
    1. Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups
    2. Value: String.join(":", isMemberOfGroupName("team_IT_Developers") ? 'team_IT_Developers' : '', isMemberOfGroupName("team_Finance") ? 'team_Finance' : '')
  5. Choose Save

Update Okta AppStream Application, with the new relay state

To use application entitlements, the default relay state must not reference a specific stack, so that the catalog is built from the user's entitlements rather than a hard-coded stack. Navigate to the Okta AppStream 2.0 application and update the default relay state to the format below:

https://relay-state-region-endpoint?accountId=aws-account-id-without-hyphens

Step 3: Update the AppStream 2.0 Stack

  1. Open the AppStream 2.0 console.
  2. Choose Stacks in the navigation pane.
  3. Choose the Stack associated with the fleet that contains the applications you wish to limit.
  4. Under Application Entitlements, choose Create.

Scenario 1 (Using department attribute)

  1. Enter the following:
    1. Name: department_Finance
    2. Attribute Name: department
    3. Attribute Value: Finance
    4. Under Application settings, choose Select Applications
    5. Under Applications, choose each of the applications for LibreOffice (calc, math, writer).
  2. Repeat this step for the IT_Developers. For the developer applications, choose Eclipse, and Notepad++.

Scenario 2 (Using groups)

  1. Enter the following:
    1. Name: group_team_Finance
    2. Attribute Name: groups
    3. Attribute Value: team_Finance
    4. Under Application settings, choose Select Applications
    5. Under Applications, choose each of the applications for LibreOffice (calc, math, writer).
  2. Repeat this step for the team_IT_Developers. For the developer applications, choose Eclipse, and Notepad++.

Step 4: Test your solution

For scenario one, update the department attribute on two test users. Set the department attribute on the first user to Finance and the second user to IT_Developers. For the second scenario, add a test user to the groups that correspond to the AppStream 2.0 applications they must access. In this blog, you created two groups – team_Finance and team_IT_Developers. Each group must have a unique test user.

To test your solution, navigate to the Okta portal, and choose the AppStream 2.0 enterprise application.
You can verify the SAML assertion and the SAML attributes using a SAML decoder, or a browser extension.

For example, in scenario one the user whose department attribute is Finance will have this attribute:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:department">
     <AttributeValue>Finance</AttributeValue>
</Attribute>

In scenario two, the user in the team_Finance group will have this attribute:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups">
     <AttributeValue>team_Finance</AttributeValue>
</Attribute>

Because the expression in Step 2 joins a fixed number of branches, a user who is in only one of the groups receives a value with an empty element (for example, :team_Finance); the entitlement still matches because the value is treated as a colon-delimited list. If the user does not see the expected applications, check that the attribute name in the assertion uses the PrincipalTag: prefix exactly and that the entitlement's attribute value matches one list element character for character.
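To make the check in this step repeatable, the following script, added here and not part of the original post, decodes a SAMLResponse form value, extracts the PrincipalTag attributes, validates them against the AWS session-tag limits (key up to 128 characters, value up to 256 characters, restricted character set, approximated here with a Python regular expression), and reports which of the four entitlements from Step 3 the user would match. It serves both the groups expression in Step 2 (the empty-element case) and the test in Step 4. The embedded assertion is a constructed sample for a Finance user who is a member of team_Finance only, with the signature omitted; the account ID, role name, and issuer are placeholders. The matcher treats a tag value as a colon-delimited list, which is the behaviour the groups expression relies on.

```python
"""Decode a SAMLResponse, extract AppStream 2.0 PrincipalTag attributes, validate
them against AWS session-tag limits, and compute matching application entitlements.
Added example; the assertion below is constructed and unsigned."""
import base64
import re
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"
# Approximation of the STS session-tag value charset (letters, digits, space, _ . : / = + - @).
TAG_VALUE_RE = re.compile(r"^[\w\s.:/=+\-@]*$")


def _attributes(saml_response_b64: str) -> dict:
    """Return {attribute name: [values]} from a base64-encoded SAML Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def principal_tags(saml_response_b64: str) -> dict:
    """Return {tag key: tag value} for every PrincipalTag attribute in the assertion."""
    tags = {}
    for name, values in _attributes(saml_response_b64).items():
        if name.startswith(PRINCIPAL_TAG_PREFIX):
            tags[name[len(PRINCIPAL_TAG_PREFIX):]] = values[0] if values else ""
    return tags


def validate_tags(tags: dict) -> list:
    """Findings against the session-tag limits; empty list means the tags are acceptable."""
    findings = []
    for key, value in tags.items():
        if not key or len(key) > 128:
            findings.append(f"{key!r}: key must be 1-128 characters")
        if len(value) > 256:
            findings.append(f"{key}: value longer than 256 characters")
        if not TAG_VALUE_RE.match(value):
            findings.append(f"{key}: value contains characters STS rejects in session tags")
    return findings


def matching_entitlements(tags: dict, entitlements: list) -> list:
    """Names of entitlements (name, attribute, value) the user's tags satisfy.
    A tag value is treated as a colon-delimited list, so groups='a:b' matches 'b';
    empty elements such as the leading one in ':team_Finance' are ignored."""
    matched = []
    for name, attribute, wanted in entitlements:
        parts = [p for p in tags.get(attribute, "").split(":") if p]
        if wanted in parts:
            matched.append(name)
    return matched


# Constructed sample assertion: department=Finance, member of team_Finance only, so the
# Step 2 groups expression yields an empty first element. Signature omitted.
_SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML_ASSERTION_NS}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AppStreamUsers,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>finance.user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{PRINCIPAL_TAG_PREFIX}department">
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{PRINCIPAL_TAG_PREFIX}groups">
        <saml:AttributeValue>:team_Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_RESPONSE.encode()).decode()

# The four entitlements created in Step 3: (entitlement name, attribute name, attribute value).
ENTITLEMENTS = [
    ("department_Finance", "department", "Finance"),
    ("department_IT_Developers", "department", "IT_Developers"),
    ("group_team_Finance", "groups", "team_Finance"),
    ("group_team_IT_Developers", "groups", "team_IT_Developers"),
]

if __name__ == "__main__":
    tags = principal_tags(SAMPLE_SAML_RESPONSE)
    print("PrincipalTags:", tags)
    print("Findings:", validate_tags(tags) or "none")
    print("Matched entitlements:", matching_entitlements(tags, ENTITLEMENTS))
```

Paste the SAMLResponse value captured from the browser (the form field POSTed to https://signin.aws.amazon.com/saml) in place of the constructed sample; a user in many groups can exceed the 256-character value limit, which the Okta expression will not warn about but STS will reject.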

Clean up resources

There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For additional information, see the Amazon AppStream 2.0 pricing.

You can stop your running fleet and delete your active stack to avoid unintended charges to your account. To clean up your resources, follow the guidance to clean up resources in the AppStream 2.0 administration guide.

Conclusion

In this blog you configured application entitlements using Okta claims. A user is shown the set of applications they are entitled to in their application catalog, by using either a group or a department. Use application entitlements to reduce the number of fleets and images you must maintain. In addition, you can use this feature to streamline access control to multiple AppStream 2.0 stacks.

Application entitlements don’t restrict what the user can access on the streaming instance. If you must restrict access to an executable, review the blog using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Amazon AppStream 2.0 is a fully managed non-persistent application and desktop streaming service. You can centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can try sample applications at no cost.