Desktop and Application Streaming

OneLogin SSO with Amazon AppStream 2.0

Amazon AppStream 2.0 supports identity federation to AppStream 2.0 stacks through Security Assertion Markup Language 2.0 (SAML 2.0). This feature offers your users the convenience of access to their AppStream 2.0 applications using their existing identity credentials. You also have the security benefit of identity authentication by your IdP. By using your IdP, you can control which users have access to a particular AppStream 2.0 stack.

In this blog, I explain how to configure federated user access for Amazon AppStream 2.0 using OneLogin SSO.

Solution Overview

This blog walks you through configuring a SAML 2.0 federation using OneLogin SSO. Your users can access their assigned applications via the OneLogin console. The steps to proceed through this blog are:

  1. Create a OneLogin SSO Application
  2. Create an AWS SAML Identify Provider
  3. Configure an AWS Identity and Access Management (IAM) policy
  4. Create an IAM role
  5. Configure the OneLogin SSO Application
  6. Add users
  7. Test the configuration

Walkthrough

Prerequisites

Step 1: Create a OneLogin SSO Application

Your users will use OneLogin to authenticate to your AppStream 2.0 resources.

  1. Logon to your OneLogin console
  2. Browse to Applications from the top menu items and then click on Add App in the top right
  3. In the search field, search for SAML Custom Connector (Advanced) and then select it
  4. Create a Display Name for the application, add a Description if you prefer, and then choose Save
  5. Choose the Configuration tab on the left
  6. Update the RelayStateto the RelayState for your account. It follows this syntax https://appstream2.YOUR_REGION.aws.amazon.com/saml?stack=STACK_NAME&accountId=ACCOUNT_ID Review the external identity provider’s relay state guide for more information.
  7. Add an Audience (EntitiyID) of urn:amazon:webservices
  8. Add the Recipient as https://signin.aws.amazon.com/saml
  9. Add the ACS (Consumer) URL Validator* as ^https:\/\/signin\.aws\.amazon\.com\/saml$
  10. Add the ACS (Consumer) URL* as https://signin.aws.amazon.com/saml
  11. Update the SAML nameID format field to Persistent
  12. Update the SAML signature element to Both
  13. Select Sign SLO Request and Sign SLO Response by checking off their respective check boxes
  14. Choose the Save option in the top right
  15. Navigate to the “More Actions” dropdown at the top right of the page and choose SAML Metadata. This will download the metadata XML file. Save this file in a location as you will use this in Step 2 when completing the next section

Step 2: Create an AWS SAML Identity Provider

Create the SAML provider in the IAM console. You can also create it using the AWS Command Line Interface (AWS CLI). For more information, see the Setting Up SAML page in the AppStream 2.0 Developer Guide.

  1. In the IAM console, choose Identity providers, Add provider.
  2. On the Add an Identity provider page, for the Provider Type, choose SAML.
  3. For the Provider Name, you can use OneLogin or choose any meaningful name
  4. Choose Choose File to upload the metadata document that you downloaded in Step 1 when completing the previous section. Choose Next Step.
  5. Verify the information you entered, and choose Add provider.
  6. Choose the identity provider (IdP) that you created to get the Amazon Resource Name (ARN) of the IdP. The ARN is required in a following step in the walkthrough.
    1. The ARN is in the following format arn:aws:iam::AccountID:saml-provider/Provider Name

Step 3: Configure an AWS Identity and Access Management (IAM) Policy

Create a policy with permissions to the AppStream 2.0 stack. This makes sure that users have only the permission to stream applications from a specific stack.

  1. In the IAM console, choose Policies, Create Policy, and choose the JSON option.

The following code block shows the policy that gives users permissions to an AppStream 2.0 stack, named ExampleStack. For more information, see the Setting Up SAML page in the AppStream 2.0 Admin Guide.

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": "appstream:Stream",
             "Resource": [
                 "arn:aws:appstream:us-east-1:01234567890:stack/ExampleStack"
             ],
             "Condition": {
                 "StringEquals": {
                     "appstream:userId": "${saml:sub}"
                 }
             }
         }
     ]
 }
  1. Update the policy with the following changes:
    1. Replace us-east-1 with the Region code for the AWS Region your AppStream 2.0 stack is in.
    2. Replace 01234567890 with your account id without spaces or dashes
    3. Replace ExampleStack with your case sensitive stack name
  2. After you’ve specified the policy, choose Next: Tags.
  3. Add any optional tags. Choose Next: Review.
  4. For the Policy Name, type a descriptive name, such as AppStream2_ExampleStack.
  5. For the Description, enter details about the use and permission level.
  6. Choose Create Policy.

Step 4: Create an IAM Role

Create an IAM role that your OneLogin users will assume when federating to AppStream 2.0 resources.

  1. In the IAM console, choose Roles, Create role.
  2. For the trusted entity type, select SAML 2.0 federation.
  3. Under SAML provider, choose the SAML IdP that you created.
  4. Leave “Allow programmatic access only” and “Allow programmatic and AWS Management Console Access” unselected.
  5. For the Attribute, choose SAML:aud and
  6. For Value enter https://signin.aws.amazon.com/saml
  7. Choose Next, Permissions.
  8. Select the IAM policy you created in Step 3, and choose Next, Tags.
  9. Add any optional tags. Choose Next: Review.
  10. Enter a Role Name and Role Description that identifies the role, and choose Create Role.
  11. In the IAM console, in the navigation pane, choose Roles. Locate the role that you created, and choose it to open the role properties.
  12. Choose the Trust Relationships
  13. Under Trusted Entities, verify that the IdP that you created in Step 2 is listed.
  14. Copy the Role ARN which is the first line in the summary section. The ARN is required to configure claims rules in a following step. The ARN is in the following format:
    arn:aws:iam::AccountID:role/Role_Name

Step 5: Configure the OneLogin SSO Application

Make the final configuration changes on the OneLogin Application.

  1. Open your OneLogin console.
  2. Open the Custom Application you created
  3. Navigate to the Parameters section
  4. Create a custom parameter for the Role, by choosing the blue plus button to the right
    1. Enter https://aws.amazon.com/SAML/Attributes/Roleas the Field name, select the Include in SAML assertion check box, and then choose save
    2. Update the Value dropdown to -Macro-and provide the ROLE ARN. The ROLE ARN is from Step 4, followed by a comma, and then the identity provider ARN from Step 2. For our Example stack, this is arn:aws:iam::01234567890:role/ExampleStack,arn:aws:iam::01234567890:saml-provider/OneLogin
    3. Choose Save
  5. Create a custom parameter for the RoleSessionName
    1. Enter https://aws.amazon.com/SAML/Attributes/RoleSessionNameas the Field name, select the Include in SAML assertion check box, and then choose save
    2. Update the Value dropdown to Emailand then choose Save
  6. Create a custom parameter for the Session Duration
    1. Enter https://aws.amazon.com/SAML/Attributes/SessionDurationas the Field name, select the Include in SAML assertion check box, and then choose save
    2. Update the Value dropdown to -Macro-and provide a session duration. This value is the duration of a session, in seconds. This can be between 900 (15 minutes) and 43200 (12 hours).
    3. Choose Save
  7. Navigate to the SSO section
  8. Update the SAML Signature Algorithm to SHA-256 and choose Save

Step 6: Add Users

Add the appropriate users to the application so they can access the application.

  1. OneLogin uses roles to control users’ access to applications. If you already have a Role setup for your users, add the AppStream 2.0 application to the role. If you do not have a Role setup, skip to Step 2.
    1. Navigate to the Users dropdown and select Roles
    2. Choose the Role your users for this application will use
    3. On the applications tab, under Role Apps, choose the application you created and then choose Save
    4. You users will now have access to the AppStream 2.0 application, you can skip Step 2
  2. If you do not have a Role setup, or want to create a new Role for testing:
    1. Follow the OneLogin documentation to create a new role, and assign users to the role
    2. Once your Role is created, choose the Role, on the applications tab, under Role Apps, choose the application you created and then choose Save
  3. If you are currently just testing this solution, you can also go to an individual user, select Applications and add it to the individual user.

Step 7: Test Configuration

You can test using the OneLogin Console.

  1. As a user assigned to the application, browse to your OneLogin Console and login.
  2. Choose the application you created.
  3. Select the application to run.

Conclusion

In this post, I walked you through setting up OneLogin as your SAML provider for AppStream 2.0. Your users are now able to access AppStream 2.0 through OneLogin single sign-on.