Desktop and Application Streaming

Redirect an Okta SAML app to the Amazon WorkSpaces Applications native client

Customers use Amazon WorkSpaces Applications to stream applications and desktops to an HTML5-capable web browser. WorkSpaces Applications through the web browser provides functionality for most users, including support for multiple monitors, touchscreen devices, file transfers, and webcams. Users can also access WorkSpaces Applications with the native client for additional functionality such as peripheral devices or native application mode.

When a user launches a WorkSpaces application from their SAML provider, they are directed to the web client for their session. If a user logs into their SAML provider directly from the native client, their session will continue in the native client. Customers often want to provide their users a single location to launch their SSO applications, but may need the additional functionality the native client provides.

Overview

In this blog, you create an application tile in Okta that will automatically redirect requests for a WorkSpaces application to the WorkSpaces Applications client.

Walkthrough

You will perform the following steps:

  1. Format a Base64 encoded application URL.
  2. Create an Okta Bookmark App.
  3. Hide the Okta app on mobile devices.
  4. Configure Okta for a seamless authentication exchange.

Prerequisites

This article assumes that you have the following already in place:

Step 1: Format a Base64 encoded application URL

Amazon WorkSpaces Applications registers a custom URI scheme, amazonappstream:, that hands a streaming URL from the web browser to the native client. The URL that follows the scheme is the Okta embed link for the WorkSpaces Applications resource, Base64 encoded. Base64 is an encoding, not encryption: the bookmark URL can be decoded by anyone who sees it, and it carries no credentials; the native client still authenticates the user against Okta.

  1. Log in to your Okta administrative portal and select your WorkSpaces Applications application under the Applications menu.
  2. Select the General tab.
  3. In the App Embed Link section, copy the Embed Link.
  4. Run the following PowerShell command to convert the embed link URL into a Base64 encoded URL. Replace Embed_Link_URL with the URL copied in step 3:

[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("Embed_Link_URL"))

Step 2: Create an Okta Bookmark App

We will use the Base64 encoded URL generated in the previous step to create an Okta Bookmark App tile. The Bookmark App will direct users to the specially formatted URL which calls the native WorkSpaces Applications client.

  1. In the Okta administrative portal, select Applications then Browse App Catalog.
  2. Search for and select Bookmark App.
  3. Choose Add.


  4. For Application label, enter WorkSpaces Applications – Client. This is what the user will see on the tile in the Okta web interface.
  5. For URL, enter amazonappstream: immediately followed by the output from the PowerShell command in step 1, with no space or slashes between them. For example: amazonappstream:T2t0YSBlbWJlZGRlZCBsaW5r. That value is illustrative only (it decodes to the text "Okta embedded link"); use the encoding of your own embed link.
  6. Choose Done.
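The following PowerShell script is an added example and is not code from the original post or from AWS. It performs steps 1 and 2 end to end: it validates the copied embed link, Base64 encodes it exactly as the one-liner above does, round-trips the encoding to prove nothing was lost, and prints the amazonappstream: URL to paste into the Bookmark App. The embed link is a constructed placeholder, and the final registry check assumes the native client registers its scheme under HKEY_CLASSES_ROOT\amazonappstream, which is the standard location for Windows custom URI schemes; verify that on a machine with the client installed.

```powershell
# Added example (not from the original post): build and sanity-check the
# amazonappstream: URL for an Okta Bookmark App from the Okta App Embed Link.
# The embed link below is a constructed placeholder; replace it with the link
# copied from the General tab of your WorkSpaces Applications app in Okta.
$EmbedLink = 'https://example.okta.com/home/example_app/0oaEXAMPLE/EXAMPLE'

# Refuse anything that is not an absolute https URL. The native client opens
# whatever is encoded here, so catch a stray copy/paste before it ships.
$uri = $null
if (-not [System.Uri]::TryCreate($EmbedLink, [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
    throw "Embed link must be an absolute https URL, got: $EmbedLink"
}

# Same encoding as the post's one-liner: UTF-8 bytes of the URL -> Base64.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($EmbedLink))

# Round-trip the encoding. Base64 is reversible, so the decoded value must be
# exactly the link we started with; this also shows the string is not a secret.
$decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))
if ($decoded -ne $EmbedLink) { throw 'Base64 round-trip failed' }

# Scheme and payload are concatenated directly: no space, no "//".
$bookmarkUrl = "amazonappstream:$encoded"
Write-Output "Paste this into the Bookmark App URL field:`n$bookmarkUrl"

# Optional local check on a Windows desktop with the native client installed.
# Custom URI schemes are registered under HKEY_CLASSES_ROOT\<scheme>; if the
# key is missing, the bookmark opens nothing. (Assumed key name; verify.)
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\amazonappstream'
if (Test-Path $handlerKey) {
    $cmd = (Get-ItemProperty -Path "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "amazonappstream: handler is registered: $cmd"
} else {
    Write-Warning 'No amazonappstream: handler found in HKCR; install the WorkSpaces Applications client first.'
}
```

Run the script on the administrator's workstation, paste the printed URL into the Bookmark App, and repeat the registry check on a representative user desktop before assigning the tile; a tile that points at an unregistered scheme fails silently in the browser.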

Step 3: Hide the Okta app on mobile devices

The only purpose of this tile is to redirect the launch to the native WorkSpaces Applications client on the user's desktop. Because the Okta mobile app cannot hand the amazonappstream: URL to that client, hide the tile there so mobile users do not see a link that does nothing.

  1. On the General tab under App Settings, choose Edit.
  2. Next to Application visibility, select the box for Do not display application icon in the Okta Mobile app.
  3. Choose Save.
  4. Assign the application to the required users or groups and configure any other settings on the application in the console as required.

Step 4: Configure Okta for a seamless authentication exchange

With the previous steps complete, launching the Bookmark App redirects the launch action to the Windows WorkSpaces Applications client. The user is then presented with the Okta logon page a second time, because the browser's Okta session cannot be shared with the native client.

To make the process completely seamless, the WorkSpaces Applications client can take advantage of the Okta feature Desktop Single Sign-on (DSSO). When Okta DSSO is enabled on the user's desktop, the WorkSpaces Applications client honors that authentication and logs the user into their assigned WorkSpaces Applications stack (the service was previously named AppStream 2.0) without a second prompt. The result is a seamless experience from selecting the WorkSpaces Applications tile in the Okta web interface to launching the application in the native client. Users on desktops where DSSO does not apply still get the second Okta logon prompt described above.

Conclusion

You now have a WorkSpaces Applications tile within your Okta portal that automatically launches the selected resource with the WorkSpaces Applications client. For users that are on Active Directory joined desktops with Okta DSSO enabled, the handoff from the web tile to the WorkSpaces Applications client can be made seamless.

While this blog was written specifically for Okta, the techniques may be applied to other SAML providers. Those providers need to support similar bookmark functionality as well as the ability to provide links directly to application tiles.