Redirect an Okta SAML app to the Amazon AppStream 2.0 native client
Customers use Amazon AppStream 2.0 to stream applications and desktops to an HTML5-capable web browser. AppStream 2.0 through the web browser provides functionality for most users, including support for multiple monitors, touchscreen devices, file transfers, and webcams. Users can also access AppStream 2.0 with the native client for additional functionality such as peripheral devices or native application mode.
When a user launches an AppStream 2.0 application from their SAML provider, they are directed to the web client for their session. If a user logs into their SAML provider directly from the native client, their session will continue in the native client. Customers often want to provide their users a single location to launch their SSO applications, but may need the additional functionality the native client provides.
In this blog, you create an application tile in Okta that will automatically redirect requests for an AppStream 2.0 application to the AppStream 2.0 client.
| Time to read | 10 minutes |
|---|---|
| Time to complete | 10 minutes |
| Cost to complete (estimated) | $0 |
| Learning level | Advanced (300) |
| Services used | Amazon AppStream 2.0 |
You will perform the following steps:
- Format a Base64 encoded application URL.
- Create an Okta Bookmark App.
- Hide the Okta app on mobile devices.
- Configure Okta for a seamless authentication exchange.
This article assumes that you have the following already in place:
- An AWS account set up for Amazon AppStream 2.0
- Okta configured with SAML 2.0 for AppStream 2.0, and permissions to create new application tiles
- The AppStream 2.0 Windows client deployed to end users and configured with your Okta environment listed as a TrustedDomain
- Microsoft Active Directory, with user desktops domain joined, for the seamless authentication exchange in Step 4
Step 1: Format a Base64 encoded application URL
Amazon AppStream 2.0 registers a custom URI scheme, amazonappstream:, that hands a streaming URL from a web browser to the native client. The scheme is followed immediately by the Base64 encoding of the URL for the AppStream 2.0 resource; in this procedure that URL is the Okta embed link for your AppStream 2.0 SAML app.
- Log in to your Okta administrative portal and select your AppStream 2.0 application under the Applications menu.
- Select the General tab.
- In the App Embed Link section, copy the Embed Link.
- Run the following PowerShell command to convert the embed link URL into a Base64 encoded URL. Replace Embed_Link_URL with the URL copied in step 3:
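The following PowerShell is an added example and not the command from the original post. It wraps the Base64 encoding in a function that first checks the embed link is an absolute https URL, prefixes the amazonappstream: scheme so the result can be pasted straight into the Bookmark App in Step 2, and decodes the result again as a round-trip check. The function names and the placeholder embed link are assumptions; replace the placeholder with the Embed Link copied from your Okta app.

```powershell
# Added example (not from the original post): build the amazonappstream: URI
# from an Okta App Embed Link and verify it by decoding it again.
function ConvertTo-AppStreamClientUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$EmbedLink
    )
    # Only accept an absolute https URL. The embed link copied from Okta always
    # is one, and whatever is encoded here is what the native client will open.
    $uri = $null
    if (-not [Uri]::TryCreate($EmbedLink, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -ne 'https') {
        throw "Embed link must be an absolute https URL: '$EmbedLink'"
    }
    # Standard Base64 of the UTF-8 bytes, padding included.
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($EmbedLink)
    $encoded = [System.Convert]::ToBase64String($bytes)
    # No separator between the scheme and the encoded URL.
    return "amazonappstream:$encoded"
}

function ConvertFrom-AppStreamClientUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ClientUri
    )
    $prefix = 'amazonappstream:'
    if (-not $ClientUri.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Not an AppStream 2.0 client URI: '$ClientUri'"
    }
    $bytes = [System.Convert]::FromBase64String($ClientUri.Substring($prefix.Length))
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed placeholder (assumption); replace with the Embed Link copied from
# the General tab of your AppStream 2.0 application in Okta.
$embedLink = 'https://example.okta.com/home/amazon_appstream/0oaexample/123'

$clientUri = ConvertTo-AppStreamClientUri -EmbedLink $embedLink
Write-Output $clientUri

# Round-trip check before pasting the URI into the Bookmark App in Step 2.
if ((ConvertFrom-AppStreamClientUri -ClientUri $clientUri) -ne $embedLink) {
    throw 'Round-trip mismatch: the encoded URI does not decode to the embed link'
}
```

The decode step is worth keeping around: when a user reports that the tile opens the client but the client shows an error, decoding the URL stored in the Bookmark App is the quickest way to confirm that the embed link was copied in full and was not altered by the PowerShell console (for example by a trailing space).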
Step 2: Create an Okta Bookmark App
We will use the Base64 encoded URL generated in the previous step to create an Okta Bookmark App tile. The Bookmark App will direct users to the specially formatted URL which calls the native AppStream 2.0 client.
- In the Okta administrative portal, select Applications then Browse App Catalog.
- Search for and select Bookmark App.
- Choose Add.
- For Application label, enter AppStream 2.0 – Client. This is what the user will see on the tile in the Okta web interface.
- For URL, enter amazonappstream: immediately followed by the output from the PowerShell in step 1, with no space or slashes in between. For example: amazonappstream:T2t0YSBlbWJlZGRlZCBsaW5r. (That example value is only a placeholder; the Base64 string for a real embed link is much longer.)
- Choose Done.
Step 3: Hide the Okta app on mobile devices
This tile exists only to hand the launch to the Windows AppStream 2.0 client. On mobile devices, where the client is not installed, the amazonappstream: URI has no handler, so hide the tile in the Okta Mobile app.
- On the General tab under App Settings, choose Edit.
- Next to Application visibility, select the box for Do not display application icon in the Okta Mobile app.
- Choose Save.
- Assign the application to the required users or groups and configure any other settings on the application in the console as required.
Step 4: Configure Okta for a seamless authentication exchange
With the previous steps complete, launching the Bookmark App redirects the launch action to the Windows AppStream 2.0 client. Without further configuration, the user is presented with the Okta logon page a second time, because the Okta session established in the user's web browser is not shared with the native client.
To make the process seamless, the AppStream 2.0 client can take advantage of the Okta feature Desktop Single Sign-on (DSSO). When DSSO is enabled for the user's Active Directory joined desktop, the Okta logon page that the client loads is satisfied by the user's existing Windows authentication instead of a password prompt, and the client signs into the assigned AppStream 2.0 stack directly. The result is a seamless experience from selecting the AppStream 2.0 application tile in the Okta web interface to launching the application in the native client.
You now have an AppStream 2.0 tile within your Okta portal that automatically launches the selected resource with the AppStream 2.0 client. For users that are on Active Directory joined desktops with Okta DSSO enabled, the handoff from the web tile to the AppStream 2.0 client can be made seamless.
While this blog was written specifically for Okta, the techniques may be applied to other SAML providers. Those providers need to support similar bookmark functionality as well as the ability to provide links directly to application tiles.