Desktop and Application Streaming

SAML 2.0 and certificate-based authentication now available with Amazon WorkSpaces

Amazon WorkSpaces now supports SAML 2.0 and certificate-based authentication (CBA). SAML 2.0 authentication enables a consistent and familiar experience for end users. It allows you to extend security features available from your SAML 2.0 identity provider (IdP) to WorkSpaces, including multi-factor authentication (MFA) and contextual access. With CBA, you provide end users with a single sign-on experience to access domain-joined WorkSpaces desktop sessions. In this blog post, I outline the benefits of SAML 2.0 authentication with CBA. The post also provides a high-level view of the architecture of WorkSpaces SAML 2.0 and CBA authentication and the step-by-step authentication workflow.

Multi-factor authentication (MFA) to access Amazon WorkSpaces

Amazon WorkSpaces continues to support multi-factor authentication (MFA) by integrating Remote Authentication Dial-In User Service (RADIUS) infrastructure hosted on-premises or on Amazon EC2. As organizations migrate their workforce identities to the cloud, they rely more on the authentication features of their IdP to provide access to work resources. These features include additional MFA solutions, devices that use FIDO2, WebAuthn, and CTAP, as well as contextual access and passwordless authentication. Are you planning to retire RADIUS infrastructure and standardize your workforce identity posture using your IdP? You can now apply those standards to Amazon WorkSpaces.

SAML 2.0 and CBA with Amazon WorkSpaces

With SAML 2.0 authentication, you can attach your IdP workforce identities to the WorkSpaces authentication workflow. WorkSpaces continues to use AWS Directory Service to integrate with your Microsoft Active Directory to store and manage information for your WorkSpaces and users. Therefore, your users must authenticate to multiple systems, your Active Directory and the IdP, to access and utilize their WorkSpaces. With CBA, you can streamline this experience for your users. With CBA, you map your IdP workforce identities to the corresponding Active Directory users and WorkSpaces resources. Users authenticate automatically without interruption or password prompts. By using SAML 2.0 integration with CBA, you provide a single sign-on experience, while incorporating your cloud workforce identity security posture through your SAML 2.0 IdP.

AWS Private Certificate Authority (AWS Private CA) short-lived certificates

CBA integrates with AWS Private Certificate Authority (AWS Private CA) to automatically issue short-lived certificates when users sign in to their WorkSpaces. AWS Private CA is a highly available, pay-as-you-go private CA service without the upfront investment and ongoing maintenance costs of operating your own public key infrastructure (PKI) in the cloud. CBA uses AWS Private CA’s recently launched short-lived certificate mode to rotate user certificates on a daily basis. With AWS Private CA, CBA enables you to reduce the validity period for end user credentials, without the need for password or manual certificate administration. You can configure a private CA as a third-party root CA in Active Directory or as a subordinate to your existing enterprise CA. WorkSpaces CBA with AWS Private CA can provide rapid deployment of end user certificates to seamlessly authenticate your workforce identities.

WorkSpaces SAML 2.0 and CBA authentication workflow

The following diagram illustrates your end-to-end user authentication flow from the initial browser request through SAML 2.0 and Active Directory authentication using CBA.

SAML 2.0 and CBA Authentication Workflow with AWS Private CA

  1. Navigate to the start URL for the SAML 2.0 identity provider using your default browser by selecting Sign In on the WorkSpaces client application.
  2. Authenticate to the SAML 2.0 identity provider. Authentication requirements are governed by the provider.
  3. As a SAML 2.0 federated user, you are authorized to stream WorkSpaces resources provisioned for you.
  4. Based on attributes in the SAML assertion, WorkSpaces requests and is issued a short-lived certificate from AWS Private CA, signed by the private CA root certificate.
  5. WorkSpaces publishes the short-lived certificate to your desktop.
  6. WorkSpaces seamlessly authenticates you to Active Directory using the short-lived certificate.
  7. You are signed in to your WorkSpaces desktop.

Note: As a prerequisite to use CBA authentication, you must publish your private CA root certificate to your Active Directory Trusted Root Certification Authorities and Enterprise NTAuth stores.
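
The following script is an added example, not part of the original post or AWS tooling: it checks on a domain-joined Windows host that the private CA root certificate is present in both stores named in the note, and can optionally publish it first with `certutil -dspublish`. The certificate path is a hypothetical placeholder, and the registry location is where a domain member caches the Enterprise NTAuth store.

```powershell
# Added example (not from the original post): verify the CBA prerequisite on a
# domain-joined Windows host. The default certificate path is a hypothetical placeholder.
param(
    [string]$RootCertPath = 'C:\temp\private-ca-root.cer',  # exported private CA root (assumed path)
    [switch]$Publish                                         # publish to AD first (needs Enterprise Admin)
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath
$thumb = $cert.Thumbprint

if ($Publish) {
    # Write the certificate to the AD configuration partition: root CA container and NTAuth object.
    certutil -dspublish -f $RootCertPath RootCA
    certutil -dspublish -f $RootCertPath NTAuthCA
    # Refresh Group Policy so this machine pulls the updated enterprise stores.
    gpupdate /force | Out-Null
}

# Local locations where a domain member exposes the two stores from the prerequisite.
$checks = [ordered]@{
    'Trusted Root Certification Authorities' = "Cert:\LocalMachine\Root\$thumb"
    'Enterprise NTAuth'                      = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$thumb"
}

$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{
        Store      = $name
        Thumbprint = $thumb
        Present    = Test-Path $checks[$name]
    }
}
$results | Format-Table -AutoSize

# A root outside its validity window breaks chain building even when it is in both stores.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Root certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Non-zero exit code when either store is missing the certificate, for use in automation.
if ($results.Present -contains $false) { exit 1 }
```

Run the check on a domain controller as well as on a WorkSpace, since both need the updated stores for certificate logon to succeed.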


In this post, you learned about the benefits of using SAML 2.0 and CBA authentication with Amazon WorkSpaces and the additional capabilities this feature unlocks. We reviewed the architecture and the authentication workflow. Learn more about how to get started with WorkSpaces SAML 2.0 and CBA authentication by visiting the WorkSpaces Administration Guide.

Tushar Dhanani is a Sr. End User Computing (EUC) Specialist Solutions Architect. Tushar enjoys diving deep into all things EUC and has been with AWS since early 2019. In his free time, Tushar enjoys playing the piano, working out, and trying new vegan recipes.