
Set up multi-factor authentication with OneLogin for Amazon WorkSpaces

In this blog, I walk you through configuring Amazon WorkSpaces multi-factor authentication (MFA) with OneLogin.

Solution overview

At a high level, the steps in this blog are:

  1. Configure OneLogin RADIUS for use with Amazon WorkSpaces (Steps 1 to 3 below).
  2. Configure Active Directory Connector for MFA (Step 4).
  3. Test a logon (Step 5).

Prerequisites:

This post assumes you have the following.

  • A OneLogin account.
  • OneLogin Active Directory integration is configured.
  • An existing Active Directory Connector.
  • The public IP addresses for outbound traffic from the Active Directory Connector used by your WorkSpaces. These are the Elastic IP addresses of the resources performing Network Address Translation (NAT) for the subnets in which the AD Connector is deployed, such as NAT Gateways. OneLogin uses them to allow-list the RADIUS clients it will answer, so an incorrect or incomplete list results in silently dropped requests.
  • Familiarity with Amazon WorkSpaces.
  • Familiarity with AWS Directory Service.

Walkthrough

Step 1: Configure OneLogin for RADIUS with Amazon WorkSpaces

Following these steps configures OneLogin to be used as the RADIUS provider for Amazon WorkSpaces MFA.

  1. Log in to your OneLogin console.
  2. Choose Authentication, then select RADIUS.
  3. Choose New Configuration.
  4. Enter a name for your RADIUS configuration. In my example, I use AmazonWorkSpaces.
  5. Create a Secret; do not use special characters in the secret. Use a long, random alphanumeric string: the shared secret is what hides the User-Password attribute on the wire and what ties a reply to the request that caused it.
  6. Make a note of the secret; you need it in Step 4.
  7. In the IP Addresses field, enter the IP addresses that your RADIUS requests originate from. These are the Elastic IP addresses used by the resources performing NAT for the Active Directory Connector for your WorkSpaces.
  8. Save the configuration.
  9. Modify the Credentials section so that OneLogin reads the OneLogin username from User-Name and the one-time password, not an account password, from User-Password:
    1. Set User-Name to “Username”
    2. Set User-Password to “OTP”
  10. Save the changes.

Step 2: Configure an Authentication Factor (optional)

Now we’ll configure an Authentication Factor, and allow users to enroll that Authentication Factor. If you already have one configured, you can skip this step.

  1. Choose the Security tab and select Authentication Factors.
  2. Choose the authenticator you want to use, and select Choose.
  3. Provide a User Description, and optionally a custom icon.
  4. Save the configuration.

Step 3: Enable self-enrollment for users

In this step, you allow users to self-enroll in the authenticator.

  1. Choose the Security tab, and browse to
  2. Select the policy for self-enrollment. You can use the Default Security policy. If you have applied custom policies to your users, modify those instead.
  3. Select the MFA tab, check the box under the Available Factor you added.

Step 4: Configure AD Connector for MFA

Configure AD Connector to use OneLogin for RADIUS

  1. Log in to the AWS Management Console, and open the WorkSpaces console in the Region where your WorkSpaces are deployed.
  2. In the navigation pane, select
  3. Choose your AD Connector directory. Select Action, and Update Details.
  4. Expand the Multi-Factor Authentication
  5. For RADIUS server IP address(es), add the IP addresses listed under the configure NAS section of the OneLogin documentation. As of the time of writing, the IP addresses are 52.34.255.206 and 18.216.23.112; check the current OneLogin documentation before you enter them, because they can change.
  6. Keep the default port, 1812 (UDP).
  7. Enter the shared secret you created in Step 1 in the shared secret fields.
  8. Set the protocol to PAP. OneLogin expects the OTP in the User-Password attribute (the mapping from Step 1), which is only possible with PAP. PAP does not encrypt the attribute; it XORs it with an MD5 keystream derived from the shared secret and the request authenticator, and there is no integrity check on the request. The strength of the shared secret and the source-IP allow list configured in Step 1 are therefore what protect this exchange, and the value exposed if either fails is a one-time code rather than the Active Directory password.
  9. Specify a Server timeout in seconds and Max retries. I use 50 and 10 respectively.
  10. Select Update, and choose Exit. Before testing, confirm that the directory's RADIUS status reports Completed (shown in the Directory Service console, and as RadiusStatus in the output of aws ds describe-directories); a wrong secret or unreachable server leaves it in Failed and every logon is rejected.
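The two halves of the configuration (the secret and the Username/OTP mapping in Step 1, the PAP protocol and port in Step 4) only make sense together once you see the RADIUS packets they describe. The following is an added example, not code from the blog, AWS, or OneLogin: it builds the Access-Request that a RADIUS client such as AD Connector sends, hides the OTP in User-Password exactly as RFC 2865 section 5.2 specifies for PAP, recovers it the way the server does, and verifies the Response Authenticator on the Access-Accept that comes back. The secret, username, OTP and NAS address are constructed values; the attribute set is the minimum for a PAP request, and what AD Connector actually includes is not documented on this page. Nothing is sent over the network.

```python
"""Worked RADIUS PAP exchange: what AD Connector sends to OneLogin and how each side
checks it. Pure standard library; all values are constructed for illustration."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: undo hide_password. Anyone holding the secret and a capture can
    do this too, which is why the secret must be strong. Padding is NUL, so a
    password that itself ends in NUL bytes cannot be represented (OTPs are digits)."""
    padded, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes header) Value; value is capped at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str, otp: str,
                         nas_ip: str, request_authenticator: bytes = None) -> bytes:
    """Client side: Code(1) Identifier(1) Length(2) RequestAuthenticator(16) attributes.
    The Request Authenticator must be fresh and unpredictable per request."""
    ra = request_authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, otp.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(attrs: bytes) -> dict:
    """Walk the TLV list; reject truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: a reply is trusted only if its identifier matches the outstanding
    request and its Response Authenticator recomputes under the shared secret.
    A spoofed Access-Accept, or a reply under the wrong secret, fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Full round trip with constructed values. Returns (OTP as seen by the server,
    Accept verifies under the real secret, Accept verifies under a wrong secret)."""
    secret = b"ExampleSharedSecret123"           # constructed; alphanumeric as Step 1 asks
    request = build_access_request(secret, identifier=7, username="jdoe",
                                   otp="482913", nas_ip="203.0.113.10")
    attrs = parse_attributes(request[20:])
    seen_otp = reveal_password(secret, request[4:20], attrs[ATTR_USER_PASSWORD])
    accept = build_response(secret, request, ACCESS_ACCEPT)
    return seen_otp, verify_response(secret, request, accept), verify_response(b"wrong", request, accept)


if __name__ == "__main__":
    print(demo())
```

The same secret appears on both sides of every function: it is the only key material in the exchange. Point `build_access_request` at a real listener only with a secret and source address that the listener has been configured for, as in Steps 1 and 4; an unlisted source address or a mismatched secret produces no reply at all, which is what a RADIUS timeout in the AD Connector status usually means.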

Step 5: Test a logon

Now test a logon to Amazon WorkSpaces with OneLogin MFA.

  1. Launch the WorkSpaces client and enter the registration code for the directory.
  2. Enter the Active Directory user name and password for a user with a WorkSpace in the directory configured for OneLogin MFA.
  3. Enter the one-time password (OTP) shown in the authenticator method selected in Step 2, and select Sign In.

That’s it! You have configured OneLogin RADIUS for MFA with Amazon WorkSpaces.

Cleaning up

If you use Amazon WorkSpaces, you will not be charged an additional fee for AD Connector directories registered with WorkSpaces, as long as you have active WorkSpaces users. To qualify for free usage of AD Connector, you must have at least one active user per month for small directories and at least 100 active users per month for large directories. For more information on AD Connector pricing, and on pricing for the other directory types, review the AWS Directory Service pricing page.

To remove this configuration, repeat step 4 and remove the MFA configuration for the directory.

Depending upon your plan with OneLogin, you may pay extra for directory synchronization and MFA. Remove these features from your OneLogin account to avoid future charges for these services.

Conclusion

To increase security for WorkSpaces users, you can enable multi-factor authentication (MFA) in the WorkSpaces logon process. In this blog, you walked through configuring MFA with OneLogin RADIUS for Amazon WorkSpaces.