Set up multi-factor authentication with OneLogin for Amazon WorkSpaces
In this blog, I walk you through configuring Amazon WorkSpaces multi-factor authentication (MFA) with OneLogin.
The steps to work through this blog are:
- Configure OneLogin RADIUS for use with Amazon WorkSpaces.
- Configure Active Directory Connector for MFA.
- Test logon.
This post assumes you have the following.
- A OneLogin account.
- OneLogin Active Directory integration is configured.
- An existing Active Directory Connector.
- The public IP addresses for outbound traffic from your Active Directory Connector for your WorkSpaces. These will be the Elastic IP addresses used by the resources performing Network Address Translation (NAT) for the subnets where the AD Connector is deployed, such as NAT Gateways.
- Familiarity with Amazon WorkSpaces.
- Familiarity with AWS Directory Service.
Step 1: Configure OneLogin for RADIUS with Amazon WorkSpaces
Following these steps configures OneLogin to be used as the RADIUS provider for Amazon WorkSpaces MFA.
- Log in to your OneLogin console.
- Choose Authentication, then select RADIUS.
- Choose New Configuration.
- Enter a name for your RADIUS configuration. In my example, I use AmazonWorkSpaces
- Create a Secret; do not use special characters in the secret.
- Make a note of the secret, you need this in Step 4.
- In the IP Addresses field, enter the IP addresses that your RADIUS requests will come from. These will be the Elastic IP addresses used by the resources performing NAT for the Active Directory Connector for your WorkSpaces.
- Save the configuration.
- Modify the Credentials section for User-Name and User-Password.
- Set User-Name to “Username”
- Set User-Password to “OTP”
- Save the changes.
Step 2: Configure an Authentication Factor (optional)
Now we’ll configure an Authentication Factor, and allow users to enroll that Authentication Factor. If you already have one configured, you can skip this step.
- Choose the Security tab and select Authentication Factors.
- Choose the authenticator you want to use, and select “choose”
- Provide a User Description, and optionally a custom icon.
- Save the configuration.
Step 3: Enable self-enrollment for users
In this step, you allow users to self-enroll in the authenticator.
- Choose the Security tab, and browse to
- Select the policy for self-enrollment. You can use the Default Security policy. If you have applied custom policies to your users, modify those instead.
- Select the MFA tab, check the box under the Available Factor you added.
Step 4: Configure AD Connector for MFA
Configure AD Connector to use OneLogin for RADIUS
- Log in to the AWS Management Console, and select the WorkSpaces console in the Region that your WorkSpaces are deployed.
- In the navigation pane, select
- Choose your AD Connector directory. Select Action, and Update Details.
- Expand the Multi-Factor Authentication
- For RADIUS server IP address(es), add the IP addresses listed under the configure NAS section of the OneLogin documentation. As of the time of writing, the IP addresses are 22.214.171.124 and 126.96.36.199.
- Keep the port as default 1812.
- Enter the shared secret you created in step 1 in the shared secret fields.
- Set the protocol as PAP.
- Specify a Server timeout in seconds and Max retries. I use 50 and 10 respectively.
- Select Update, and choose Exit.
Step 5: Test a logon
Now test a logon to Amazon WorkSpaces with OneLogin MFA.
- Launch the WorkSpaces client and enter the registration code for the directory .
- Enter the Active Directory user name and password for a user with a WorkSpace in the directory configured for OneLogin MFA.
- Enter the one time password (OTP) shown in the authenticator method selected in step 2, and select Sign In.
That’s it! You have configured OneLogin RADIUS for MFA with Amazon WorkSpaces.
If you use Amazon WorkSpaces, you will not be charged an additional fee for AD Connector directories registered with these services, as long as you have active users of Amazon WorkSpaces. In order to qualify for free usage of AD Connector, you must have at least one active user for small directories each month and at least 100 active users for large directories each month. For more information on AD Connector pricing, review the other directory types pricing.
To remove this configuration, repeat step 4 and remove the MFA configuration for the directory.
Depending upon your plan with OneLogin, you may pay extra for directory synchronization and MFA. Remove these features from your OneLogin account to avoid future charges for these services.
To increase security for WorkSpaces users, you can enable multi-factor authentication (MFA) in the WorkSpaces logon process. In this blog, you walked through configuring MFA with OneLogin RADIUS for Amazon WorkSpaces.