Desktop and Application Streaming

Use Amazon AppStream 2.0 application entitlements with Azure AD

This blog post shows you how to use application entitlements with Azure Active Directory (Azure AD) for your AppStream 2.0 stacks.

Customers use Amazon AppStream 2.0 to manage applications centrally and stream them to their end users. With application entitlements, you can control access to specific applications in the AppStream 2.0 application catalog based on SAML assertions. Using this feature, you can also streamline access control across multiple AppStream 2.0 stacks, and reduce the number of fleets and images that you must maintain.

Time to read: 5 minutes
Time to complete: 30 minutes
Cost to complete (estimated): There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.
Learning level: Advanced (300)
Services used: Amazon AppStream 2.0, AWS Identity and Access Management (IAM)

Overview of solution

To demonstrate how application entitlements work, consider the Amazon AppStream 2.0 Sample Image. The sample image has Firefox, Eclipse, Notepad++ and the LibreOffice applications. For this walkthrough, developers require access to Firefox, Eclipse, and Notepad++. Productivity users require access to the LibreOffice applications.

An AppStream 2.0 best practice is to minimize the number of fleets and images. This reduces the number of images to maintain, and minimizes the costs of running fleets.

The goal is for the two groups of users, developers and productivity users to use the same fleet, and the same image to access their applications. Their application catalog will only display the applications for their group.

Application entitlements work by matching a supported SAML attribute name to a value when a SAML 2.0 federated user authenticates. If a user is a member of the as2-developers group, they will have access to Eclipse, Firefox, and Notepad++. If a user is a member of the as2-productivity group, they will have access to the LibreOffice applications.

Application entitlements don’t restrict what the user can access on the streaming instance. If you need to restrict access to an executable, review the blog using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Walkthrough

In this walkthrough, you configure Azure AD to add a principal tag as a SAML attribute to the SAML assertion. The principal tag is based on a user’s group membership for application entitlements.

Prerequisites:

Step 1: Update the IAM role

In IAM, you must update the trust policy on the IAM role that your AppStream 2.0 users assume. Application entitlements are driven by the PrincipalTag session tag, so the role trust policy must allow the sts:TagSession action in addition to sts:AssumeRoleWithSAML.

  1. In the IAM AWS Management Console, choose Roles.
  2. Select the role you created for your AppStream 2.0 users to assume.
  3. Choose Trust relationships, Edit trust relationship.
  4. Update the Action to allow sts:TagSession.
    1. Replace the existing policy document with the following code.
    2. Update <account-id> with your account ID.
    3. Update <saml_provider_name> with the name of your SAML provider.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:saml-provider/<saml_provider_name>"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
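A quick way to confirm that the trust policy is ready for session tags before you move on to Azure AD. This is an added check, not code from the AWS post: it reads a trust policy document and reports any SAML-federated statement that lacks sts:TagSession or the SAML:aud condition. The account ID and provider name in the sample are constructed placeholders.

```python
import json

# Added check (not from the AWS post): a role trust policy for AppStream 2.0
# application entitlements must grant the SAML provider sts:AssumeRoleWithSAML
# and sts:TagSession, and keep the SAML:aud condition. Without sts:TagSession
# the PrincipalTag:groups attribute cannot be applied as a session tag.

REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}
EXPECTED_AUD = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM accepts either a string or a list in Action fields."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict) -> list:
    """Return findings for SAML-federated Allow statements; an empty list means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        federated = stmt.get("Principal", {}).get("Federated")
        if not federated:
            continue  # only SAML-federated statements matter here
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))
        if missing:
            findings.append(f"{federated}: missing {sorted(missing)}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != EXPECTED_AUD:
            findings.append(f"{federated}: SAML:aud is {aud!r}, expected {EXPECTED_AUD!r}")
    return findings


# Constructed sample: the Step 1 trust policy as it looks before sts:TagSession is added.
BEFORE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}""")

if __name__ == "__main__":
    for finding in check_trust_policy(BEFORE):
        print(finding)
```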

Step 2: Update Azure AD enterprise application claims

Now that you have updated the role to allow session tags, you must add them into the SAML assertion. In this step, you add a claim to the SAML assertion with groups as a principal tag with a value of the group name. For more information on the principal tags supported by application entitlement see create application entitlements in the AppStream 2.0 administration guide.

Each user should only be a member of one of the groups. If the user is a member of both groups, you will get the error “Response contains invalid principal tag value.” If your identity provider supports it, you can return a value delimited by a colon for each group. For more information, see the note on create application entitlements in the AppStream 2.0 administration guide.

  1. Open the Azure AD console and navigate to the Enterprise Application for AppStream 2.0.
  2. Under manage, choose Single sign-on.
  3. Under Attributes & Claims, choose Edit.
  4. Choose Add new claim.
  5. Enter the following:
    1. Name: PrincipalTag:groups
    2. Namespace: https://aws.amazon.com/SAML/Attributes
    3. Claim Conditions:
      1. User type: Members
      2. Scoped Groups: as2-productivity
      3. Source: Attribute
      4. Value: "as2-productivity"
  6. Repeat this step for as2-developers.

Step 3: Update the AppStream 2.0 Stack

Update the stack that contains the applications you want to restrict. Using application entitlements does not prevent the user from opening an application; it only hides the application from the application catalog.

  1. Navigate to the AppStream 2.0 Console.
  2. Choose Stacks in the navigation pane.
  3. Choose the Stack associated with the fleet that contains the applications to limit.
  4. Under Application Entitlements, choose Create.
  5. Enter the following:
    1. Name: access_to_as2-productivity
    2. Attribute Name: groups
    3. Attribute Value: as2-productivity
    4. Under Application settings, choose Select Applications
    5. Under Applications, choose each of the applications for LibreOffice (calc, draw, impress, math, writer).
  6. Repeat this step for as2-developers. For the developer applications, choose Firefox, Eclipse, and Notepad++.

Step 4: Enable support for multiple stacks (optional)

Application entitlements also work across multiple stacks. If you have more than one stack with at least one application entitlement, you can update your relay state to remove the reference to the stack and application (if present), as follows. For more information, see SAML 2.0 multi-stack application catalog in the AppStream 2.0 administration guide.

  1. Navigate to the IAM console.
  2. Choose Policies in the navigation pane.
  3. Choose the policy associated to the role your AppStream 2.0 users assume.
  4. Update the resource to include any stack.
    1. Select Permissions, Edit Policy.
    2. Replace the existing policy with the following code.
    3. Update <region-code> with your Region code.
    4. Update <account-id> with your account ID.
  5. In Azure AD, navigate to your enterprise application for AppStream 2.0, and modify the relay state to remove the stack name. The updated format is as follows:
    1. https://relay-state-region-endpoint?accountId=aws-account-id-without-hyphens
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": "arn:aws:appstream:<region-code>:<account-id>:stack/*",
            "Condition": {
                "StringEquals": {
                    "appstream:userId": "${saml:sub}"
                }
            }
        }
    ]
}

Step 5: Test your solution

Add a test user to the groups that correspond to the AppStream 2.0 applications they should access. In this blog, you created two groups – as2-productivity and as2-developers. Each group must have a unique test user.

To test your solution, navigate to the Azure My Apps portal, and choose the AppStream 2.0 enterprise application. You can verify the SAML assertion and the SAML attributes using a SAML decoder, or a browser extension. For example, the assertion for a user in the productivity group will contain the following attribute:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups">
    <AttributeValue>as2-productivity</AttributeValue>
</Attribute>
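If you would rather check the decoded response programmatically than read it in a browser extension, the following added example (not code from the AWS post) decodes a base64 SAML response, extracts the PrincipalTag:groups attribute from Step 2, and resolves which applications the Step 3 entitlements would show. It also flags the case from Step 2 where a user in both groups produces two attribute values; the sample response it builds is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

# Added example, not code from the AWS post: decode a SAML response, read the
# PrincipalTag:groups attribute from Step 2, and resolve the catalog that the Step 3
# entitlements would show. Group and application names are taken from this post.

GROUPS_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups"

# Attribute value -> applications, as configured on the stack in Step 3.
ENTITLEMENTS = {
    "as2-productivity": {"calc", "draw", "impress", "math", "writer"},
    "as2-developers": {"Firefox", "Eclipse", "Notepad++"},
}

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace, if any

def principal_tag_groups(saml_response_b64: str) -> list:
    """Return every AttributeValue of PrincipalTag:groups in the decoded response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for el in root.iter():
        if _local(el.tag) == "Attribute" and el.get("Name") == GROUPS_ATTR:
            values += [(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"]
    return values

def entitled_applications(saml_response_b64: str) -> set:
    """Applications the catalog should show; ValueError where AppStream 2.0 rejects the tag."""
    values = principal_tag_groups(saml_response_b64)
    if len(values) != 1:  # a user in both groups yields two values and is rejected
        raise ValueError("Response contains invalid principal tag value: %r" % values)
    apps = set()
    for group in values[0].split(":"):  # colon-delimited multi-group value, if the IdP emits it
        apps |= ENTITLEMENTS.get(group, set())
    return apps

def sample_response(*groups: str) -> str:
    """Constructed, unsigned SAML response carrying the given PrincipalTag:groups values."""
    vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:AttributeStatement><saml:Attribute Name="%s">%s</saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>' % (GROUPS_ATTR, vals))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(sorted(entitled_applications(sample_response("as2-productivity"))))
```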

Clean up resources

There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.

You can stop your running fleet and delete your active stack to free up resources and to avoid unintended charges to your account. To clean up your resources, follow the guidance to clean up resources in the AppStream 2.0 administration guide.

Conclusion

In this blog, you configured application entitlements using Azure AD claims. A user that is a member of a particular group is only shown the applications they are entitled to in the AppStream 2.0 application catalog.

With or without application entitlements, you can configure an additional SAML attribute to set context for AppStream 2.0 sessions. For more information, see session context in the AppStream 2.0 administration guide.

If you don’t want to restrict the individual applications, but want to use a single identity provider for multiple stacks, review the blog create a single identity provider for all your Amazon AppStream 2.0 stacks with Azure AD.

Application entitlements don’t restrict what the user can access on the streaming instance. If you need to restrict access to an executable, review the blog using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Amazon AppStream 2.0 is a fully managed non-persistent application and desktop streaming service. You can centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can try sample applications at no cost.