Desktop and Application Streaming

Using Amazon AppStream 2.0 application entitlements with Google Workspace

This blog post shows you how to use application entitlements with Google Workspace authentication for your AppStream 2.0 stacks.

Customers use Amazon AppStream 2.0 to manage applications centrally and stream them to their end users. With application entitlements, you can control access to specific applications in the AppStream 2.0 application catalog based on SAML assertions. The feature also streamlines access control across multiple AppStream 2.0 stacks, and it can reduce the number of fleets and images that must be maintained.

Time to read: 10 minutes
Time to complete: 30 minutes
Cost to complete (estimated): There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.
Learning level: Advanced (300)
Services used

Amazon AppStream 2.0

AWS Identity and Access Management

Overview of solution

An AppStream 2.0 best practice is to minimize the number of fleets and images. This reduces the number of images to maintain, and minimizes the costs of running fleets.

To demonstrate how application entitlements work, this post uses the Amazon AppStream 2.0 Sample Image, which includes the Firefox, Eclipse, Notepad++, Calc, and Writer applications. Application entitlements work by matching a supported SAML attribute name and value in the assertion when a SAML 2.0 federated user authenticates.

For this walkthrough, we show you how to allow users from different departments access to different sets of applications.

Let's say there are two departments, IT and HR. The users in the IT department will have access to Firefox, Eclipse, and Notepad++. The users in the HR department will have access to Calc and Writer.

We demonstrate two ways of setting the application entitlement:

  1. Using the department attribute in the directory user profile.
  2. If the department attribute is already in use for something else, defining a custom attribute.

Note that application entitlements do not restrict what the user can access on the streaming instance. If you must restrict access to an executable, review the blog post Using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Walkthrough

In this walkthrough, you configure Google Workspace to add a custom attribute, or use the department attribute, to populate the application entitlements. You also add a principal tag as a SAML attribute in the SAML assertion. The principal tag is based on a user's department attribute and drives the application entitlements.

Prerequisites:

Step 1: Update the IAM role

In IAM, you must update the trust policy of the IAM role that your AppStream 2.0 users assume. Application entitlements are delivered as the PrincipalTag session tag, so the role trust policy must allow the sts:TagSession action in addition to sts:AssumeRoleWithSAML.

  1. In the IAM AWS Management Console, choose Roles.
  2. Select the role that you created for your AppStream 2.0 users to assume.
  3. Choose Trust relationships, Edit trust relationship.
  4. Update the Action to allow sts:TagSession:
    1. Replace the existing policy document with the following code.
    2. Update <account-id> with your account ID.
    3. Update <saml_provider_name> with the name of your SAML provider.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:saml-provider/<saml_provider_name>"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:sub_type": "persistent"
        }
      }
    }
  ]
}

Step 2: Update Google Workspace directory attributes

In this step, you configure entitlements for the Google Workspace directory attributes. You can use the existing Department attribute or add a custom attribute to define the entitlements.

Scenario 1: Using the existing department attribute in the directory user profile

    1. Sign in to your Google Admin console using an account that has super administrator permissions.
    2. Under the Directory section, select Users.
    3. Select the user to whom you want to add the department attribute value.
    4. On the user's account page, expand User information.
    5. Select the Department attribute.
    6. Add the entitlement value, for example: as2-entitlements-it. You can also add multiple entitlement values separated by a colon, for example: as2-entitlements-it:as2-entitlements-hr.
    7. Select Save.

Scenario 2: Using a custom attribute and populating it with attribute values

    1. Sign in to your Google Admin console using an account that has super administrator permissions.
    2. Under the Directory section, select Users.
    3. Under More options, select Manage custom attributes.
    4. Click the "SAML-USER-ATTRIBUTES" custom attribute to update the existing category.
    5. Configure the custom attribute as follows:
      For Custom fields, enter the following:
      Name: Entitlement
      Info type: Text
      Visibility: Visible to user and admin
      No. of values: Single-value
    6. Select Save.

Now add values to the custom attribute.

    1. Sign in to your Google Admin console using an account that has super administrator permissions.
    2. In the Directory section, select Users.
    3. Select the user you want to add the custom attribute values to.
    4. On the user’s account page, expand User information.
    5. Select the Entitlement attribute.
    6. Add the entitlement value, for example: as2-entitlements-it. You can also add multiple entitlement values separated by a colon, for example: as2-entitlements-it:as2-entitlements-hr.
    7. Select Save.

Step 3: Create the attribute mapping in Web SAML Application

    1. Sign in to your Google Admin console using an account that has super administrator permissions.
    2. Select Apps, choose Web and Mobile apps.
    3. Select Amazon Web Services to open the app.
    4. Choose SAML attribute mapping.
    5. Select Add Mapping to add an additional SAML attribute mapping.
    6. If you are setting entitlements based on the department attribute in the directory user profile (scenario 1), in the select field dropdown under Google Directory Attribute, choose Department. For App attributes, enter: https://aws.amazon.com/SAML/Attributes/PrincipalTag:department
    7. If you are using a custom attribute (scenario 2), in the select field dropdown under Google Directory Attribute, choose Entitlement. For App attributes, enter: https://aws.amazon.com/SAML/Attributes/PrincipalTag:department

Step 4: Configure an AppStream Relay State URL in Web SAML Application

    1. Sign in to your Google Admin console using an account that has super administrator permissions.
    2. Go to Apps, select Web and Mobile apps.
    3. Select Amazon Web Services to open the app.
    4. Expand the Service Provider details page.
    5. Enter the relay state URL in the Start URL field. Replace <region> and <aws-account-id> with your values: https://appstream2.<region>.aws.amazon.com/saml?accountId=<aws-account-id>

Step 5: Update the AppStream 2.0 Stack

Update the stack that contains the applications you want to restrict. Application entitlements do not prevent a user from opening an application on the streaming instance; they hide the applications the user is not entitled to from the application catalog.

    1. Navigate to the AppStream 2.0 console.
    2. Choose Stacks in the navigation pane.
    3. Select the Stack associated with the fleet that contains the applications to limit.
    4. Under Application Entitlements, choose Create and enter the following:
      a. Name: access-dept-entitlements-it
      b. Attribute name: Department
      c. Attribute value: as2-entitlements-it
      d. Under Application settings, choose Select Applications.
      e. Choose each of the applications (Firefox, Eclipse, and Notepad++).

Repeat this step for the attribute value as2-entitlements-hr. For the HR department applications, choose Calc and Writer.

Step 6: Enable support for multiple stacks

Application entitlements also support a multi-stack catalog. If you have more than one stack with at least one application entitlement, you can update your relay state to remove the reference to the stack and application (if present), as follows. For more information, see SAML 2.0 Multi-Stack Application Catalog in the AppStream 2.0 Administration Guide.

    1. Navigate to the IAM console.
    2. Choose Policies in the navigation pane.
    3. Select the policy attached to the role that your AppStream 2.0 users assume.
    4. Update the Resource to include any stack (stack/*):
    5. Choose Permissions, Edit policy.
    6. Replace the existing policy with the following code.
    7. Update <region-code> with your Region code.
    8. Update <account-id> with your account ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": "arn:aws:appstream:<region-code>:<account-id>:stack/*",
            "Condition": {
                "StringEquals": {
                    "appstream:userId": "${saml:sub}"
                }
            }
        }
    ]
}
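The two policy documents in Step 1 and Step 6 are where a small omission either breaks federation or widens it: without sts:TagSession in the trust policy, STS rejects an assertion that carries PrincipalTag attributes, and the stack/* resource in Step 6 is only as tight as the appstream:userId = ${saml:sub} condition that keeps each federated user scoped to their own streaming sessions. The following Python script is an added example, not code from this post or from AWS. It loads constructed copies of the two policies (the <...> placeholders are kept exactly as the post shows them), runs one check over each, and includes two helpers that produce a deliberately broken copy so the findings can be seen. The wording of the findings, and the extra check that the Federated principal is a saml-provider ARN, are the example's own choices.

```python
import copy
import json

# Constructed copies of the Step 1 trust policy and the Step 6 permissions
# policy; placeholders are left exactly as the post writes them.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::<account-id>:saml-provider/<saml_provider_name>"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
    "Condition": {"StringEquals": {"SAML:sub_type": "persistent"}}
  }]
}
""")

STREAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "appstream:Stream",
    "Resource": "arn:aws:appstream:<region-code>:<account-id>:stack/*",
    "Condition": {"StringEquals": {"appstream:userId": "${saml:sub}"}}
  }]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Findings for the role trust policy; an empty list means it passes.
    Entitlements arrive as session tags, which STS only accepts when the
    trust policy allows sts:TagSession next to sts:AssumeRoleWithSAML."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerolewithsaml" not in actions:
            continue  # not a SAML federation statement
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(":saml-provider/" in arn for arn in federated):
            findings.append(f"statement {i}: principal is not a SAML provider ARN")
        if "sts:tagsession" not in actions:
            findings.append(f"statement {i}: sts:TagSession missing; PrincipalTag attributes will be rejected")
        sub_type = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:sub_type")
        if sub_type != "persistent":
            findings.append(f"statement {i}: SAML:sub_type is not pinned to 'persistent'")
    return findings


def check_stream_policy(policy):
    """Findings for the permissions policy. With Resource widened to stack/*
    (multi-stack catalog), every appstream:Stream grant must stay bound to the
    federated user's own identity through appstream:userId = ${saml:sub}."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not any(a in ("appstream:stream", "appstream:*", "*") for a in actions):
            continue
        user_id = stmt.get("Condition", {}).get("StringEquals", {}).get("appstream:userId")
        if user_id != "${saml:sub}":
            findings.append(f"statement {i}: appstream:Stream is not conditioned on appstream:userId = ${{saml:sub}}")
        if not all(":stack/" in r for r in _as_list(stmt.get("Resource"))):
            findings.append(f"statement {i}: resource is not restricted to AppStream stacks")
    return findings


def without_action(policy, action):
    """Copy of the policy with one action removed, to show a failing trust policy."""
    clone = copy.deepcopy(policy)
    for stmt in clone["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt.get("Action")) if a != action]
    return clone


def without_condition(policy):
    """Copy of the policy with every Condition block dropped, to show an over-broad grant."""
    clone = copy.deepcopy(policy)
    for stmt in clone["Statement"]:
        stmt.pop("Condition", None)
    return clone


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "ok")
    print("trust policy without TagSession:", check_trust_policy(without_action(TRUST_POLICY, "sts:TagSession")))
    print("stream policy:", check_stream_policy(STREAM_POLICY) or "ok")
    print("stream policy without condition:", check_stream_policy(without_condition(STREAM_POLICY)))
```

Run it against a policy document before pasting it into the console, or against the JSON returned by the AWS CLI (for example the AssumeRolePolicyDocument from aws iam get-role); the script itself makes no AWS calls.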

Step 7: Test your solution

In this blog, you mapped the user to the IT department using "as2-entitlements-it" as the department attribute value.

To test your solution, navigate to the Google account RelayState URL to open the Amazon Web Services application:

https://accounts.google.com/o/saml2/initsso?idpid=<idp_id>&spid=<sp_id>&forceauthn=false

After a successful sign-in, you can verify the SAML assertion and the SAML attributes using a SAML decoder or a browser extension. For example, a user in the IT group will have the following attribute:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:department">
  <AttributeValue>as2-entitlements-it</AttributeValue>
</Attribute>

Following the same steps above, log on again using a user in the HR department. The SAML assertion should contain the following attribute name and value:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:department">
  <AttributeValue>as2-entitlements-hr</AttributeValue>
</Attribute>
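To check the assertion mechanically rather than by eye, and to see how the colon-separated multi-value format from Step 2 lines up with the entitlements created in Step 5, here is an added Python example. It is not part of the post and not how AppStream implements the matching internally. It builds a constructed, minimal, unsigned assertion containing only an AttributeStatement, extracts every PrincipalTag attribute, splits the values on ":" and reports which entitlements match and which applications the catalog would show. The user alice@example.com and the case-sensitive exact-match rule are assumptions of the example; signature, Subject and Conditions validation are outside its scope and belong to the SAML library that processes the real response.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Entitlements as configured on the stack in Step 5 (names, values and
# application lists are taken from the post).
ENTITLEMENTS = [
    {"name": "access-dept-entitlements-it", "attribute": "department",
     "value": "as2-entitlements-it", "applications": {"Firefox", "Eclipse", "Notepad++"}},
    {"name": "access-dept-entitlements-hr", "attribute": "department",
     "value": "as2-entitlements-hr", "applications": {"Calc", "Writer"}},
]


def build_assertion(department_value, user="alice@example.com"):
    """Constructed minimal assertion carrying only the attributes this check needs.
    Signature, Subject and Conditions are deliberately omitted (see lead-in)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>{user}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{PRINCIPAL_TAG_PREFIX}department">
      <saml:AttributeValue>{department_value}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def principal_tags(assertion_xml):
    """Map of PrincipalTag key (lower-cased) -> list of raw attribute values.
    Attributes without the PrincipalTag prefix (Role, RoleSessionName, ...) are ignored."""
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(PRINCIPAL_TAG_PREFIX):
            continue
        key = name[len(PRINCIPAL_TAG_PREFIX):].lower()
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        tags.setdefault(key, []).extend(values)
    return tags


def entitlement_values(tags, attribute):
    """Split each tag value on ':' so 'as2-entitlements-it:as2-entitlements-hr'
    yields both tokens, matching the multi-value format described in Step 2."""
    return {tok.strip()
            for raw in tags.get(attribute.lower(), [])
            for tok in raw.split(":") if tok.strip()}


def matched_entitlements(tags, entitlements=ENTITLEMENTS):
    """Names of the stack entitlements whose value appears in the user's tags.
    Comparison is exact and case-sensitive (an assumption of this example)."""
    return [e["name"] for e in entitlements
            if e["value"] in entitlement_values(tags, e["attribute"])]


def visible_applications(tags, entitlements=ENTITLEMENTS):
    """Union of the applications behind every matched entitlement, i.e. what the
    catalog would show; an empty set means the user sees nothing."""
    apps = set()
    for e in entitlements:
        if e["value"] in entitlement_values(tags, e["attribute"]):
            apps |= e["applications"]
    return apps


if __name__ == "__main__":
    for value in ("as2-entitlements-it", "as2-entitlements-it:as2-entitlements-hr", "as2-entitlements-sales"):
        tags = principal_tags(build_assertion(value))
        print(value, "->", matched_entitlements(tags), sorted(visible_applications(tags)))
```

To run it over a real assertion, base64-decode the SAMLResponse your browser extension captured and pass the Assertion element's XML to principal_tags in place of build_assertion; the department value must be exactly one of the entitlement values, so a stray space or different capitalisation in the directory attribute shows up here as an empty catalog.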

Cleaning up

There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.

You can stop your running fleet and delete your active stack to avoid unintended charges to your account. To clean up your resources, follow the guidance to clean up resources in the AppStream 2.0 administration guide.

Conclusion

In this blog, you configured application entitlements using Google Workspace claims. A user that is a member of a particular department is only shown the applications they are entitled to in the AppStream 2.0 application catalog.

With or without application entitlements, you can configure an additional SAML attribute to set context for AppStream 2.0 sessions. For more information, see session context in the AppStream 2.0 administration guide.

Application entitlements don’t restrict what the user can access on the streaming instance. If you need to restrict access to an executable, review the blog using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0.

Amazon AppStream 2.0 is a fully managed nonpersistent application and desktop streaming service. You can centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can try sample applications at no cost.

Authors

Muni Doddala is a Solutions Architect with AWS's Higher Education team. He has been working with the AWS Cloud for more than seven years and enjoys working with customers to understand the customer's challenges and collaborating with the customer to build optimal solutions. Outside of work, he enjoys travel and the outdoors.
Mulalo Matamela is a Cloud Infrastructure Architect with AWS. He has been working with the AWS Cloud for more than four years and is passionate about identities and automation. In his spare time, he enjoys spending time with his family.