Desktop and Application Streaming

Utilize OneLogin with application entitlements for Amazon AppStream 2.0

This blog posts shows you how to use Amazon AppStream 2.0 application entitlements with OneLogin for your AppStream 2.0 stacks.

Customers use Amazon AppStream 2.0 to manage applications centrally, and stream them to their end users. With application entitlements, you can control access to specific applications in the AppStream 2.0 application catalog based on SAML assertions. Using this feature, you can streamline access control to multiple AppStream 2.0 stacks. Using Application entitlements can reduce the number of fleets and images that must be maintained.

Time to read 5 minutes
Time to complete 30 minutes
Cost to complete (estimated) There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.
Learning level Advanced (300)
Services used Amazon AppStream 2.0, AWS Identity and Access Management (IAM)

Overview of Solution

To demonstrate how application entitlements work, consider the Amazon AppStream 2.0 Sample Image. The sample image has Firefox, Eclipse, Notepad++ and the LibreOffice applications. For this walkthrough, contractors require access to Firefox, Eclipse, and Notepad++. Marketing users require access to the LibreOffice applications.

An AppStream 2.0 best practice is to minimize the number of fleets and images. This reduces the number of images to maintain, and minimizes the costs of running fleets.

The first scenario will show how users who are members of the Marketing group will have access to calc, math, and writer. A user with the department attribute of Contractor will have access Eclipse and Notepad++.

Application entitlements work by matching a supported SAML attribute name to a value when a SAML 2.0 federated user authenticates. If a user has a Department attribute of Contractor, they will have access to Eclipse, Firefox, and Notepad++. If a user has a Department attribute of Marketing, they will have access to the LibreOffice applications.

Application entitlements do not restrict what the user can access on the streaming instance. If you need to restrict access to an executable, review the blog .

Walkthrough

This walkthrough shows you how to configure OneLogin to add a principal tag as a SAML attribute to the SAML assertion. The tag is based on a user’s department attribute or group membership for application entitlements.

Prerequisites:

Step 1: Update the IAM role

In IAM, you update the trust policy on the IAM role for your AppStream 2.0 users to assume. Application entitlements require the PrincipalTag.  You must update the role to allow session tags.

  1. In the IAM AWS Console, Choose Roles
  2. Select the role you created for your AppStream 2.0 users to assume.
  3. Choose Trust relationships, Edit trust relationship.
  4. Update the Action to allow sts:TagSession
    1. Replace the existing Policy Document with the following code
    2. Update <account-id> with your account ID.
    3. Update <saml_provider_name> with the name of your SAML provider.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:saml-provider/<saml_provider_name>"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Step 2: Update OneLogin Application

Now that you have updated the role to allow session tags, you must add the them into the SAML assertion. There are multiple ways to grant access to applications. In this step, you configure access using two scenarios, by department, or by group. If a user is a member of a department as well as Active Directory groups the user will see applications that match either rule.

Scenario 1: using the department  attribute in OneLogin

For the first scenario, assume that there are two users. One user with a department of Contractor, and the second user who is a member of the Marketing group in Active Directory.

  1. Open the OneLogin console
  2. Open the Custom Application you created following this resource
  3. Navigate to the Parameters section
  4. Create a custom parameter for the PrincipalTag, by choosing the blue plus button to the right
    1. Enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:department as the Field name, select the Include in SAML assertion check box, and then choose save
    2. Value: Department
  5. Choose Save

Scenario 2: using the group attribute in Active Directory

For this scenario, assume the user is a member of the Marketing Group

  1. Open the OneLogin console
  2. the Custom Application you created following this resource
  3. Navigate to the Parameters section
  4. Create a custom parameter for the PrincipalTag, by choosing the blue plus button to the right
    1. Enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups as the Field name, select the Include in SAML assertion and Multi-value parameter check boxes, and then choose save
    2. Choose Memberof as the defult attribute to use and select AD/LDAP CN Extraction (Multi-value output)
  5. Choose Save

Update OneLogin Custom AppStream Application, with the new relay state

To use the new feature the default relay state will need to be updated to remove any reference to stacks. Navigate to the OneLogin Custom AppStream 2.0 application and update the default relay state to the new format below:

https://relay-state-region-endpoint?accountId=aws-account-id-without-hyphens

Step 3: Update the AppStream 2.0 Stack

  1. Open the AppStream 2.0 console.
  2. Choose Stacks in the navigation pane.
  3. Choose the Stack associated with the fleet that contains the applications you wish to limit.
  4. Under Application Entitlements, choose Create.
  5. Scenario 1 (Using department attribute)
    1. Enter the following:
  1. Attribute Name: department
  • Attribute Value: Contractor
  1. Under Application settings, choose Select Applications
  1. Scenario 2 (Using groups)
    1. Enter the following:
      1. Name: group_ Marketing
      2. Attribute Name: groups
  • Attribute Value: Marketing
  1. Under Application settings, choose Select Applications
  2. Under Applications, choose each of the applications for LibreOffice (calc, math, writer).

Step 4: Test your solution

For scenario one, update the department attribute on the test user and set the department attribute on the user to Contractor. For the second scenario, add a test user to the Marketing active directory group.

To test your solution, navigate to the OneLogin portal and choose the AppStream 2.0 custom application application. You can verify the SAML assertion and the SAML attributes using a SAML decoder, or a browser extension.

For example in scenario one, the user with the department of contractor, will have that attribute.

<Attribute Name=”https://aws.amazon.com/SAML/Attributes/ PrincipalTag:department”> <AttributeValue>Contractor</AttributeValue>

For example in scenario two, the user in the Marketing group, will have that attribute.

<Attribute Name=”https://aws.amazon.com/SAML/Attributes/PrincipalTag:groups”> <AttributeValue>Marketing</AttributeValue>

Clean up resources

There is no additional cost to use application entitlements. You only pay for the streaming resources that you provision plus a small monthly fee per streaming user depending on the operating system chosen. For more information, see the Amazon AppStream 2.0 pricing.

You can stop your running fleet and delete your active stack to free up resources and to avoid unintended charges to your account. To clean up your resources, follow the guidance to clean up resources in the AppStream 2.0 administration guide.

Conclusion

In this blog you configured application entitlements using a OneLogin custom application. A user that is a member of a particular group or department, is only shown the applications they are entitled to in the application catalog.

If a user is a member of multiple groups in Active Directory using the group attribute above, please reach out to OneLogin for additional guidance.

Amazon AppStream 2.0 is a fully managed nonpersistent application and desktop streaming service. You can centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can try sample applications at no cost and get started by visiting the AppStream 2.0 console.