WorkLink is configurable to work with a wide variety of architectures. This automated POC provides a working configuration with everything needed to get started as quickly as possible. You can choose to walk through each step or focus only on the parts that are relevant to your environment.

Pre-requisites:
  • Administrator access to an AWS account suitable for setting up a POC. Admin access must include US-EAST-1.
  • A hosted zone in Route 53 for a domain you own. (Example: mycompany.com). The WorkLink POC will create a sample site using this domain during Part 2. 
  • SSH key pair stored in the AWS console.

To use a domain with Amazon WorkLink, administrators must prove ownership of the domain. This requirement protects user privacy and company security by ensuring that only traffic for domains you have associated with WorkLink is routed through AWS. This step-by-step guide describes creating a certificate in AWS Certificate Manager (ACM), which is used to prove domain ownership.

Pre-requisites:

You need to complete these pre-requisites before proving ownership of the domain:

  • Administrative access to the AWS console with privileges to create a certificate in AWS Certificate Manager in US-EAST-1
  • Permissions to create a public CNAME record in Route 53
  • A public hosted zone in Route 53 for the domain that you own.
  • Permissions to create a record set in the hosted zone.

Note: It’s possible to validate ownership of domains using other methods, such as importing certificates or by using other DNS providers. However, this guide does not cover these cases. For more information on Amazon WorkLink, see Getting started with Amazon WorkLink. 

Setup Instructions:

1. Navigate to AWS Certificate Manager Console in US-EAST-1. In the Provision certificates section click Get Started.

2. Request a public certificate.

3. Add a domain name that you own. Choose a domain for which you can create a CNAME record (detailed below in Part 1, Step 8).

4. Select the DNS validation method and confirm.

5. Copy the CNAME values presented in the validation dialogue. Then choose Complete.

6. Navigate to Route 53 in the console.

7. Choose the hosted zone for your domain and choose Create Record Set.

8. Enter the values obtained from Certificate Manager (Name, Type CNAME, and Value) to create the new record set. The record name must be inside the hosted zone you selected; a record created in any other zone will never be seen by ACM.

9. Return to the certificate manager page to await certificate issuance.

Verification

After a period of time (5-30 minutes) your certificate will be ready to use for setting up Amazon WorkLink. The console indicates when the certificate is issued. With this, you have completed the domain verification step. Copy the certificate ARN for later use in the Amazon WorkLink setup; it should be of the form arn:aws:acm:us-east-1:ACCOUNT:certificate/ID, since WorkLink requires the certificate to live in US-EAST-1.

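The same flow driven through the AWS API instead of the console, as an added example that is not part of the original guide. It reads the validation CNAME out of ACM's DescribeCertificate response, refuses to build a Route 53 change for a record that does not belong to the hosted zone you chose (the usual reason validation never completes), and checks that the certificate ARN is in us-east-1. The describe_certificate response, the account ID and the domain worklinkpoc.example.com are constructed samples; run_part1 assumes boto3 is installed and credentialed and is the only part that talks to AWS, everything else runs offline.

```python
# Added example (not part of the original guide): Part 1 as code.
import time

ACM_VALIDATION_SUFFIX = "acm-validations.aws."


def certificate_region(cert_arn):
    """Return the region of an ACM ARN (arn:aws:acm:REGION:ACCOUNT:certificate/ID).

    WorkLink needs the certificate in us-east-1; catching a wrong-region ARN
    here beats a failed associate-domain call later.
    """
    parts = cert_arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError("not an ACM certificate ARN: %r" % cert_arn)
    return parts[3]


def validation_records(describe_response):
    """Extract the DNS validation CNAME(s) from acm.describe_certificate() output."""
    records = []
    for opt in describe_response["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr is None:
            continue  # ACM has not generated the record yet; poll again
        if rr.get("Type") != "CNAME":
            raise ValueError("unexpected validation record type: %r" % rr.get("Type"))
        records.append({"Name": rr["Name"], "Value": rr["Value"]})
    return records


def record_in_zone(record_name, zone_name):
    """True when record_name is at or under zone_name (case and trailing dots ignored)."""
    rn = record_name.lower().rstrip(".")
    zn = zone_name.lower().rstrip(".")
    return rn == zn or rn.endswith("." + zn)


def build_change_batch(records, zone_name, ttl=300):
    """Route 53 ChangeBatch that UPSERTs each validation CNAME into zone_name.

    Refuses records outside the zone and targets that are not ACM validation
    names, so a mistake fails here instead of after a 30 minute wait.
    """
    changes = []
    for rec in records:
        if not record_in_zone(rec["Name"], zone_name):
            raise ValueError("%s is not inside hosted zone %s" % (rec["Name"], zone_name))
        if not rec["Value"].endswith(ACM_VALIDATION_SUFFIX):
            raise ValueError("validation target %s is not an ACM name" % rec["Value"])
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rec["Name"],
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": rec["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


# Constructed sample shaped like a real describe_certificate() response;
# account ID, certificate ID and record names are placeholders.
SAMPLE_DESCRIBE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "DomainName": "worklinkpoc.example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "worklinkpoc.example.com",
        "ValidationMethod": "DNS",
        "ResourceRecord": {
            "Name": "_0a1b2c3d4e5f60718293a4b5c6d7e8f9.worklinkpoc.example.com.",
            "Type": "CNAME",
            "Value": "_f9e8d7c6b5a49382716050f4e3d2c1b0.acm-validations.aws.",
        },
    }],
}}


def run_part1(domain, hosted_zone_id, zone_name, region="us-east-1"):
    """Console steps 1-9 with boto3 (assumed installed and credentialed)."""
    import boto3  # imported here so the offline helpers above need no SDK
    acm = boto3.client("acm", region_name=region)
    r53 = boto3.client("route53")
    arn = acm.request_certificate(DomainName=domain, ValidationMethod="DNS")["CertificateArn"]
    records = []
    while not records:  # ResourceRecord shows up a few seconds after the request
        time.sleep(5)
        records = validation_records(acm.describe_certificate(CertificateArn=arn))
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                    ChangeBatch=build_change_batch(records, zone_name))
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)  # polls until ISSUED
    return arn


if __name__ == "__main__":
    recs = validation_records(SAMPLE_DESCRIBE)
    print(certificate_region(SAMPLE_DESCRIBE["Certificate"]["CertificateArn"]))
    print(build_change_batch(recs, "example.com"))
```

For a real run, call run_part1("worklinkpoc.example.com", "ZONEID", "example.com") with your own hosted zone; the returned ARN is the value Part 2 asks for as CertARN.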
This document provides a step-by-step guide on how to use CloudFormation to set up the infrastructure required to evaluate the onboarding process for Amazon WorkLink. It also shows how Amazon WorkLink works in an account you control.

Pre-requisites:

Before you perform the steps in the document, obtain the following:

  • Administrator access to an AWS account suitable for setting up a POC
  • Amazon WorkLink POC CloudFormation template
  • A certificate in AWS Certificate Manager for the domain you want to use as your POC site
  • SSH key pair stored in the AWS console

Note: The Amazon WorkLink POC CloudFormation template creates a number of resources in the account where it is deployed (VPC, EC2 instance, security group, IAM role, private hosted zone, and so on). These resources incur charges while they exist; the full list is shown on the stack's Resources tab in the CloudFormation console. The EC2 instance role is granted WorkLink administrative permissions so that the instance's boot script can create the fleet itself. That is acceptable in an isolated POC account, not in a shared one.

Setup Instructions:

1. Navigate to CloudFormation in the AWS Console. Choose Create Stack.

2. Choose Upload a template file and select the POC template. The template used in this guide is reproduced below.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  WorkLinkPOCVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      CidrBlock: 10.0.0.0/16
  WorkLinkPOCSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId:
        Ref: WorkLinkPOCVPC
      CidrBlock: 10.0.0.0/24
  WorkLinkPOCServer:
    Type: 'AWS::EC2::Instance'
    Properties:
      IamInstanceProfile:
        Ref: WorkLinkPOCInstanceProfile
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AWSRegionArch2AMI
          -
            Ref: 'AWS::Region'
          -
            'Fn::FindInMap':
              - AWSInstanceType2Arch
              -
                Ref: InstanceType
              - Arch
      KeyName:
        Ref: KeyName
      NetworkInterfaces:
        -
          GroupSet:
            -
              Ref: WorkLinkPOCSG
          AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          DeleteOnTermination: 'true'
          SubnetId:
            Ref: WorkLinkPOCSubnet
      UserData:
        Fn::Base64: !Sub | 
          #!/bin/bash -xe
          yum install -y aws-cfn-bootstrap
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WorkLinkPOCServer --configsets All --region ${AWS::Region}
          /opt/aws/bin/cfn-signal -e $?  --stack ${AWS::StackName} --resource WorkLinkPOCServer --region ${AWS::Region}
    Metadata:
      AWS::CloudFormation::Init:
        configSets:
          All:
            - ConfigureWorkLinkSampleSite
            - SaveConfig
            - ConfigureSSL
            - ConfigureWorklink
        SaveConfig:
          files:
            /tmp/setupWorkLink/config.json:
              content: !Sub |
                       {
                       "FleetName":"worklinkpoc",
                       "VpcId":"${WorkLinkPOCVPC}",
                       "SecurityGroupIds":"${WorkLinkPOCSG}",
                       "SubnetIds":"${WorkLinkPOCSubnet}",
                       "Site":"${Site}",
                       "CertARN":"${CertARN}",
                       "Region":"${AWS::Region}",
                       "CertificateFileName":"/tmp/setupSSL/rootCA.pem",
                       "FleetArn":"N/A"
                       }
              mode: '000644'
              owner: root
              group: root
            /tmp/setupWorkLink/setupWorkLink.sh:
              content: !Sub |
                     #!/bin/bash
                     # Registers the POC with WorkLink: creates the fleet, attaches the
                     # VPC/subnet/security group, trusts the private root CA and associates
                     # the site. cfn-init starts this in the background, so log everything.
                     exec >>/var/log/setupWorkLink.log 2>&1
                     set -euo pipefail
                     cd /tmp/setupWorkLink
                     # Upgrade the CLI so the worklink subcommands are available.
                     pip install awscli --upgrade
                     site=$(jq -r '.Site' config.json | tr '[:upper:]' '[:lower:]')
                     fleetName=$(jq -r '.FleetName' config.json)
                     securityGroupIds=$(jq -r '.SecurityGroupIds' config.json)
                     subnetIds=$(jq -r '.SubnetIds' config.json)
                     vpcId=$(jq -r '.VpcId' config.json)
                     certArn=$(jq -r '.CertARN' config.json)
                     region=$(jq -r '.Region' config.json)
                     caFile=$(jq -r '.CertificateFileName' config.json)
                     response=$(aws worklink create-fleet --fleet-name="$fleetName" --display-name="$fleetName" --optimize-for-end-user-location --region="$region")
                     fleetArn=$(echo "$response" | jq -r '.FleetArn')
                     # Replace the N/A placeholder so config.json records what was created.
                     jq --arg arn "$fleetArn" '.FleetArn = $arn' config.json > config.json.tmp && mv config.json.tmp config.json
                     aws worklink update-company-network-configuration --fleet-arn="$fleetArn" --security-group-ids="$securityGroupIds" --subnet-ids="$subnetIds" --vpc-id="$vpcId" --region="$region"
                     # The fleet's browser must trust the private CA that signed the site
                     # certificate (see setupSSL.sh). Anything that CA signs is trusted too.
                     mycert=$(cat "$caFile")
                     aws worklink associate-website-certificate-authority --fleet-arn="$fleetArn" --certificate="$mycert" --display-name="$fleetName" --region="$region"
                     # The ACM certificate must be in us-east-1 (Part 1).
                     aws worklink associate-domain --fleet-arn="$fleetArn" --domain-name="$site" --acm-certificate-arn="$certArn" --display-name="$site" --region="$region"
              mode: '000644'
              owner: root
              group: root
            /tmp/setupSSL/setupSSL.sh:
              content: !Sub |
                     #!/bin/bash
                     # Creates a private root CA and a server certificate for the POC site and
                     # points Apache at them. rootCA.pem is registered with the fleet afterwards
                     # (setupWorkLink.sh) so the WorkLink browser trusts this internal site.
                     set -euo pipefail
                     hostname="$1"
                     cd /tmp/setupSSL
                     sed -i 's/SSLCertificateFile.*/SSLCertificateFile \/etc\/pki\/tls\/certs\/server\.crt/' /etc/httpd/conf.d/ssl.conf
                     sed -i 's/SSLCertificateKeyFile.*/SSLCertificateKeyFile \/etc\/pki\/tls\/private\/server\.key/' /etc/httpd/conf.d/ssl.conf
                     cat >>/etc/httpd/conf/httpd.conf<<END
                     <VirtualHost *:443>
                             SSLEngine on
                             SSLCertificateFile /etc/pki/tls/certs/server.crt
                             SSLCertificateKeyFile /etc/pki/tls/private/server.key
                             <Directory /var/www/html>
                             AllowOverride All
                             </Directory>
                             DocumentRoot /var/www/html
                             ServerName $hostname
                     </VirtualHost>
                     END
                     # Apache 2.2 needs NameVirtualHost for *:443; insert it once, after the *:80 line.
                     sed -i 's/.*NameVirtualHost \*:80.*/&\nNameVirtualHost *:443/' /etc/httpd/conf/httpd.conf
                     # openssl ca configuration. The same config signs the root (CA:true) and,
                     # with that flag flipped to CA:false below, the server certificate.
                     cfg="
                     dir = .
                     [ ca ]
                     default_ca = ROOT_CA
                     [ ROOT_CA ]
                     serial        = serial
                     database      = index.txt
                     certificate   = root.pem
                     private_key   = root.key
                     new_certs_dir = .
                     default_md    = sha256
                     policy        = policy_strict
                     default_days  = 3650
                     copy_extensions = copy
                     x509_extensions = self_signed
                     [ req ]
                     prompt = no
                     distinguished_name = req_dn
                     x509_extensions = self_signed
                     req_extensions = self_signed
                     [ req_dn ]
                     C = US
                     ST = Washington
                     O = Amazon
                     CN = $hostname
                     emailAddress = worklink@amazon.com
                     [ self_signed ]
                     subjectKeyIdentifier = hash
                     authorityKeyIdentifier = keyid,issuer:always
                     basicConstraints = CA:true
                     keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
                     extendedKeyUsage = serverAuth, clientAuth
                     subjectAltName = @alt_names
                     [ alt_names ]
                     DNS.1 = $hostname
                     [ policy_strict ]
                     # Request fields must match the CA subject; fields not listed here (e.g. OU) are dropped from the issued cert.
                     countryName            = match
                     stateOrProvinceName    = match
                     organizationName       = match
                     commonName             = match
                     emailAddress           = optional
                     "
                     cat /dev/null > index.txt
                     echo 'unique_subject = no' > index.txt.attr
                     subject_start='/C=US/ST=Washington/O=Amazon/OU=Worklink/CN='
                     subject_end='/emailAddress=worklink@amazon.com'
                     subject="$subject_start$hostname$subject_end"
                     # Root CA: key and CSR, then self-signed through the CA config so it carries the self_signed extensions.
                     openssl req -batch -new -newkey rsa:2048 -sha256 -keyout root.key -out root.csr -nodes -subj "$subject"
                     openssl ca -batch -out root.pem -create_serial -keyfile root.key -selfsign -config <(echo "$cfg") -infiles root.csr
                     openssl x509 -in root.pem > rootCA.pem
                     # Server certificate: fresh key and CSR. Validity comes from default_days in the CA config
                     # ('req -new' ignores -days, so it is not given here).
                     openssl req -batch -new -newkey rsa:2048 -sha256 -keyout server.key -out server.csr -nodes -subj "$subject"
                     # The ${!cfg...} form is the CloudFormation !Sub escape; bash sees its normal pattern
                     # substitution, which gives the leaf certificate CA:false.
                     cfgClient=${!cfg/CA:true/CA:false}
                     openssl ca -batch -config <(echo "$cfgClient") -out server.pem -infiles server.csr
                     # Apache's SSLCertificateFile must be PEM, not DER; this also strips the text dump openssl ca prepends.
                     openssl x509 -in server.pem -out server.crt
                     # Private keys stay owner-only; the root key never leaves this host.
                     chmod 600 root.key server.key
                     install -m 644 server.crt /etc/pki/tls/certs/server.crt
                     install -m 600 server.key /etc/pki/tls/private/server.key
                     /etc/init.d/httpd restart
              mode: '000644'
              owner: root
              group: root
        ConfigureWorkLinkSampleSite:
          packages:
            yum:
              httpd: []
              mod_ssl: []
              jq: []
              openssl: []
          files:
            /var/www/html/index.html:
              content:
                'Fn::Join':
                  - "\n"
                  -
                    - '<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>*{box-sizing: border-box;}.row::after{content: ""; clear: both; display: table;}[class*="col-"]{float: left; padding: 15px;}html{font-family: "Lucida Sans", sans-serif; background-color: #2a427c;}.header{background-color: #596d98; color: #ffffff; padding: 15px; box-shadow: 0 1px 3px rgba(0,0,0,.22), 0 1px 2px rgba(0,0,0,0.28);}.menu ul{list-style-type: none; margin: 0; padding: 0;}.menu li{padding: 8px; margin-bottom: 7px; background-color: #596d98; color: #ffffff; box-shadow: 0 1px 3px rgba(0,0,0,0.12), 0 1px 2px rgba(0,0,0,0.24);}.menu li:hover{background-color: #596d98;}.aside{background-color: #596d98; padding: 15px; color: #ffffff; text-align: center; font-size: 12px; box-shadow: 0 1px 3px rgba(0,0,0,.22), 0 1px 2px rgba(0,0,0,0.28);}.footer{background-color: #596d98; color:#ffffff; text-align: center; font-size: 12px; padding: 15px; box-shadow: 0 1px 3px rgba(0,0,0,.22), 0 1px 2px rgba(0,0,0,0.28);}[class*="col-"]{width: 100%;}@media only screen and(min-width: 768px){/* For desktop: */ .col-1{width: 8.33%;}.col-2{width: 16.66%;}.col-3{width: 25%;}.col-4{width: 33.33%;}.col-5{width: 41.66%;}.col-6{width: 50%;}.col-7{width: 58.33%;}.col-8{width: 66.66%;}.col-9{width: 75%;}.col-10{width: 83.33%;}.col-11{width: 91.66%;}.col-12{width: 100%;}}</style></head><body><div class="header"> <h1>Amazon WorkLink POC</h1></div><div class="row"> <div class="col-3 right"> <div class="aside"> <h2>Congratulations, you have successfully configured Amazon WorkLink</h2></div></div></div><div class="footer"> <p>Amazon WorkLink</p></div></body></html>'
              mode: '000644'
              owner: root
              group: root
          services:
            sysvinit:
              httpd:
                enabled: 'true'
                ensureRunning: 'true'
          commands:
            01_makedir:
              command: "mkdir /tmp/setupSSL"
            02_makedir:
              command: "mkdir /tmp/setupWorkLink"
        ConfigureSSL:
          commands:
            01_runbash:
              command: 
                !Sub 'bash /tmp/setupSSL/setupSSL.sh ${Site}'
        ConfigureWorklink:
          commands:
            01_setupWorkLink:
              # Backgrounded so cfn-signal is not held up by the CLI upgrade and
              # fleet creation. A failure here does not fail the stack: confirm in
              # the WorkLink console that the worklinkpoc fleet exists.
              command: "bash /tmp/setupWorkLink/setupWorkLink.sh &"
    DependsOn:
      - WorkLinkPOCDRT
      - WorkLinkPOCPolicy
  WorkLinkPOCIG:
    Type: 'AWS::EC2::InternetGateway'
    Properties: {}
  WorkLinkPOCGatewayAttachement:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      InternetGatewayId:
        Ref: WorkLinkPOCIG
      VpcId:
        Ref: WorkLinkPOCVPC
  WorkLinkPOCRT:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId:
        Ref: WorkLinkPOCVPC
  WorkLinkPOCDRT:
    Type: 'AWS::EC2::Route'
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId:
        Ref: WorkLinkPOCRT
      GatewayId:
        Ref: WorkLinkPOCIG
    DependsOn:
      - WorkLinkPOCIG
  WorkLinkPOCSubnetAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId:
        Ref: WorkLinkPOCRT
      SubnetId:
        Ref: WorkLinkPOCSubnet
  WorkLinkPOCSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId:
        Ref: WorkLinkPOCVPC
      GroupDescription: 'No external access'
      SecurityGroupIngress:
         - IpProtocol: tcp
           FromPort: 443
           ToPort: 443
           CidrIp: 10.0.0.0/8
  WorkLinkPOCInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - WorkLinkPOCRole
    DependsOn:
      - WorkLinkPOCRole
  # Broad, POC-only permissions: the instance creates the fleet, its network
  # configuration, the trusted CA and the domain association from
  # setupWorkLink.sh. Delete the stack (and with it this role) after the evaluation.
  WorkLinkPOCPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: WorkLinkPOCPolicy
      PolicyDocument:
        Statement:
          -
            Effect: Allow
            Action:
              - 'worklink:*'
              - 'acm:DescribeCertificate'
              - 'cloudfront:CreateDistribution'
              - 'cloudfront:UpdateDistribution'
            Resource: '*'
      Roles:
        -
          Ref: WorkLinkPOCRole
  WorkLinkPOCRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonWorkLinkFullAccess'
      RoleName: WorkLinkPOCRole
  WorkLinkPOCRecordSet:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      HostedZoneId:
        Ref: WorkLinkPOCHostedZone
      Comment: 'DNS name for my instance.'
      Name:
        Ref: Site
      Type: A
      TTL: '900'
      ResourceRecords:
        -
          'Fn::GetAtt':
            - WorkLinkPOCServer
            - PrivateIp
    DependsOn:
      - WorkLinkPOCHostedZone
  WorkLinkPOCHostedZone:
    Type: 'AWS::Route53::HostedZone'
    Properties:
      HostedZoneConfig:
        Comment: 'WorkLink POC'
      Name:
        Ref: Site
      VPCs:
        -
          VPCId:
            Ref: WorkLinkPOCVPC
          VPCRegion:
            Ref: 'AWS::Region'
    DependsOn:
      - WorkLinkPOCServer
Parameters:
  Site:
    Description: 'FQDN to be used in the POC website'
    Type: String
    ConstraintDescription: 'Must be a FQDN.'
  CertARN:
    Description: 'Certificate ARN'
    Type: String
    ConstraintDescription: 'Must be a valid Certificte ARN'
  KeyName:
    Description: "Name of an EC2 KeyPair to enable SSH access to the instance."
    Type: "AWS::EC2::KeyPair::KeyName"
    ConstraintDescription: "must be the name of an existing EC2 KeyPair."
  InstanceType:
    Description: 'WebServer EC2 instance type'
    Type: String
    Default: t2.small
    AllowedValues:
      - m1.small
      - t1.micro
      - t2.nano
      - t2.micro
      - t2.small
    ConstraintDescription: 'must be a valid EC2 instance type.'
# AMI IDs are pinned. They must be Amazon Linux (sysvinit) images because the
# cfn-init 'services: sysvinit' block and the /etc/init.d/httpd call depend on
# that; refresh the IDs before reusing this template.
Mappings:
  AWSInstanceType2Arch:
    m1.small:
      Arch: HVM64
    t1.micro:
      Arch: HVM64
    t2.nano:
      Arch: HVM64
    t2.micro:
      Arch: HVM64
    t2.small:
      Arch: HVM64
  AWSRegionArch2AMI:
    us-east-1:
      HVM64: ami-0ff8a91507f77f867
      HVMG2: ami-0a584ac55a7631c0c
    us-west-2:
      HVM64: ami-a0cfeed8
      HVMG2: ami-0e09505bc235aa82d
    us-west-1:
      HVM64: ami-0bdb828fd58c52235
      HVMG2: ami-066ee5fd4a9ef77f1
    eu-west-1:
      HVM64: ami-047bb4163c506cd98
      HVMG2: ami-0a7c483d527806435
    eu-west-2:
      HVM64: ami-f976839e
      HVMG2: NOT_SUPPORTED
    eu-west-3:
      HVM64: ami-0ebc281c20e89ba4b
      HVMG2: NOT_SUPPORTED
    eu-central-1:
      HVM64: ami-0233214e13e500f77
      HVMG2: ami-06223d46a6d0661c7
    ap-northeast-1:
      HVM64: ami-06cd52961ce9f0d85
      HVMG2: ami-053cdd503598e4a9d
    ap-northeast-2:
      HVM64: ami-0a10b2721688ce9d2
      HVMG2: NOT_SUPPORTED
    ap-northeast-3:
      HVM64: ami-0d98120a9fb693f07
      HVMG2: NOT_SUPPORTED
    ap-southeast-1:
      HVM64: ami-08569b978cc4dfa10
      HVMG2: ami-0be9df32ae9f92309
    ap-southeast-2:
      HVM64: ami-09b42976632b27e9b
      HVMG2: ami-0a9ce9fecc3d1daf8
    ap-south-1:
      HVM64: ami-0912f71e06545ad88
      HVMG2: ami-097b15e89dbdcfcf4
    us-east-2:
      HVM64: ami-0b59bfac6be064b78
      HVMG2: NOT_SUPPORTED
    ca-central-1:
      HVM64: ami-0b18956f
      HVMG2: NOT_SUPPORTED
    sa-east-1:
      HVM64: ami-07b14488da8ea02a0
      HVMG2: NOT_SUPPORTED
    cn-north-1:
      HVM64: ami-0a4eaf6c4454eda75
      HVMG2: NOT_SUPPORTED
    cn-northwest-1:
      HVM64: ami-6b6a7d09
      HVMG2: NOT_SUPPORTED
Outputs:
  URL:
    # Only port 443 is open, and only from 10.0.0.0/8, so the instance's public
    # IP is not browsable. The site name resolves through the private hosted
    # zone, i.e. only from inside the VPC or through the WorkLink browser.
    Value: !Sub 'https://${Site}'
    Description: 'POC site URL (reachable through the WorkLink browser)'

3. Supply the required information: Stack name, Certificate ARN (shown on the certificate details page in the AWS Certificate Manager console), Instance type, KeyName, and the POC Site name (the FQDN the sample site will use).

4. You will be asked to acknowledge that the template creates IAM resources with custom names (the WorkLinkPOCRole role) and resources that you will be billed for. Select the acknowledgement box, then choose Create stack.

Next steps

After the stack deployment completes and the EC2 instance created by CloudFormation is in a ready state, the infrastructure for evaluating the Amazon WorkLink onboarding process is in place. Complete the setup by configuring an identity provider (Part 3). After you finish the evaluation, delete the CloudFormation stack; this removes the resources the stack created so that you are no longer billed for them. The WorkLink fleet (worklinkpoc) is created by the instance's boot script rather than by the stack, so delete it separately in the Amazon WorkLink console.

Follow the steps below to federate access to Amazon WorkLink using AWS SSO as a SAML 2.0 based Identity Provider (IdP). This document assumes you have not previously configured AWS SSO.

Pre-requisites:

You need to complete these pre-requisites prior to federating access to Amazon WorkLink:

  • Administrative access to the AWS console with privileges to configure AWS SSO
  • Amazon WorkLink fleet with permissions to configure the identity provider (IdP)

Note: The instructions shared here cover only the Identity Provider (IdP) configuration portion of Amazon WorkLink and not other areas of the service. For more information on Amazon WorkLink, see Getting started with Amazon WorkLink.

Setup Instructions:


1. Open the fleet whose service provider document you will download. There are three ways to get there:

  • If you launched the Amazon WorkLink POC CloudFormation template in Part 2, a fleet called worklinkpoc has already been created for you. Open the worklinkpoc fleet detail page and skip to step 3.
  • If you have not launched the CloudFormation template in Part 2, you need to create a fleet first. Go to https://console.aws.amazon.com/worklink/ and choose Create Fleet.
  • If you previously created a fleet in the WorkLink console, open that fleet and skip to step 3.

2. On the Create fleet page, enter a fleet name and optionally a display name.

3. Choose the Link IdP button.

4. Download the service provider metadata document. Now you are ready to set up AWS SSO.

Configure AWS SSO:

1. Navigate to the AWS SSO console and choose the Enable AWS SSO button.

2. Choose Manage your Directory.

3. Connect a directory.

4. Choose AWS SSO directory and choose Next: Review.

5. Type CONFIRM and choose Finish.

6. Choose Add user.

7.  Create a user and a group. Add the user to the group.

IMPORTANT: the username and password set on this page will be used to log in to Amazon WorkLink. Save this information for later use. Refer to the AWS SSO documentation for details on how to retrieve and reset user passwords.

8. Add a new application.

9. Choose Amazon WorkLink and add the application.

10. Scroll down to the Application metadata section. Upload the service provider metadata file that you downloaded from the Amazon WorkLink console in the Link IdP step (step 4 above).

11. Choose the Attribute Mappings tab and add a NameId user attribute with the string value ${user:name} and Format basic.

12. Choose the Assigned Users tab and assign the user you created to the application.

13. Scroll to the SSO metadata section and select the link to download the metadata file.

14. In the AWS console, navigate back to Amazon WorkLink and edit the worklinkpoc fleet (or the fleet you opened in step 1). Select Identity Provider Details. Choose file prompts you to upload the IdP metadata file downloaded in the previous step. Once the file is uploaded, choose Link IdP.

15. You have completed setting up AWS SSO for use with Amazon WorkLink.


  1. Download the Amazon WorkLink app from the App Store (iOS) or Play Store (Android) onto your mobile device. Open Amazon WorkLink and choose Get Started.
  2. The app asks for a company code. Find it on the User Invites tab of the fleet detail page in the Amazon WorkLink console.
  3. Choose Next to reach the AWS SSO login page. Log in with the username@domain and password you set up in AWS SSO.
  4. Open your phone's browser (Safari on iOS, Chrome on Android) and type the domain you associated with the fleet into the address bar.