AppStream 2.0 Integration with SAML 2.0 - Amazon AppStream 2.0

AppStream 2.0 Integration with SAML 2.0

The following links help you configure third-party SAML 2.0 identity provider solutions to work with AppStream 2.0.

IdP solution More information
AWS IAM Identity Center Enable federation with IAM Identity Center and Amazon AppStream 2.0 — Describes how to use IAM Identity Center to federate user access to your AppStream 2.0 applications with their existing enterprise credentials.
Active Directory Federation Services (AD FS) for Windows Server Enabling Identity Federation with AD FS 3.0 and Amazon AppStream 2.0 — Describes how to provide users with SSO access to AppStream 2.0 by using their existing enterprise credentials. You can configure federated identities for AppStream 2.0 by using AD FS 3.0.
Azure Active Directory (Azure AD) Enabling Federation with Azure AD Single Sign-On and Amazon AppStream 2.0 — Describes how to configure federated user access for Amazon AppStream 2.0 by using Azure AD SSO for enterprise applications.
GG4L School Passport™ Enabling Identity Federation with GG4L’s School Passport™ and Amazon AppStream 2.0 — Describes how to configure GG4L’s School Passport™ to federate login to AppStream 2.0.
Google Setting up G Suite SAML 2.0 federation with Amazon AppStream 2.0 — Describes how to use the G Suite Admin console to set up SAML federation to AppStream 2.0 for users in G Suite domains.
Okta How to Configure SAML 2.0 for Amazon AppStream 2.0 — Describes how to use Okta to set up SAML federation to AppStream 2.0. For stacks that are joined to a domain, the "Application username format" must be set to "AD user principal name".
Ping Identity Configuring an SSO connection to Amazon AppStream 2.0 — Describes how to set up single sign-on (SSO) to AppStream 2.0.
Shibboleth Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth — Describes how to set up the initial federation between the Shibboleth IdP and the AWS Management Console. You must complete the following additional steps to enable federation to AppStream 2.0.

Step 4 of the AWS Security whitepaper describes how to create IAM roles that define the permissions that federated users have to the AWS Management Console. After you create these roles and embed the inline policy as described in the whitepaper, modify this policy so that it provides federated users with permissions to access only an AppStream 2.0 stack. To do this, replace the existing policy with the policy noted in Step 3: Embed an Inline Policy for the IAM Role, in Setting Up SAML.

When you add the stack relay state URL as described in Step 6: Configure the Relay State of Your Federation, in Setting Up SAML, add the relay state parameter to the federation URL as a target request attribute. The URL must be encoded. For information about configuring relay state parameters, see the SAML 2.0 section in the Shibboleth documentation.

For more information, see Enabling Identity Federation with Shibboleth and Amazon AppStream 2.0.

VMware WorkSpace ONE Federating Access to Amazon AppStream 2.0 from VMware Workspace ONE — Describes how to use the VMware Workspace ONE platform to federate user access to your AppStream 2.0 applications.
SimpleSAMLphp Enabling Federation with SimpleSAMLphp and Amazon AppStream 2.0 — Describes how to configure SAML 2.0 federation for AppStream 2.0 using SimpleSAMLphp.
OneLogin Single Sign-On (SSO) OneLogin SSO with Amazon AppStream 2.0 — Describes how to configure federated user access for AppStream 2.0 using OneLogin SSO.
JumpCloud Single Sign-On (SSO) Enable federation with JumpCloud SSO and Amazon AppStream 2.0 — Describes how to configure federated user access for AppStream 2.0 using JumpCloud SSO.
BIO-key PortalGuard Enable federation with Bio-key PortalGuard and Amazon AppStream 2.0 — Describes how to configure BIO-key PortalGuard for federated logins to AppStream 2.0.

For solutions to common problems you may encounter, see Troubleshooting.

For more information about additional supported SAML providers, see Integrating Third-Party SAML Solution Providers with AWS in the IAM User Guide.