Enabling Single Sign-on Access to AppStream 2.0 Using SAML 2.0
Amazon AppStream 2.0 supports identity federation to AppStream 2.0 stacks through Security Assertion Markup Language 2.0 (SAML 2.0). You can use an identity provider that supports SAML 2.0—such as Active Directory Federation Service, Ping One Federation Server, or Okta—to provide a simple onboarding flow for your AppStream 2.0 users. This feature offers your users the convenience of one-click access to their AppStream 2.0 applications using their existing identity credentials. You also have the security benefit of identity authentication by your identity provider. You can control which users have access to a particular AppStream 2.0 stack, using your existing identity provider.
Example Authentication Workflow
The following diagram illustrates the authentication flow between AppStream 2.0 and a third-party identity provider. In this example, the administrator has set up a sign-in page to access AppStream 2.0, called applications.exampleco.com. The web page uses a SAML 2.0 compliant federation service to trigger a sign-on request. The administrator has also set up a user to allow access to AppStream 2.0.
1. The user browses to https://applications.exampleco.com. The sign-on page requests authentication for the user.
2. The federation service requests authentication from the organization's identity store.
3. The identity store authenticates the user and returns the authentication response to the federation service.
4. On successful authentication, the federation service posts the SAML assertion to the user's browser.
5. The user's browser posts the SAML assertion to the AWS Sign-In SAML endpoint (https://signin.aws.amazon.com/saml). AWS Sign-In receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to the AppStream 2.0 service.
6. Using the authentication token from AWS, AppStream 2.0 authorizes the user and presents applications to the browser.
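The following Python is an added example, not AWS code, of the checks a SAML 2.0 relying party such as the AWS Sign-In endpoint applies in step 5 before accepting the assertion the browser posts: trusted issuer, recipient, validity window and audience. The sample response is constructed and unsigned, the issuer entity ID and user are assumed, and urn:amazon:webservices is the audience AWS federation expects; XML signature verification is omitted here and is mandatory in a real deployment.

```python
# Added example (not AWS code): the checks a SAML 2.0 relying party makes on
# the assertion the browser POSTs to the AWS Sign-In SAML endpoint (step 5).
# The response is constructed and unsigned; a real relying party must also
# verify the XML signature against the IdP certificate before trusting it.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"  # endpoint named on the page
AWS_AUDIENCE = "urn:amazon:webservices"                    # audience AWS federation expects
TRUSTED_ISSUER = "https://idp.exampleco.com"               # assumed IdP entity ID
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{AWS_SAML_ENDPOINT}">
  <saml:Assertion>
    <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@exampleco.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{AWS_SAML_ENDPOINT}" NotOnOrAfter="2030-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{AWS_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The browser carries the response as a base64-encoded SAMLResponse form field.
ENCODED_SAMPLE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_saml_response(b64_response, now=None):
    """Return the authenticated NameID, or raise ValueError naming the failed check."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("Destination") != AWS_SAML_ENDPOINT:
        raise ValueError("Destination is not the AWS Sign-In endpoint")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise ValueError("assertion missing or from an untrusted issuer")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_SAML_ENDPOINT:
        raise ValueError("bearer assertion was not issued for this recipient")
    cond = a.find("saml:Conditions", NS)
    if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if a.findtext(".//saml:Audience", namespaces=NS) != AWS_AUDIENCE:
        raise ValueError("assertion audience is not AWS")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```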
From the user's perspective, the process happens transparently: The user starts at your organization's internal portal and lands at an AppStream 2.0 application portal, without ever having to supply any AWS credentials.