Step 1: Create a web portal - Amazon WorkSpaces Web

Step 1: Create a web portal

Follow these steps to create a web portal.

If you already completed these steps in Set up your SAML 2.0 identity provider, you can skip this section and go to Step 2: Test the endpoint.

  1. Open the WorkSpaces Web console at

  2. Choose WorkSpaces Web, Web portals, and then choose Create web portal.

  3. On the Step 1: Specify networking connection page, complete the following steps to connect your VPC to your web portal, and configure your VPC and subnets.


    You can choose to skip this step for now and complete it after you create a web portal, in step 13 below.

    1. For Networking details, choose a VPC.

    2. Choose at lease two private subnets that meet all requirements. For more information, see Set up your network.

    3. Choose a security group.

  4. On the Step 2: Configure web portal settings page, complete the following steps to customize your users' browsing experience when they start a session, and then choose Next:


    WorkSpaces Web applies additional browser policies to isolate users to the browser interface sessions, on behalf of the customer. For more information, see Review browser policies.

    1. Under Web portal details, for Display name, enter an identifiable name for your web portal.

    2. Under Policy settings, enter the following details:

      • For Policy options, choose Visual editor or JSON file upload to choose how to provide the policy configuration details for your web portal. WorkSpaces Web includes support for Chrome enterprise policies, and you can add and manage policies using either a visual editor, or a manual upload for policy files. You can switch between either option at any time.

        When you upload a policy file, you will see the available policies in the file. However, not all policies can be edited in the visual editor. You might need to manually edit the JSON data to make changes to a policy.

      • For Startup URL - optional, you can enter a domain to use as the homepage when users launch their browser. Your VPC must have a stable connection to this URL.

      • For Browser bookmarks - optional, you can enter the Display name, Domain, and Folder for any bookmarks you want your users to see in their browser, and choose Add bookmark.


        Domain is a required field for browser bookmarks.

  5. On the Step 3: Select user settings page, complete the following steps to choose which features your users can access from the top navigation bar during their session, and then choose Next:

    1. For Clipboard, choose Disabled or Enabled.

    2. Under File transfer, choose Disabled or Enabled.

    3. For Print to local device, choose Allowed or Not allowed.

    4. For User session details, specify the following:

      • For Disconnect timeout in minutes, choose the amount of time that a streaming session remains active after users disconnect. If users try to reconnect to the streaming session after a disconnection or network interruption within this time interval, they are connected to their previous session. Otherwise, they are connected to a new session with a new streaming instance.

        If a user ends the session, the disconnect timeout does not apply. Instead, the user is prompted to save any open documents, and then is immediately disconnected from the streaming instance. The instance the user was using is then terminated.

      • For Idle disconnect timeout in minutes, choose the amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the Disconnect timeout in minutes time interval begins. Users are notified before they are disconnected due to inactivity. If they try to reconnect to the streaming session before the time interval specified in Disconnect timeout in minutes has elapsed, they are connected to their previous session. Otherwise, they are connected to a new session with a new streaming instance. Setting this value to 0 disables it. When this value is disabled, users are not disconnected due to inactivity.


        Users are considered idle when they stop providing keyboard or mouse input during their streaming session. File uploads and downloads, audio in, audio out, and pixels changing do not qualify as user activity. If users continue to be idle after the time interval in Idle disconnect timeout in minutes elapses, they are disconnected.

  6. On the Step 4: Configure identity provider page of the creation wizard, choose Download metadata file to download the service provider (SP) metadata document that you will upload to your identity provider (IdP) in the next step. You must upload the service provider metadata file to your IdP. Otherwise, your users won't be able to log in.


    WorkSpaces Web supports service provider initiated (SP-initiated) sign-in flows with your SAML 2.0-compliant IdP. WorkSpaces Web does not yet support identity provider initiated (IdP-initiated) sign-in flows.

  7. Open another tab in your browser, and complete the following steps for your IdP:

    1. Upload the SP metadata document that you downloaded in the previous step to your IdP. You must either upload the file to your IdP, or copy and paste the metadata values (for providers like Okta). The details of this configuration process vary between providers. Check your provider's documentation for detailed help on adding the details provided by WorkSpaces Web to your configuration.

    2. Grant access to your users in your IdP to use WorkSpaces Web.

    3. Download a metadata exchange file from your IdP. You will upload this metadata to WorkSpaces Web in the next step.

  8. Return to the WorkSpaces Web console, and on the Configure identity provider page of the creation wizard, under IdP metadata document, choose Choose file to upload the XML-formatted metadata file from IdP that you downloaded in the previous step. WorkSpaces Web requires this metadata from your IdP to establish trust. When you are done, choose Next.


    WorkSpaces Web requires the subject or NameID to be mapped and set in the SAML assertion within your IdP's settings. Your IdP can create these mappings automatically. If these mappings are not configured correctly, a user who attemps to sign in to the web portal might be unable to start a session.

  9. On the Step 5: Review and launch page, review the settings you've selected for your web portal. You can choose Edit to make any changes, or you can change these settings later on from the Web portals tab of the console.

  10. When you're done, choose Launch web portal.

  11. To view the status of your web portal, choose Web portals, choose your portal, and choose View details.

    A web portal can have one of the following statuses:

    • Incomplete - The web portal's configuration is missing required identity provider settings.

    • Pending - The web portal is applying changes to its settings.

    • Active - The web portal is ready and available for use.

  12. Wait up to 15 minutes for your portal to become Active.

  13. If you skipped step 3 above, follow these steps to configure your subnets:

    1. Choose Web portals, choose your portal, and then choose Edit.

    2. In Networking details, choose a VPC with VPC endpoints.

    3. Choose at lease two private subnets with all three VPC endpoints that you created previously. Make sure they are in different AZs.

    4. Choose Save, and wait up to 15 minutes for the changes to take effect.