WorkSpaces Integration with SAML 2.0

Integrating SAML 2.0 with your WorkSpaces for desktop session authentication allows your users to use their existing SAML 2.0 identity provider (IdP) credentials and authentication methods through their default web browser. By using your IdP to authenticate users for WorkSpaces, you can protect WorkSpaces by employing IdP features like multi-factor authentication and contextual access policies.

Authentication workflow

The following sections describe the authentication workflow between WorkSpaces and a SAML 2.0 identity provider (IdP):

When the flow is initiated by the IdP. For example, when a user clicks on an application in the IdP user portal in a web browser.
When the flow is initiated by the WorkSpaces client. For example, when a user opens the client and signs in.

In these examples, the user enters user@example.comto sign in to the IdP. The IdP has a SAML 2.0 service provider application configured for a WorkSpaces directory and the user is authorized for the WorkSpaces SAML 2.0 application. The user creates a WorkSpace for the user name, user, in a directory that's enabled for SAML 2.0 authentication. Additionally, the user installs the WorkSpaces client application on their device.

Identity provider (IdP)-initiated flow

The IdP-initiated flow allows users to automatically register the WorkSpaces client application on their devices without having to enter a WorkSpaces registration code. Users don't sign in to their WorkSpaces using the IdP-initiated flow. WorkSpaces authentication must originate from the client application.

Using their web browser, the user signs in to the IdP.
After signing in to the IdP, the user clicks the WorkSpaces application from the IdP user portal.
The user is redirected to this page in the browser, and the WorkSpaces client application is opened automatically.
The WorkSpaces client is now registered and the user can continue to sign by clicking Continue to sign in to WorkSpaces.

WorkSpaces client-initiated flow

The client-initiated flow allows users to sign in to their WorkSpaces after signing in to an IdP.

The user launches the WorkSpaces client application (if it isn't already running) and clicks Continue to sign in to WorkSpaces.
The user is redirected to their default web browser to sign in to the IdP. If the user is already signed in to the IdP in their browser, they don't need to sign in again and will skip this step.
Once signed in to the IdP, the user is redirected to this page in the browser, and clicks Log in to WorkSpaces.
The user is redirected to the WorkSpaces client application to complete sign in to their WorkSpace. The WorkSpaces user name is populated automatically from the IdP SAML 2.0 assertion. When you use certificate-based authentication (CBA) , the user is automatically signed in.
The user is signed in to their WorkSpace.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Trusted devices

Setting up SAML 2.0