What is AWS AppStream?
AWS App Stream is a fully managed application streaming service from AWS using which organizations can manage various desktop applications from a centralized console and securely deliver them to a browser on any computer. It is a scalable service and can be scaled up or scaled down based on the number of users without provisioning any hardware, operating system, or infrastructure. AWS App Stream provides a seamless experience to all the users accessing the application on a web browser because your applications run on virtual machines that are optimized for specific use cases and each streaming session automatically adjusts to network conditions.
AWS App Stream is a hosted service with automatic scaling built-in and each user has their own virtual machine that is running the application at the backend. It is a remote internet-based windows application streaming service for HTML 5 enabled browsers. AWS App Stream can be considered as a simple alternative for Microsoft RDP or Citrix.
What is OKTA?
Okta is an online third-party provider that can be used for authentication purposes with AWS AppStream. It is a secure identity and access management platform that can be integrated with a lot of applications and provide seamless authentication services. In this blog we will be looking at a specific case of integrating OKTA with AWS App Stream wherein our users will be using a single sign-on and login into their OKTA account and form there will be able to access AWS App stream as an application on any HTML5 enabled web browsers.
Step By Step Approach of Integrating Amazon AppStream 2.0 with Okta SAML:
- We need to start by creating an account with OKTA and you can create a developer account with Okta to start with and it comes free of cost. It is very easy to create an account with
- OKTA just go to https://developer.okta.com/signup/ and fill up some basic details. You don’t even need to put in your credit card details.
- After creating an account, you need to go to the admin tab and click on Dashboard. The Dashboard will give you an overview of Notifications, Usage, etc. You need to add an application and every application created in OKTA has different metadata. If you have multiple AppStream Stacks to connect to then you will have to create a separate application for each Stack
- AWS App Stream is already in the list of applications that OKTA supports. So you need to just search for AWS AppStream in the search box and add that as an application. Once added AppStream will be listed in Active Applications.
- Once the application is added then you need to go to Sign On tab to download the Identity Provider Metadata. This file will be used when configuring SAML Identity in AWS IAM. Download the file and save it in your local drive.
- Login to your AWS Console and go to the IAM service. Click on Identity Providers and select “SAML as Provider Type” and give an appropriate name to Provider Name. In “Metadata Document” click on Choose File and select the file that we have downloaded from OKTA console
- Once the Identity Provider has been created we need to create a policy by going to the policies tab in IAM. You need to click on the Create Policy tab and select AppStream2.0 as a service and allowing all the actions and all resources. Please click on the review policy and create the policy.
- The next step is to create a SAML role. Click on Roles Tab and go to Create Role., select SAML 2.0 federation as a type of trusted entity. Click on SAML provider and select SAML identity that you have created earlier and select programmatic access only. Select “Attribute as SAML:aud” and put in Value as “https://signin.aws.amazon.com/saml”.
- Click on Next: Permissions and attach the IAM policy that you have created earlier. Follow the subsequent steps to create the IAM Role.
- Go to OKTA Dashboards and click on the Sign On tab. You need to edit the setting so click on edit and scroll down to Advanced Sign-On Settings. First field is of Role ARN and Idp ARN copy the Role ARN and Idp ARN respectively from AWS Console and put it in this field as a string value separated by a comma. Session Duration can be set ad default of 900 seconds and the application username format will be OKTA username. Once all the fields are filled scroll up and go to Default Relay State and put in the value in below format“https://appstream2.ap-southeast-1.aws.amazon.com/saml?stack=Test&accountId=200901412345” make the changes of region name, stack name and account id and click on save.
- Once all the settings are done you need to move to the Assignments tab to assign this application to users. In this case, we are assigning this application to ourselves. Click on Assign Tab and select “Assign To People” and select your user, click on save and go to the bank and click on Assign.
- Once you have assigned the application to people or groups you need to click on My Apps and it will take you the page where all of your apps are listed in our case we will have only one application that is AWS AppStream.
- Click on Amazon AppStream2.0 and it will take you to the Get Started page of Amazon AppStream 2.0 and it should look like this.
You are able to login to your application using OKTA credentials and the user did not have to use any separate login details while accessing the Application. There can be other applications that can be linked to OKTA and users will be able to access all the applications using a single sign-on. Moreover, we can also integrate OKTA with Active Directory or LDAP.
Written by – Atin Mittal