What is Amazon AppStream 2.0?
Amazon AppStream 2.0 is a fully managed application streaming service from AWS. Organizations manage their desktop applications from a central console and deliver them securely to a browser on any computer. The service scales up or down with the number of users without you provisioning hardware, operating systems or other infrastructure. Users get a consistent experience in the web browser because the applications run on virtual machines (fleet instances) sized for the workload, and each streaming session adapts automatically to network conditions.
AppStream 2.0 is a hosted service with built-in automatic scaling; at the backend each user gets their own virtual machine running the application. It streams Windows applications over the internet to any HTML5-capable browser and is a straightforward alternative to Microsoft RDP or Citrix deployments.
What is Okta?
Okta is a third-party identity and access management platform that can act as the SAML identity provider for AWS AppStream 2.0. It integrates with a large catalogue of applications and provides single sign-on to all of them. In this blog we look at one specific case: integrating Okta with AppStream 2.0 so that users sign in once to their Okta account and, from there, open AppStream 2.0 as an application in any HTML5-capable web browser.
Step By Step Approach of Integrating Amazon AppStream 2.0 with Okta SAML:
- Start by creating an Okta account. A developer account is free and sufficient for this walkthrough: go to https://developer.okta.com/signup/ and fill in some basic details. No credit card is required.
- After creating the account, open the Admin console and click Dashboard. The Dashboard gives an overview of notifications, usage and so on. Next you need to add an application. Every application created in Okta has its own SAML metadata, so if you have several AppStream 2.0 stacks to connect, create a separate Okta application for each stack.
- Amazon AppStream 2.0 is already in Okta's application catalogue, so search for "AppStream" in the application search box and add it. Once added, it is listed under Active Applications.
- Once the application is added, you need to go to the Sign On tab to download the Identity Provider Metadata. This file will be used when configuring SAML Identity in AWS IAM. Download the file and save it on your local drive.
- In the AWS IAM console, create the SAML identity provider: go to Identity providers, click Add provider, choose SAML as the provider type, give it a name (for example Okta), upload the Identity Provider Metadata file you downloaded from Okta and create the provider. Note the provider ARN; you will need it later in Okta.
- Once the identity provider has been created, create an IAM policy: go to the Policies tab in IAM, click Create Policy and select AppStream 2.0 as the service. The post allows all actions on all resources here; for a streaming-only role the federated user needs just the appstream:Stream action on the ARN of the stack they should reach, so scope the policy to that where you can. Click Review policy, give it a name and create it.
- The next step is to create the SAML role. Open the Roles tab and click Create Role. Select SAML 2.0 federation as the type of trusted entity, choose the SAML provider you created earlier, and select "Allow programmatic access only". Set the attribute to "SAML:aud" with the value "https://signin.aws.amazon.com/saml"; this becomes a condition in the role's trust policy so that only assertions issued for AWS sign-in can assume the role.
- Click on Next: Permissions and attach the IAM policy you created earlier. Follow the subsequent steps to create the IAM Role.
- Back in the Okta Admin console, open the AppStream 2.0 application and click the Sign On tab. Click Edit and scroll down to Advanced Sign-On Settings. The first field is "Role ARN and Idp ARN": copy the role ARN and the identity provider ARN from the AWS console and enter them as a single string separated by a comma, role ARN first. Session Duration can be left at the default of 900 seconds (the minimum AWS accepts for a SAML session), and the application username format should be Okta username. Then scroll up to Default Relay State and enter a value of the form "https://appstream2.ap-southeast-1.aws.amazon.com/saml?stack=Test&accountId=200901412345", replacing the region, the stack name and the account ID with your own, and click Save.
- Once these settings are in place, go to the Assignments tab to assign the application to users. In this case we assign it to ourselves: click Assign, select "Assign to People", choose your user, click Save and Go Back, then click Done.
- Once the application is assigned to people or groups, click My Apps to open the page that lists all your applications. In our case there is only one, Amazon AppStream 2.0.
- Click Amazon AppStream 2.0 and you land on the Amazon AppStream 2.0 Get Started page.
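The AWS-side pieces of the procedure above (the role trust policy with the SAML:aud condition, the permissions policy, the comma-separated "Role ARN and Idp ARN" value and the Default Relay State URL) are easy to get subtly wrong when typed into consoles. The following Python is an added example, not code from the original post: it assembles each of those artifacts from a region, account ID and stack name, and includes a small check that flags the "all actions, all resources" policy the post creates against the scoped appstream:Stream policy documented by AWS for SAML federation. The region, account ID, stack name, provider name and role name used are constructed placeholders.

```python
"""AWS-side artifacts for the AppStream 2.0 / Okta SAML setup described above.

Added example, not code from the original post.  Policy shapes follow the AWS
documentation for AppStream 2.0 SAML federation; region, account id, stack
name, provider name and role name below are constructed placeholders.
"""
import json
from urllib.parse import urlencode

# Audience the SAML assertion must carry to be accepted by AWS sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def stack_arn(region: str, account_id: str, stack_name: str) -> str:
    return f"arn:aws:appstream:{region}:{account_id}:stack/{stack_name}"


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for the SAML role: only this IdP may assume it, and only
    with assertions whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def stream_policy(region: str, account_id: str, stack_name: str) -> dict:
    """Least-privilege permissions policy: stream exactly one stack, and only
    as the user named in the assertion (appstream:userId must equal saml:sub)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": stack_arn(region, account_id, stack_name),
            "Condition": {"StringEquals": {"appstream:userId": "${saml:sub}"}},
        }],
    }


# Constructed here to show the contrast: what "all actions and resources" on
# the AppStream 2.0 service produces.  Not taken from the post.
ALLOW_ALL_APPSTREAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "appstream:*", "Resource": "*"}],
}


def overbroad_statements(policy: dict) -> list:
    """Return Allow statements that use a wildcard action or wildcard resource."""
    def as_list(value):
        return value if isinstance(value, list) else [value]

    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged


def okta_role_attribute(role_arn: str, provider_arn: str) -> str:
    """Value for Okta's 'Role ARN and Idp ARN' field: both ARNs, comma separated."""
    return f"{role_arn},{provider_arn}"


def relay_state(region: str, account_id: str, stack_name: str) -> str:
    """Default Relay State that sends the federated user straight to one stack."""
    query = urlencode({"stack": stack_name, "accountId": account_id})
    return f"https://appstream2.{region}.aws.amazon.com/saml?{query}"


if __name__ == "__main__":
    region, account, stack = "ap-southeast-1", "200901412345", "Test"  # placeholders
    provider = saml_provider_arn(account, "Okta")
    role = f"arn:aws:iam::{account}:role/AppStreamOktaRole"  # placeholder
    print(json.dumps(trust_policy(provider), indent=2))
    print(json.dumps(stream_policy(region, account, stack), indent=2))
    print("Okta role attribute:", okta_role_attribute(role, provider))
    print("Relay state:", relay_state(region, account, stack))
    print("Overbroad statements in allow-all policy:",
          len(overbroad_statements(ALLOW_ALL_APPSTREAM)))
```

Paste the output of trust_policy into the role's trust relationship and stream_policy as the attached permissions policy; the condition on appstream:userId stops one federated user from streaming with another user's identity even if they share the role. Running overbroad_statements over the allow-all policy flags it, while the scoped policy passes, which is a quick sanity check before you hand the role ARN to Okta.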
Users now open the application with their Okta credentials and never handle a separate set of login details for AppStream 2.0. Other applications can be linked to Okta in the same way, so users reach all of them through a single sign-on, and Okta itself can be integrated with Active Directory or LDAP as the upstream directory.
Written by – Atin Mittal