Enabling SAML Authentication for AWS AppStream 2.0 with OKTA
OKTA – Create Application
Step | Description
PRQ | None. This section produces the Okta IdP metadata file that the AWS section below needs.
1 | Make sure you are in the Okta Admin Console ‘Classic UI’, not the Developer Console.
2 | Click Add Applications.
3 | Search for ‘appstream’ and click Add.
4 | Provide an Application label and click Done.
5 | Click the Sign On tab.
6 | Click Identity Provider metadata and save the metadata file locally (this guide calls it okta_metadata.xml); you will upload it when creating the AWS SAML provider.
AWS – Create SAML Provider
Step | Description
PRQ | The Okta IdP metadata file from the steps above.
1 | Open the AWS Console and click IAM.
2 | Click Identity Providers, then Create Provider.
3 | Choose Provider Type: SAML. Give the provider a name (this guide uses ‘Okta’) and upload your okta_metadata.xml file.
4 | Click Create.
5 | You are returned to the Identity Providers list.
6 | Click the provider name ‘Okta’ and take note of its Provider ARN (of the form arn:aws:iam::ACCOUNT-ID:saml-provider/Okta); you need it in step 17.
AWS – Create Policy and Role
Step | Description
7 | In IAM click Policies, then Create Policy.
8 | Click Create Your Own Policy.
9 | Give the policy a recognisable Name and Description and paste the policy document from step 10. As written it grants streaming access to every published stack in the account. To limit users to specific stacks, replace the "*" in Resource with the stack ARN(s), like this: "Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME"
10 | Policy document. It allows appstream:Stream on all stacks, but only for sessions whose AppStream user ID equals the SAML NameID (saml:sub) and whose NameID is persistent, so a federated user can only stream as themselves:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "appstream:Stream",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "appstream:userId": "${saml:sub}",
              "saml:sub_type": "persistent"
            }
          }
        }
      ]
    }
11 | Click Roles, then Create Role.
12 | Click SAML 2.0 federation.
13 | Select the SAML provider created in step 3, tick ‘Allow programmatic access only’ (the role is only ever assumed through AssumeRoleWithSAML, never for console sign-in), enter Attribute SAML:aud with Value https://signin.aws.amazon.com/saml, and click Next: Permissions.
14 | Select the AppStream policy created in steps 9 and 10 and click Next: Review.
15 | Click Create Role.
16 | Click the role name and take note of its Role ARN; you need it in step 17.
OKTA – Configure Application
Step | Description
17 | Take the Role ARN from step 16 and the Provider ARN from step 6 and combine them, separated by a comma and with no whitespace, as roleARN,providerARN. For example, if your Role ARN is arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IdP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, the value is: arn:aws:iam::123456789012:role/OktaAppStreamUsers,arn:aws:iam::123456789012:saml-provider/OKTA
18 | In the Okta Admin Console, open your application and click the Sign On tab.
19 | Click Edit.
20 | Provide the Default Relay State for your AppStream sessions, of the form https://appstream2.REGION-CODE.aws.amazon.com/saml?stack=STACK-NAME&accountId=ACCOUNT-ID-WITHOUT-HYPHENS. Example: AppStream infrastructure in Ireland (eu-west-1), a stack called Appstream and account ID 123456789123 give the Relay State URL https://appstream2.eu-west-1.aws.amazon.com/saml?stack=Appstream&accountId=123456789123
21 | Enter the combined Role ARN and IdP ARN value from step 17 (roleARN,providerARN) and select Application username format: Okta username.
22 | Click Save.
23 | Assign the application to your Okta users: click the Assignments tab, click Assign to People/Groups, and click Assign against each Okta user or group that should have access to the new app.
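As an added example that is not part of the original guide (and not Okta or AWS code), the following Python builds the artifacts steps 9 to 21 ask for and checks them the way a reviewer would: the appstream:Stream policy scoped to explicit stack ARNs rather than "*", the SAML trust policy the step 13 wizard produces, the roleARN,providerARN value for the Okta application, and the Default Relay State URL. The validation regexes, function names and sample values (eu-west-1, stack Appstream, account 123456789123, the two ARNs) are assumptions made here for illustration; the only fixed inputs are the policy condition keys and the SAML audience taken from the steps above.

```python
# Added example for the Okta -> AppStream 2.0 SAML setup above. The regexes and
# names below are this example's own assumptions, not an AWS or Okta API.
import json
import re
from urllib.parse import urlencode

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # the SAML:aud value entered in step 13

# Assumed shapes: 12-digit account ID, region like eu-west-1, simple stack name,
# IAM ARNs without commas (the Okta field in step 21 is comma-delimited).
ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
STACK_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def stack_arn(region, account_id, stack_name):
    """ARN of one AppStream stack, the value step 9 tells you to put in Resource."""
    for pattern, value, what in ((REGION_RE, region, "region"),
                                 (ACCOUNT_RE, account_id, "account ID"),
                                 (STACK_RE, stack_name, "stack name")):
        if not pattern.match(value):
            raise ValueError(f"invalid {what}: {value!r}")
    return f"arn:aws:appstream:{region}:{account_id}:stack/{stack_name}"


def stream_policy(stack_arns):
    """The step 10 permission policy, scoped to explicit stack ARNs instead of '*'."""
    stack_arns = list(stack_arns)
    if not stack_arns:
        raise ValueError("scope the policy to at least one stack; do not fall back to '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": stack_arns,
            "Condition": {"StringEquals": {
                "appstream:userId": "${saml:sub}",  # session user must equal the SAML NameID
                "saml:sub_type": "persistent",      # and that NameID must be persistent
            }},
        }],
    }


def trust_policy(provider_arn):
    """Trust policy equivalent to the step 13 wizard: only this provider, only the AWS SAML audience."""
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not a SAML provider ARN: {provider_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def audit_stream_policy(policy):
    """Review findings for a pasted appstream:Stream policy; an empty list means it passes."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("appstream:Stream", "appstream:*", "*") for a in actions):
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append("Resource '*' grants streaming on every stack in the account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("appstream:userId") != "${saml:sub}":
            findings.append("no appstream:userId == ${saml:sub}: session user not tied to the SAML NameID")
        if cond.get("saml:sub_type") != "persistent":
            findings.append("no saml:sub_type == persistent: transient NameIDs would be accepted")
    return findings


def okta_role_attribute(role_arn, provider_arn):
    """Value for Okta's 'Role ARN and IdP ARN' field (step 21): roleARN,providerARN, no whitespace."""
    r, p = ROLE_ARN_RE.match(role_arn), PROVIDER_ARN_RE.match(provider_arn)
    if not r or not p:
        raise ValueError("expected an IAM role ARN followed by a SAML provider ARN")
    if r.group(1) != p.group(1):
        raise ValueError("role and provider ARNs belong to different AWS accounts")
    return f"{role_arn},{provider_arn}"


def relay_state(region, account_id, stack_name):
    """Default Relay State for step 20: sends the user straight into one stack."""
    stack_arn(region, account_id, stack_name)  # reuse the input validation
    return f"https://appstream2.{region}.aws.amazon.com/saml?" + urlencode(
        {"stack": stack_name, "accountId": account_id})


if __name__ == "__main__":
    # Constructed sample values matching the guide's examples.
    region, account, stack = "eu-west-1", "123456789123", "Appstream"
    role = f"arn:aws:iam::{account}:role/OktaAppStreamUsers"
    provider = f"arn:aws:iam::{account}:saml-provider/OKTA"
    scoped = stream_policy([stack_arn(region, account, stack)])
    print(json.dumps(scoped, indent=2))
    print(json.dumps(trust_policy(provider), indent=2))
    print("scoped policy findings:", audit_stream_policy(scoped))
    print(okta_role_attribute(role, provider))
    print(relay_state(region, account, stack))
```

Running the script prints the scoped policy and trust policy as JSON ready to paste into the IAM console, followed by the Okta attribute value and Relay State URL. Feeding the guide's own step 10 document (Resource "*") to audit_stream_policy reports the wildcard; removing either condition key reports that too, which is the check worth running before a policy is attached.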
References
Okta Guide – http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-AppStream-2-0.html