Configuring Amazon WorkSpaces Pools with Okta

The Amazon WorkSpaces family of products provides customers with multiple options to deploy managed virtual desktops to end users. WorkSpaces Pools is our non-persistent desktop option, and requires SAML for user authentication.

You will need administrative access to an existing Okta account in order to use this article.

This article has a two-part YouTube video series that you can watch to follow along with.

Part One:

Part Two:

Overview

This article will describe an end-to-end setup of WorkSpaces Pools with Okta, a popular identity provider platform. The high level steps are as follows:

First, you will begin by creating a WorkSpaces Pool setup
- Specifically, a WorkSpaces Pool Directory, and then WorkSpaces Pool itself.
Next, you will create the SAML application in Okta, perform the majority of the Okta specific steps, and configure the SAML sign in settings on the WorkSpaces Pools Directory.
Then, you will use AWS Identity and Access Management (or IAM).
- Specifically, you will set up an Identity Provider for the Okta application to use, and a Role containing the permissions it will need.
Then you will finalize the SAML assertions on the Okta application

After these steps, the WorkSpaces Pool will be available and can be signed in using the Okta users or groups that have been assigned to the Okta application.

Note that the below configuration is specific to non-domain-joined WorkSpaces Pools setups. Active Directory has slightly different SAML claim requirements, which will be added in a future edit.

WorkSpaces Pools Directory Setup

To start, navigate to the WorkSpaces console. Double check that are you in the AWS Region you intend to deploy in.

Navigate to the "Directories" section in the left column. Then, select the orange Create Directory option in the top right.

Select the Pool directory type at the top, and then fill out the form.

User identity source:
- User access URL: put https://placeholder
- Leave relay state blank
Directory Information
- Directory name and description: A friendly name, not a Fully Qualified Domain Name. For example, use something like Pools-1.
- Description can be a friendly placeholder.
Networking and Security
- The Enable internet access box should be unchecked, unless you are deploying the Pool to public subnets. When enabled, this option attaches public IPv4 addresses to the WorkSpaces. In most cases, you should deploy your WorkSpaces in private subnets and use a NAT Gateway or managed security appliance to access the Internet instead of direct public IPv4 addresses.
  - VPC: Select your VPC
  - Subnet 1 and 2: Select your subnets.
  - Security Group: Select a Security Group you would like to attach to your Pools.
Configuration
- If your account is enabled for Bring Your Own License, you will need to enable this option. If enabled, this Directory can be used for Windows 10 and 11 images. If not enabled, this Directory cannot be used for Windows 10 and 11 images.
  - This option cannot be switched after creation.
Active Directory Config
- If you would like your WorkSpaces Pool to join an Active Directory environment, this is where you would configure that. This section is optional.
Streaming properties
- If you would like to control settings like clipboard redirection and printer access, this is where you can do so.
IAM role
- If you would like to attach an IAM role to the WorkSpaces Pool instances, permitting programmatic access to AWS resources, you can do so here. See our documentation for more information on how to configure an IAM Role that can be used here.

After creation has begun, select the link for your new directory in the left column of the list, so that you are the Details page for the directory. This includes information such as the Registry code.

Leave this directory details tab open, and open a new tab for the next steps. You will come back to this directory details tab in subsequent steps.

WorkSpaces Pool setup

Now you will set up the WorkSpace Pool instance itself.

In a new tab, navigate to the WorkSpaces console. Double check that are you in the AWS Region you intend to deploy in. Select Pools in the left column, and then select the orange Create WorkSpace button at the top right.

On Step 1, "Onboarding", select I know what workspace options I need for my use case, and then Next.
Select Pools under WorkSpace Type, and enter a Name and Description.
For Bundle, select a public bundle, or alternatively, a custom bundle with the WSP protocol that you have already prepared. Existing WSP WorkSpaces Personal bundles can be used with Pools.
The options in Settings can be left at their default values unless you need to customize them.
The Capacity and Scaling section can be left at its defaults for this test, or customized based on your needs. Select Next at the bottom.
Then, select the WorkSpace Pool Directory you created previously, and then the orange Create WorkSpace Pool button.
Select the Pool you just created, and then Actions, and then Start. While the Pool is starting, you can proceed to the next steps.

Okta integration - initial setup

Next, you will create the SAML integration in Okta. Before starting that, you will need to construct the Default RelayState URL. This URL has a syntax to follow. Copy the below line into a text editor.

https://workspaces.euc-sso.REGION.aws.amazon.com/sso-idp?registrationCode=REGCODE

You will replace REGCODE at the end with your registration code, and REGION with the region of the directory, such as us-west-2 or eu-west-1.

Return to the prior tab with the WorkSpaces Directory details. In the Summary section at the top, in the lower left, you will see the Registration Code. Copy this registration code and paste it over the REGCODE placeholder. Then replace the REGION placeholder with the region code that matches your deployment. A full list of valid region codes is available on our documentation here.

You are now ready to proceed with the initial Okta configuration steps.

In a new tab, open your Okta administration console. Navigate to Applications in the left column. Select the blue Create App Integration button at the top left.
Select the SAML 2.0 and Next choices.
Provide an App name and optionally, a logo, then selct Next.
For step 2 of the wizard, there are several sections to configure. Below are the fields to copy and paste.
1. General:
  1. Single sign-on URL: https://signin.aws.amazon.com/saml
    1. Leave the Use this for Recipient URL and Destination URL box checked.
  2. Audience URI (SP Entity ID): urn:amazon:webservices
  3. Default RelayState: Paste the URL you constructed here.
  4. Name ID format: Select Persistent.
  5. Application username: Leave this at the default.
  6. Update application username: Leave this at the default.
2. Attribute Statements: You will need to create 3 attribute statements here with the following values.
  1. Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
    1. Name Format: Unspecified
    2. Value: user.email
  2. Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
    1. Name Format: URI Reference
    2. Value: userName
  3. Name: https://aws.amazon.com/SAML/Attributes/SessionDuration
    1. Name Format: Basic
    2. Value: 3600
      1. This is measured in seconds, and can be higher than this - up to a max of 43200. See our SessionDuration SAML Attribute documentation for more information.
Scroll to the bottom of the page and choose Next.
Choose This is an internal app, and then Finish.

WorkSpaces Pools Directory SAML Configuration

In the Okta configuration for your application, there is a Sign On tab. In that tab, under the SAML 2.0 Settings section, expand the Details and look for the Sign On URL. Copy this URL.
Return to the separate browser tab that has the Workspaces Pool Directory Details page open. In the second section, Authentication, select the Edit button.
Select the Edit SAML 2.0 Identity Provider button.
Paste the URL you just copied into the User Access URL field. Leave the Enable SAML 2.0 authentication box checked, and ensure the IdP deep link parameter name is at its default value of RelayState.
Select Save, and then return to the details tab for the overall directory.

AWS Identity and Access Management (IAM) Setup

Now you can create the AWS IAM SAML Identity Provider, and AWS IAM Role, which will be used to finish the setup. You will start with the IAM Identity Provider.

IAM Identity Provider

The first steps are done in the Okta administration console.

In the Okta administration console, open your WorkSpaces Pool application you created previously.
In the Sign On tab, load the metadata URL in a new tab.
In the resulting XML tab, right select anywhere, and choose Save As.
Save this file as metadata.xml to your computer.
1. Double check that the .xml extension does not get dropped. In Firefox, you will need to save as type All files and manually add the .xml extension to the file name before saving.

The next steps are done in the AWS IAM console. Open a separate browser tab for this.

In a new browser tab, open the AWS IAM Identity Providers console and select Add provider in the top right.
Select SAML.
1. For the Provider name, choose any name you prefer, such as Pools-Demo-1-IdP
2. Metadata Document: Upload the metadata.xml file saved from the Okta console.
Choose Add provider to save the settings.
You will be returned to the list of identity providers, and you will see a green banner at the top that says <your chosen name> added. You must assign an IAM role to start using this provider. Select the View Provider button to the right of this to open your new Identity Provider's details page.
Leave this browser tab open, as you will need to return in a subsequent step.

IAM Role creation

In a new browser tab, open the AWS IAM Roles console and choose Create role.
Choose SAML 2.0 federation for the role type.
For the SAML 2.0-based provider drop down menu, choose the provider you created previously.
1. Do not choose either "programmatic access" or "programmatic access and console" for the access levels.
2. For Attribute choose SAML:sub_type
3. For Value enter persistent
On Step 2, add permissions, do not select any polices. Choose Next at the bottom.
On Step 3, choose a name, description, and any desired tags, then scroll to the bottom and select Create role.
You will be returned to the list of roles, and you will see a green banner at the top that says Role <your chosen role name> created. To the right, you will see a View role button. Select this button to open the details page for the Role.

IAM Role Permission Setup

In the IAM Role's details page, under the Permissions tab, select Add Permissions > Create inline policy.
Choose JSON, and delete the pre-existing JSON that will be populated.
Replace the JSON with the following template.
1. The first wildcard in the template corresponds to the AWS Region. As a wildcard value, this will perit the role to stream WorkSpaces Pools from any region.
2. The ACCOUNTID placeholder should be replaced with your account ID.
3. The second wildcard refers to your WorkSpaces Pool directory ID. As a wildcard, it permits connecting to any Pool.
After making any required changes to the example policy, scroll down and select Next to save it.

For more information on the IAM policy syntax, see the Specify WorkSpaces resources in an IAM policy documentation page, and expand the WorkSpace pool ARN section.

IAM Role Trust Policy setup

In the IAM role's details page, select the Trust relationships tab.
Select Edit trust policy.
You will need to add the "sts:TagSession" action. You will need to convert the Action section from a single item to an array. The below syntax is what it should look like.
1. The value on Line 7 is the ARN (Amazon Resource Name) of your IAM Identity Provider. You can copy this ARN from the Identity Provider's details page, which is still open in a prior tab.
Select Update policy to save the trust policy and return to the Role's details page.
This concludes the IAM setup. Do not close the tab yet, as you will need it in the next section.

Finalize Okta Configuration

The last configuration step is to configure the SAML assertion in Okta to use the IAM Role and Identity Provider you just created. Open a text editor to assemble this. The syntax will be like this:

IAM_ROLE_ARN,IAM_IDP_ARN

For example:
arn:aws:iam::111122223333:role/Pools-Demo-1-Role,arn:aws:iam::111122223333:saml-provider/Pools-Demo-1-IdP

In the IAM Role details page, in the Summary section, you will see an ARN value. Copy this and paste it into your text editor. Then put a comma immediately after it, with no space.
In the IAM Identity Provider details page, in the Summary section, you will see an ARN value. Copy this and paste it into your text editor, immediately after the comma.

The final steps are done in the Okta administration console. Return to that browser tab.

In the Okta administration console, go to your WorkSpaces Pool application in the Applications section.
Edit the application, go to to the General tab, expand SAML Settings, and choose the Edit button.
Add another attribute statement:
1. Name: https://aws.amazon.com/SAML/Attributes/Role
  1. Name Format: URI Reference
  2. Value: Paste the string you created in your text editor.
Select next and finish to save your settings.

Assign a user or group

Be sure to assign a user or group to this application in the Assignments tab before proceeding to testing.

Test your setup

A user or group who has been assigned Okta access to the WorkSpaces Pools application can now test your WorkSpaces Pools setup in one of two ways.

Launch the WorkSpaces Pools application directly from the list of Okta applications in their Okta dashboard.
Log into the Pool using the WorkSpaces Client. You will need to enter the Registration Code from the Directory Details tab.

Conclusion

You now have an Amazon WorkSpaces Pool setup using Okta, and can proceed with further testing as required. Thank you very much for your time reviewing this article. We look forward to your feedback.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.

Site Terms, Privacy, and more.