
A detailed guide to Configure SAML 2.0 for Amazon AppStream 2.0
Guides and how-tos have been published in the past about SAML 2.0 configuration for AppStream 2.0 and Okta. I found that these guides are either outdated, no longer reference the current configuration, or do not have enough detail to walk the reader through the entire process. This guide attempts to provide an updated and detailed walkthrough.
Published Oct 4, 2024
Last Modified Oct 18, 2024
Okta’s Amazon AppStream 2.0 integration allows end users to authenticate to Amazon AppStream 2.0 applications using single sign-on with SAML. Okta admins can also set the duration of users' authenticated sessions from Okta.
Configuring SAML 2.0 for Amazon AppStream 2.0 consists of the following steps:
- Step 1: Configure the Amazon AppStream 2.0 integration in Okta
- Step 2: Setting up Okta as your Identity Provider in AWS
- Step 3: Setting up a SAML Role for Identity Provider Access
- Step 4: Update the Amazon AppStream 2.0 integration in Okta
- Step 5: Testing the Amazon AppStream 2.0 integration
This guide assumes you have an existing Amazon AppStream 2.0 Stack and Fleet configured to run the AppStream Demo image.
- StackName: BaseStack_DemoW19Fleets
- FleetName: DemoW19Fleets
Step 1: Configure the Amazon AppStream 2.0 integration in Okta
The first step in configuring the SAML 2.0 integration with Amazon AppStream 2.0 is to create the Okta application. Open the Amazon AppStream 2.0 app integration configuration in Okta and perform the following steps:
1. In Okta, go to Applications and Create App Integration

2. Choose SAML 2.0 and click Next

3. In the General Settings, enter an App name and optionally upload an App Logo. Click Next.

4. In the Configure SAML step, enter the following details under SAML Settings. The AWS region, account number and stack name in these values need to be adjusted to match your own environment.
- Single sign-on URL: https://signin.aws.amazon.com/saml
- Check the box: Use this for Recipient URL and Destination URL
- Audience URI (SP Entity ID): urn:amazon:webservices
- Default RelayState: https://appstream2.euc-sso.us-east-1.aws.amazon.com/saml?stack=BaseStack_DemoW19Fleets&accountId=601012345139
- Name ID format: Persistent
- Application username: Okta username
- Update application username on: Create and update


5. (Optional) If the AppStream 2.0 stack has a domain-joined fleet, select the AD user principal name for Application username format (otherwise leave as Okta username). If you need to set a custom format, you can create an expression language reference.
6. The last step is to configure the Relay State parameter for the application. It uses the following format:
https://relay-state-region-endpoint?stack={stackname}&accountId={aws-account-id-without-hyphens}
For details, see Amazon’s documentation on How to Configure the Relay State for your Federation.
7. Click Save.
8. Leave the Advanced Settings with their default values.
9. In the Attribute Statements (optional) section, click Add Another and create the following attributes:
- Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
- Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
- Name: https://aws.amazon.com/SAML/Attributes/SessionDuration
- Name: https://aws.amazon.com/SAML/Attributes/Role (Name format: URI Reference)
10. For the Role attribute, enter the Role ARN and the Provider ARN as comma-separated values. Neither ARN exists yet, so enter placeholder values for now; they are replaced with the real ARNs in Step 4.

11. For the SessionDuration attribute, enter the user’s desired session duration in seconds.
12. To verify the information entered and the XML that Okta will send in the assertion, click the Preview the SAML Assertion button.

13. Click Next and Finish.
14. The application is created and its Sign On details are shown. Copy the Metadata URL and open it in a separate window.

15. Right-click the XML content, choose Save as, and save the file as oktametadata.xml.

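Step 12's assertion preview is the place to catch a mistyped attribute before anything reaches AWS. The checker below is an added example, not Okta's or AWS's code: it parses an assertion and verifies the audience, the persistent NameID format, the "role ARN,provider ARN" shape of the Role attribute, a non-empty RoleSessionName and a SessionDuration within AWS's accepted range. The embedded assertion is constructed for the demo and carries only the elements the check reads.

```python
"""Check an Okta "Preview the SAML Assertion" document against the settings
configured above. Added example, not Okta's or AWS's code; the embedded
assertion is constructed for the demo and carries only the elements checked."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR = "https://aws.amazon.com/SAML/Attributes/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: the parts of an Okta assertion this check looks at.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject><saml2:NameID Format="{fmt}">alice@example.com</saml2:NameID></saml2:Subject>
 <saml2:Conditions><saml2:AudienceRestriction>
  <saml2:Audience>urn:amazon:webservices</saml2:Audience>
 </saml2:AudienceRestriction></saml2:Conditions>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="{a}Role"><saml2:AttributeValue>{role}</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="{a}RoleSessionName"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="{a}SessionDuration"><saml2:AttributeValue>{dur}</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

def sample(role_value: str, duration, fmt: str = PERSISTENT) -> str:
    """Fill the constructed sample with the values under test."""
    return SAMPLE.format(fmt=fmt, a=ATTR, role=role_value, dur=duration)

def check_assertion(xml_text: str) -> list:
    """Return the problems found; an empty list means the preview matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []
    aud = root.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if aud != "urn:amazon:webservices":
        problems.append(f"Audience is {aud!r}, expected urn:amazon:webservices")
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent (the role trust policy requires it)")
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", namespaces=NS) or ""
             for a in root.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    parts = attrs.get(ATTR + "Role", "").split(",")
    if (len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts)
            or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]):
        problems.append("Role must be '<role ARN>,<provider ARN>' (comma separated, no spaces)")
    elif parts[0].split(":")[4] != parts[1].split(":")[4]:
        problems.append("role and provider ARNs must belong to the same AWS account")
    if not attrs.get(ATTR + "RoleSessionName"):
        problems.append("RoleSessionName is missing or empty")
    dur = attrs.get(ATTR + "SessionDuration", "")
    if not dur.isdigit() or not 900 <= int(dur) <= 43200:
        problems.append("SessionDuration must be a whole number of seconds from 900 to 43200")
    return problems
```

Paste the XML from the preview window into `check_assertion` in place of the constructed sample; the role account check also catches the placeholder ARNs from step 10 if they were never replaced.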
Step 2: Setting up Okta as your Identity Provider in AWS
In order to use SAML for Amazon AppStream 2.0, you need to set up Okta as an identity provider in AWS and establish the SAML connection, as follows:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
- Select Identity Providers in the navigation pane, then click Add Provider:

- Follow the steps below:
- Provider Type: Select SAML
- Provider Name: Enter a name for the identity provider.
- Metadata Document: Click Choose File and upload the oktametadata.xml file downloaded from the Okta SAML application.

- Click Add Provider:

- Verify the identity provider information and locate the identity provider you created. Click on its name and copy the Provider ARN value (e.g. arn:aws:iam::601234561139:saml-provider/idp-okta-appname-use1). You will need it later in this configuration.

Step 3: Setting up a SAML Role for Identity Provider Access
Next, create a SAML 2.0 federation IAM role. This step establishes a trust relationship between IAM and Okta, which identifies Okta as a trusted entity for federation. The role also defines which users authenticated by Okta are allowed to access an AppStream 2.0 stack. See Amazon documentation here for more information.
1. In the AWS console navigation pane, select Roles > Create role:

2. Select SAML 2.0 federation, then follow the steps below:

- SAML provider: Select the SAML IdP that you created.
IMPORTANT: Do not choose either of the two SAML 2.0 access methods (Allow programmatic access only or Allow programmatic and AWS Management Console access).
- Attribute: Select SAML:sub_type.
- Value: Enter persistent.
- Click Next: Permissions:

3. On the Attach permissions policies page, embed an inline IAM policy for your role. Refer to Amazon documentation here for more information. Then click Next: Review:

4. Click Next: Review:
5. Follow the steps below:
- Role name: Enter a name that helps you identify the purpose of this role. Because various entities might reference the role, you cannot edit the name of the role after it has been created.
- Role description (optional): Enter a description for the new role.
- Skip the Add Permissions section for now.
- Click Create role:

6. Locate the IAM role you created. Click on Add permission and choose Create inline policy.

7. In the Policy Editor, select JSON and paste the following JSON statement into the editor. Replace the AWS account number and stack name in the JSON with your own values.

8. Enter a name for the policy and click Create Policy.

9. Verify the role's trust relationship, then locate the ARN for the role and copy it; you will need it to update the Okta application.
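The two policy documents this section produces, written out as an added example (not the page's or AWS's own JSON): the trust policy that step 2 yields for a SAML 2.0 federation role with the SAML:sub_type = persistent condition and neither access method selected, and the inline policy for step 7, which limits the role to streaming the one stack as the federated user identified by the assertion's NameID. The region, account number, stack name and provider name are placeholders.

```python
"""Build the trust policy and the inline streaming policy for the SAML
federation role described above. Added example, not the page's own JSON;
the document shapes follow AWS's published policy formats and the sample
region, account, stack and provider values are placeholders."""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")  # AWS account id without hyphens


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for the SAML 2.0 federation role: only the named Okta
    provider may call AssumeRoleWithSAML, and only for an assertion whose
    NameID is persistent (the SAML:sub_type = persistent condition in step 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:sub_type": "persistent"}},
        }],
    }


def stream_policy(region: str, account_id: str, stack_name: str) -> dict:
    """Inline policy for the role (step 7): allow appstream:Stream on the one
    stack only, and only when the AppStream user id equals the federated
    user's NameID, so a user cannot stream as someone else."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("account id must be 12 digits with no hyphens")
    stack_arn = f"arn:aws:appstream:{region}:{account_id}:stack/{stack_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": stack_arn,
            "Condition": {"StringEquals": {"appstream:userId": "${saml:sub}"}},
        }],
    }


if __name__ == "__main__":
    # Placeholder values; substitute your own region, account, stack and provider.
    provider = "arn:aws:iam::123456789012:saml-provider/idp-okta-appname-use1"
    print(json.dumps(trust_policy(provider), indent=2))
    print(json.dumps(stream_policy("us-east-1", "123456789012", "BaseStack_DemoW19Fleets"), indent=2))
```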

Step 4: Update the Amazon AppStream 2.0 integration in Okta
1. Log on to Okta and open the SAML application's General tab.

2. Click on edit in the SAML Settings and go to the Configure SAML section.

3. In the Attribute Statement section, edit the value for the Role attribute.

4. For example, if your Role ARN is arn:aws:iam::123456789012:role/role-okta-apptream-use1 and your IdP ARN is arn:aws:iam::123456789012:saml-provider/idp-okta-appname-use1,
the value is: arn:aws:iam::123456789012:role/role-okta-apptream-use1,arn:aws:iam::123456789012:saml-provider/idp-okta-appname-use1
5. Save the settings and Finish.
Step 5: Testing the Amazon AppStream 2.0 integration
1. You are now ready to assign users to the application and test SAML.
2. In the Okta application details, scroll to the App Embed Link and copy the URL.

3. Open the Embed Link URL in a new window.
4. Authenticate with Okta
5. Once the SAML assertion from Okta is accepted by AWS, the AppStream client option screen is shown.

6. Click Continue with browser for the test.
7. The AppStream application catalog is displayed. If you get the error “No Application Available”, AppStream authentication was successful but the AppStream stack does not have a fleet associated with it.

8. Check the AppStream Stack and Fleet association in AWS.

9. Once you associate the stack with a fleet, you can click on Try Again to refresh the application catalog.

10. Click on an App to test. Depending on your fleet configuration, it may take up to 90 seconds for the session to begin.

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-AppStream-2-0.html