Setting Up Microsoft Entra ID SAML 2.0 Federation with Amazon WorkSpaces Pools
In this article, I’ll walk you through the process of setting up SAML 2.0 federation between Microsoft Entra ID (formerly Azure AD) and Amazon WorkSpaces Pools. This setup allows users to authenticate using their Microsoft Entra ID credentials, providing a seamless single sign-on (SSO) experience.
Published Oct 18, 2024
Last Modified Mar 4, 2025
In this blog, I’ll walk you through the process of setting up SAML 2.0 federation between Microsoft Entra ID (formerly Azure AD) and Amazon WorkSpaces Pools. This setup allows users to authenticate using their Microsoft Entra ID credentials, providing a seamless single sign-on (SSO) experience. For the walkthrough, we will be using the AWS US-East-2 (N. Virginia) region.
Before you begin, ensure you have the following:
• An active Microsoft Azure Entra ID subscription.
• Administrative access to the Microsoft Entra admin center.
• An AWS account with administrative access.
• Basic understanding of SAML 2.0 and identity federation concepts.
• Amazon WorkSpaces Pool Directory and Pools configured.
1. Sign in to the Microsoft Entra admin center.
2. Navigate to Enterprise applications and select New application.
3. Add an application from the gallery and search for Amazon Web Services (AWS).
4. Select the AWS Single-Account Access and customize a name for the Application and click Create.
7. Edit the Basic SAML Configuration:
o The Entity ID is a unique identifier for the SAML service provider. The SAML specification recommends that the entity ID is a URL that contains the domain name of the entity, and industry practices use the SAML metadata URL as the entity ID.
- Identifier (Entity ID): https://signin.aws.amazon.com/saml
- Reply URL (Assertion Consumer Service URL): https://signin.aws.amazon.com/saml
- Relay State (Optional): https://workspaces.euc-sso.us-east-1.aws.amazon.com/sso-idp?registrationCode=SLiad+G1234E#
Note: You can get the registration code from the Amazon WorkSpaces Pools directory.
8. Edit the Attribute and Claims Configuration:
- Select and delete all the additional claims
- Click on Add New Claim and create the attributes listed in the table
| Name | Namespace | Source | Source Attribute |
|---|---|---|---|
| RoleSessionName | https://aws.amazon.com/SAML/Attributes | Attribute | user.userprincipalname |
| PrincipalTag:Email | https://aws.amazon.com/SAML/Attributes | Attribute | user.mail |
| Role | https://aws.amazon.com/SAML/Attributes | Attribute | arn:aws:iam::101234567890:role/EntraID-SAML-Federation,arn:aws:iam:: 101234567890:saml-provider/MicrosoftEntraID-IDP-WorkSpacesPool-UsEast |
| SessionDuration | https://aws.amazon.com/SAML/Attributes | Attribute | 3600 |
- This is what the Attributes and Claims should show:
9. Download the Federation Metadata XML from the App
1. Sign in to the AWS Management Console and open the IAM console.
2. In the navigation pane, choose Identity providers, then Add provider.
3. For Provider Type, select SAML.
4. For Provider Name, enter a name (e.g., MicrosoftEntraID-IDP-WorkSpacesPool-UsEast).
5. Upload the metadata document you downloaded from Microsoft Entra ID.
6. Choose Add Provider.
7. Copy the Provider ARN, you will use this ARN value to update the Role attribute in the Microsoft EntraID App.
1. In the IAM console, choose Roles, then Create role.
2. Select SAML 2.0 federation as the trusted entity type.
3. Select the SAML provider you created in the previous step.
4. Choose Allow programmatic access only for the access to be allowed.
5. Choose SAML:aud for the attribute.
6. For Value, enter "persistent". This value restricts role access to SAML user streaming requests that include a SAML subject type assertion with a value of persistent.
7. Choose Next to continue.
8. Don't make changes or selections in the Add permissions page. Choose Next to continue.
9. Enter a name and a description for the role.
10. Choose Create role.
11. In the Roles page, choose the role you must created.
12. Choose the Trust relationships tab.
13. Choose Edit trust policy.
14. In the Edit trust policy JSON text box, add the sts:TagSession action to the trust policy.
15. The result should look like the following example.
16. Choose Update policy.
17. Choose the Permissions tab.
18. In the Permissions policies section of the page choose Add permissions and then choose Create inline policy.
19. In the Policy editor section of the page, choose JSON.
20. In the Policy editor JSON text box, enter the following policy. Be sure to replace:
- <region-code> with the code of the AWS Region in which you created your WorkSpace Pool directory.
- <account-id> with the AWS account ID.
- <directory-id> with the ID of the directory you created earlier. You can get this in the WorkSpaces console.
- The policy should look similar to this example.
21. Copy the Role ARN.
1. In the Microsoft Azure console, go to the Enterprise App and edit the Single Sign-on Attribute and Claims
2. Edit the Role Attribute using the IDP Provider ARN and the Role ARN. The string should be “IDP provider ARN,Role ARN”. Example:
arn:aws:iam::601234567890:saml-provider/MicrosoftEntraID-IDP-WorkSpacesPool-UsEast,arn:aws:iam::601234567890:role/Role-MicrosoftEntraID-IDP-WorkSpacesPool-UsEast-Access
3. Save the changes.
1. Assign users in Microsoft Entra ID to the AWS application.
2. Copy the Login URL and Attempt to sign in to WorkSpaces Pools using a user account from Microsoft Entra ID.
3. Verify that the SSO process works correctly and that users are authenticated and redirected appropriately.
1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
2. Choose Directories in the navigation pane.
3. Select the WorkSpaces Pools directory.
4. In the Authentication section of the page, click Edit and update the User access URL with the Login URL from the previous step.
By following these steps, you can successfully set up SAML 2.0 federation between Microsoft Entra ID and Amazon WorkSpaces Pools. This integration enhances security and provides a seamless user experience by leveraging existing Microsoft Entra ID credentials for authentication.