Setting Up Microsoft Entra ID SAML 2.0 Federation with Amazon WorkSpaces Pools



Published Oct 18, 2024
Last Modified Mar 4, 2025

Introduction

In this blog, I’ll walk you through the process of setting up SAML 2.0 federation between Microsoft Entra ID (formerly Azure AD) and Amazon WorkSpaces Pools. This setup allows users to authenticate using their Microsoft Entra ID credentials, providing a seamless single sign-on (SSO) experience. For the walkthrough, we will be using the AWS US-East-2 (N. Virginia) region.

Prerequisites

Before you begin, ensure you have the following:
• An active Microsoft Entra ID (Azure) subscription.
• Administrative access to the Microsoft Entra admin center.
• An AWS account with administrative access.
• Basic understanding of SAML 2.0 and identity federation concepts.
• Amazon WorkSpaces Pool Directory and Pools configured.

Step 1: Create an Enterprise Application in Microsoft Entra ID for SAML 2.0

1. Sign in to the Microsoft Entra admin center.
2. Navigate to Enterprise applications and select New application.
3. Add an application from the gallery and search for Amazon Web Services (AWS).
4. Select AWS Single-Account Access, customize a name for the application, and click Create.
5. Once the application is created, click Single sign-on.
6. Choose SAML as the single sign-on method.
7. Edit the Basic SAML Configuration:
  • The Entity ID is a unique identifier for the SAML service provider. The SAML specification recommends that the entity ID be a URL containing the domain name of the entity, and industry practice is to use the SAML metadata URL as the entity ID.
  • Identifier (Entity ID): https://signin.aws.amazon.com/saml
  • Reply URL (Assertion Consumer Service URL): https://signin.aws.amazon.com/saml
  • Relay State (Optional): https://workspaces.euc-sso.us-east-1.aws.amazon.com/sso-idp?registrationCode=SLiad+G1234E#
Note: You can get the registration code from the Amazon WorkSpaces Pools directory.
8. Edit the Attributes and Claims configuration:
  • Select and delete all the additional claims.
  • Click Add New Claim and create the attributes listed in the table:

Name               | Namespace                              | Source    | Source Attribute
RoleSessionName    | https://aws.amazon.com/SAML/Attributes | Attribute | user.userprincipalname
PrincipalTag:Email | https://aws.amazon.com/SAML/Attributes | Attribute | user.mail
Role               | https://aws.amazon.com/SAML/Attributes | Attribute | arn:aws:iam::101234567890:role/EntraID-SAML-Federation,arn:aws:iam::101234567890:saml-provider/MicrosoftEntraID-IDP-WorkSpacesPool-UsEast
SessionDuration    | https://aws.amazon.com/SAML/Attributes | Attribute | 3600

  • The Attributes and Claims page should now list exactly these four claims.
9. Download the Federation Metadata XML from the app.

Step 2: Create a SAML Identity Provider in AWS IAM

1. Sign in to the AWS Management Console and open the IAM console.
2. In the navigation pane, choose Identity providers, then Add provider.
3. For Provider Type, select SAML.
4. For Provider Name, enter a name (e.g., MicrosoftEntraID-IDP-WorkSpacesPool-UsEast).
5. Upload the metadata document you downloaded from Microsoft Entra ID.
6. Choose Add Provider.
7. Copy the Provider ARN; you will use this value to update the Role attribute in the Microsoft Entra ID app.

Step 3: Create a SAML 2.0 Federation IAM Role

1. In the IAM console, choose Roles, then Create role.
2. Select SAML 2.0 federation as the trusted entity type.
3. Select the SAML provider you created in the previous step.
4. For the access to be allowed, choose Allow programmatic access only.
5. Choose SAML:aud for the attribute.
6. For Value, enter "persistent". This value restricts role access to SAML user streaming requests that include a SAML subject type assertion with a value of persistent.
7. Choose Next to continue.
8. Don't make changes or selections on the Add permissions page. Choose Next to continue.
9. Enter a name and a description for the role.
10. Choose Create role.
11. On the Roles page, choose the role you just created.
12. Choose the Trust relationships tab.
13. Choose Edit trust policy.
14. In the Edit trust policy JSON text box, add the sts:TagSession action to the trust policy.
15. The result should look like the following example.
16. Choose Update policy.
17. Choose the Permissions tab.
18. In the Permissions policies section of the page, choose Add permissions and then choose Create inline policy.
19. In the Policy editor section of the page, choose JSON.
20. In the Policy editor JSON text box, enter the following policy. Be sure to replace:
  • <region-code> with the code of the AWS Region in which you created your WorkSpaces Pools directory.
  • <account-id> with your AWS account ID.
  • <directory-id> with the ID of the directory you created earlier. You can get this in the WorkSpaces console.
  • The policy should look similar to this example.
21. Copy the Role ARN.
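As an added example that is not part of the original post, here are the Step 2 and Step 3 resources expressed as a single CloudFormation template instead of console clicks: the SAML identity provider, the federation role whose trust policy includes sts:TagSession and limits assumption to persistent subjects (the SAML:sub_type condition key, next to the SAML:aud audience check carrying the Reply URL from Step 1), and the inline streaming policy scoped to the directory and to the caller's own SAML subject. The parameter names, the PolicyName and the DirectoryId value are assumptions; the workspaces:Stream action and workspaces:userId condition key follow the AWS WorkSpaces Pools SAML documentation and should be checked against the example policy shown in your own console.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SamlMetadataDocument:
    Type: String
    Description: Contents of the Federation Metadata XML downloaded from the Entra ID app
  DirectoryId:
    Type: String
    Description: WorkSpaces Pools directory ID from the WorkSpaces console (placeholder value)
Resources:
  # Step 2: IAM identity provider built from the Entra ID metadata
  EntraIdProvider:
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: MicrosoftEntraID-IDP-WorkSpacesPool-UsEast
      SamlMetadataDocument: !Ref SamlMetadataDocument
  # Step 3: role assumed by federated users; sts:TagSession is what allows the
  # PrincipalTag:Email claim to be applied as a session tag
  FederationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: EntraID-SAML-Federation
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref EntraIdProvider   # Ref returns the provider ARN
            Action:
              - sts:AssumeRoleWithSAML
              - sts:TagSession
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml   # Reply URL from Step 1
                SAML:sub_type: persistent                      # only persistent NameIDs
      Policies:
        - PolicyName: WorkSpacesPoolsStream   # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: workspaces:Stream
                Resource: !Sub "arn:aws:workspaces:${AWS::Region}:${AWS::AccountId}:directory/${DirectoryId}"
                Condition:
                  StringEquals:
                    workspaces:userId: "${saml:sub}"   # literal: a user may stream only as their own subject
Outputs:
  RoleClaimValue:
    Description: Value for the Entra ID Role claim in Step 4 (provider ARN,role ARN)
    Value: !Sub "${EntraIdProvider},${FederationRole.Arn}"
```

Deploy with --capabilities CAPABILITY_NAMED_IAM, since the provider and role carry fixed names, and paste the RoleClaimValue output into the Entra ID Role claim in Step 4.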

Step 4: Update the Enterprise Application in Microsoft Entra ID

1. In the Microsoft Azure console, go to the Enterprise App and edit the Single sign-on Attributes and Claims.
2. Edit the Role attribute using the IdP Provider ARN and the Role ARN. The string should be “IDP provider ARN,Role ARN”. Example:
arn:aws:iam::601234567890:saml-provider/MicrosoftEntraID-IDP-WorkSpacesPool-UsEast,arn:aws:iam::601234567890:role/Role-MicrosoftEntraID-IDP-WorkSpacesPool-UsEast-Access
3. Save the changes.

Step 5: Test the Configuration

1. Assign users in Microsoft Entra ID to the AWS application.
2. Copy the Login URL and attempt to sign in to WorkSpaces Pools using a user account from Microsoft Entra ID.
3. Verify that the SSO process works correctly and that users are authenticated and redirected appropriately.

Step 6: Edit the WorkSpaces Pools Directory with the User Access URL

1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
2. Choose Directories in the navigation pane.
3. Select the WorkSpaces Pools directory.
4. In the Authentication section of the page, click Edit and update the User access URL with the Login URL from the previous step.

Conclusion

By following these steps, you can successfully set up SAML 2.0 federation between Microsoft Entra ID and Amazon WorkSpaces Pools. This integration enhances security and provides a seamless user experience by leveraging existing Microsoft Entra ID credentials for authentication.