AWS Logo
Menu

Configuring Workspace Personal and Workspaces Pools SAML Authentication with Auth0

This post describes end-to-end setup of Amazon Workspaces Personal and Workspaces Pools with Auth0

Published Nov 1, 2024
Last Modified Nov 12, 2024
The Amazon WorkSpaces family of products provides customers with multiple options to deploy managed virtual desktops to end users. WorkSpaces Personal WorkSpaces Personal is a fully managed, highly configurable virtual desktop service designed to provide knowledge workers with seamless access to the applications and resources they need to do their jobs while Workspaces Pools is our non-persistent desktop option, and requires SAML for user authentication.
You will need administrative access to an existing Auth0 account in order to use this article to setup SAML Authentication for Workspaces Personal and Workspaces Pools.
Steps required in order to implement/complete the SAML configuration.
  1. Create an App in Auth0 to generate the Metadata manifest file.
  2. Create a SAML Identity Provider in AWS Identity and Access Management (IAM).
  3. Create a SAML 2.0 Federation IAM Role and IAM Policy.
  4. Configuring Auth0 and SAML assertions.
  5. Enabling SAML 2.0 Integration in your workspaces directory.
  6. Test your configuration.
A guide for setting up a functioning lab for SAML authentication with WorkSpaces Personal and Workspaces Pools using Auth0 as your IDP.
NOTE : Please make to go over the appropriate requirements and pre-requisites outlined here. For lab purposes I have created a Auth0 lab account using the following link.
Prerequisites
  • Auth0 Account with Active directory connector configured.
  • AWS Managed Active Directory configured for AWS Workspaces
  • A provisioned Amazon Workspace within the same directory.
NOTE : For my lab purposes I am using AWS Managed AD but this can also be done with AD Connector if there is a presence of existing on-prem Active Directory.
Installed the Auth0 AD/Ldap Connector on a EC2 Instance that is joined to my AWS managed AD Domain. Once this Connector is implemented users that are part of the directory should sync across the Auth0 console. [Active-Directory-LdapConfiguration]
  • Login to Auth0 console and navigate to Authentication -> Enterprise and then select Active Directory/LDAP.
ActiveDIrectory/LDAP
  • Select Create Connection name and then provide the name to your AD Connection. I have named my connection as below.
CreateConnection
  • On the Setup Tab download the required Installed as per the operation system. Once the installation is complete you should see the below tab populating with your default browser.
https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#enable-integration-saml
  • Enter the provisioning ticket Url which should be unique for your connection string and then click Continue.
  • Next Enter the Administrator Username as Domain\Username and password , click save.
  • Once the connection is established to Auth0 you should see the following log details if all the checks are successful.
  • After successful verification the respective AD\LDAP Connection should be back to online status.
As of now the respective AWS Managed AD is connected to Auth0. Now we will proceed ahead with the steps required to setup Auth0 saml application and other configurations needed from AWS end.
Step1 . Create an App in Auth0 to generate the Metadata manifest file
  • Log back into the Auth0 management console and create a New Application. Once the application is created navigate to AddOns tab and enable SAML2 WEB APP.
  • Click on the SAML2 WEB APP to configure the Addon which will be used to provide the AWS SAML call back url along with the SAML configuration setting that would be required to identify NameIdFormat.
  • On the settings tab within the Application Callback Url add "https://signin.aws.amazon.com/saml" this is where the SAML token will send the POST request. Next update the settings section paste the following SAML configuration code in json format.
  • Scroll down at the bottom save and click enable.
  • Next navigate to the Usage tab and then download the metadata manifest file. This file would be required in the next steps.
  • Close the SAML2 Web App window, then click over Connections. Under Enterprise, select the correct Active Directory/LDAP Connector and enable.
STEP 2 : Create a SAML Identity Provider in AWS Identity and Access Management (IAM)
Step 3: Create an IAM Role and IAM Policy for SAML 2.0 Federation
Similarly for this step we will be following the steps that are outlined in our AWS Public Documentation.
https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#create-saml-iam-role
https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#embed-inline-policy
Step 4: Configuring Auth0 and SAML assertions
  • Sign in to Auth0 Management Dashboard, go to Actions->Library-> Create Action -> Build from Scratch.
  • Provide a Name , keep the trigger as Login/Post Login and runtime as Node 18 then click Create.
  • On the Next Screen Copy Paste below Code an Click Deploy.
  • Replace the appropriate application name in the event.cllient.name section which was created in Step.1 . Followed by updating the awsRole section with the respective IAMRole arn and Idp_arn which was created in Step 3.
  • Once the step is done please navigate to Actions --> Flows -> Click Login.
  • On the right hand side under Add Action -> click Custom and move the action which was created in previous step between Start and Complete as per the below screenshot. This will allow the end users to assume the respective IAM role and IDP defined in the logon flows.
  • Once done Click Apply.
Step 5: Enabling SAML 2.0 Integration in your workspaces directory
  • For this step please follow the steps outlined in the following AWS Public Documentation. You can keep the IdP deep link parameter name as “RelayState”.
  • User Access url : This can be achieved from Usage Tab from the SAML Web App Addon Section.
STEP 6 : Test Workspace SAML Authentication
  • Open your Amazon Workspaces Client to test this configuration and provide your registration code. You should see something similar to below.
  • Click continue to proceed ahead with the saml authentication where you will be redirected to the IDP logon page in this case Auth0 that will look something as seen below.
  • Sign in with your AD username and password once successful you should be redirected to specific region end point url and then redirected to the Workspace Client with pre-populated workspace username.
  • Enter your username password and you should be logged into the Workspace.

PART-II : In this section I have added the additional steps that would be required to Setup SAML authentication for Workspaces Pools using Auth0.

NOTE : My Workspaces Pool Lab is domain Joined using AWS Managed AD but this can be implemented using self managed ad or without any Active Directory Integration as well

Things to keep in mind while setting up AWS Workspaces Pools with directory domain join make sure to have the DHCP option scope updated with appropriate Domain DNS Ip address or if you are using default dhcp option scope you can use Route53 outbound resolver to forward the requests to the respective Domain DNS. Modifying or updating DHCP option scope is not a requirement if you want to have non domain Workspaces Pools.

  • https://docs.aws.amazon.com/whitepapers/latest/best-practices-for-deploying-amazon-appstream-2/vpc-design.html
  • https://guide.aws.dev/articles/ARNAUCSX2UT22h2rouPsxGNQ/how-to-deploy-appstream-domain-join-environment-without-using-custom-dhcp-option-set
Step1 . Create an App in Auth0 to generate the Metadata manifest file
  • This step will be same as we did for Workspaces Personal Setup.
Step 2 : Create a SAML Identity Provider in AWS Identity and Access Management (IAM)
https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html#saml-directory-configure-saml-idp
Step 3: Create an IAM Role and IAM Policy for SAML 2.0 Federation
https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html#saml-directory-saml-federation-role-in-iam
Step 4: Configuring Auth0 and SAML assertions
  • Same steps would be required to create appropriate SAML assertions for Workspaces Pool setup.
Step 5: Enabling SAML 2.0 Integration in your workspaces Pool directory
https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html#saml-directory-enable-saml-integration

Testing Workspaces Pool SAML authentication.

  • Open the Workspace Client and enter the respective registration code provided by your admin.
  • After Entering the Workspace Pool registration code you will be asked to continue with authentication to the IDP portal where the corresponding Workspaces_pool application has been configured.
  • Once the end user is authenticated at the Identity provider url , the session provisioning request will be redirected to the Workspace.
  • After successful authentication you should be able to confirm the Workspaces pooled desktop is a part of Pool Directory.

Conclusion

You now have an Amazon WorkSpaces Personal and Workspaces Pools setup using Auth0, and can proceed with further testing as required. Thank you very much for your time reviewing this article. We look forward to your feedback.
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.

Comments