Deploy SAML 2.0 Authentication for AWS EUC Services in Minutes with CloudFormation

SAML 2.0 authentication for AWS End-User Computing (EUC) services like Amazon AppStream 2.0 or Amazon WorkSpaces can be tricky, with even small typos leading to deployment failures. This article demonstrates how to leverage AWS CloudFormation to streamline and error-proof the AWS-side SAML 2.0 integration process. Learn how to automate your setup, minimize configuration errors, and simplify your deployment workflow for more reliable and efficient EUC service authentication.

Sergio Volpi
Amazon Employee
Published May 27, 2025
Last Modified Jun 3, 2025
This CloudFormation template creates a SAML federation setup for AWS End-User Computing services (either AppStream 2.0, or WorkSpaces Personal or Pools).

Key Components

Template Parameters

  • EnvType: Lets you choose between AppStream 2.0 and WorkSpaces (Personal or Pools)
  • FederationName: Name for your SAML provider in IAM
  • FederationBucket and FederationFile: S3 location of your identity provider's metadata XML file
  • Service-specific parameters: AppStreamStackName for AppStream, or WorkSpacesDirectoryID and UserAccessUrl for WorkSpaces (Personal or Pools)

Conditions

  • CreateWSResources: True when WorkSpaces (Personal or Pools) is selected
  • CreateASResources: True when AppStream 2.0 is selected

Key Resources

The AWS CloudFormation template will deploy the following resources:
  1. FederatedRole: An IAM role that:
    • Can only be assumed through SAML federation (sts:AssumeRoleWithSAML) via the SAML provider the stack creates
    • Grants streaming permission (appstream:Stream on the chosen AppStream 2.0 stack, or workspaces:Stream on the chosen WorkSpaces directory) depending on the selected environment
    • Scopes that permission to the signed-in user by matching the user identifier against the SAML subject (saml:sub), so a federated user cannot stream as someone else
  2. LambdaExecutionRole: IAM role for Lambda functions with permissions to:
    • Create/delete SAML providers
    • Access S3 to read the metadata file
    • Modify WorkSpaces SAML properties
    • Write logs to CloudWatch
  3. ModifySamlPropertiesLambda (only for WorkSpaces):
    • Python function that configures SAML integration for WorkSpaces
    • Enables SAML authentication and sets the user access URL
    • Handles CloudFormation custom resource lifecycle events
  4. ModifySamlProperties: Custom CloudFormation resource that invokes the Lambda function
  5. SAMLProviderLambda:
    • Python function that manages the IAM SAML provider
    • Downloads the metadata file from S3
    • Creates/updates/deletes the SAML provider based on CloudFormation events
    • Includes proper error handling and response sending
  6. SAMLProvider: Custom CloudFormation resource that invokes the Lambda function to create the actual IAM SAML provider
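The SAMLProviderLambda behaviour listed above, written out as an added example that is not the article's template code: a custom-resource handler that validates the IdP metadata before calling IAM, maps Create/Update/Delete events onto the IAM SAML provider API, and always sends the CloudFormation response so a failed call rolls the stack back instead of hanging. The property names (FederationName, FederationBucket, FederationFile) follow the template parameters; the fake IAM and S3 clients, the 123456789012 account ID, the stack and request IDs and the sample metadata are constructed so the handler can be exercised offline. In Lambda you would call `handle(event, boto3.client("iam"), boto3.client("s3"))`.

```python
import io
import json
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def validate_idp_metadata(xml_text):
    """Reject what IAM refuses, or what would yield a provider that can verify nothing."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    idp = root.find("{%s}IDPSSODescriptor" % MD_NS)
    if idp is None:  # classic mistake: uploading the AWS SP metadata instead of the IdP's
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = [c for c in idp.iter("{%s}X509Certificate" % DS_NS) if (c.text or "").strip()]
    if not certs:
        raise ValueError("no X509Certificate: assertion signatures could not be verified")
    return {"entity_id": entity_id, "signing_certs": len(certs)}

def send_response(url, body):
    """PUT the result to CloudFormation's pre-signed URL; skipping it on failure leaves
    the stack in CREATE_IN_PROGRESS until the custom resource times out."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(data))})
    urllib.request.urlopen(req).read()

def handle(event, iam, s3, send=send_response):
    """Create/Update/Delete the IAM SAML provider; clients are injected for offline use."""
    props = event["ResourceProperties"]
    resp = {"Status": "SUCCESS", "Data": {}, "StackId": event["StackId"],
            "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"],
            "PhysicalResourceId": event.get("PhysicalResourceId", props["FederationName"])}
    try:
        if event["RequestType"] == "Delete":
            arn = event["PhysicalResourceId"]
            if arn.startswith("arn:"):  # a failed Create left only the name: nothing to delete
                iam.delete_saml_provider(SAMLProviderArn=arn)
        else:
            obj = s3.get_object(Bucket=props["FederationBucket"], Key=props["FederationFile"])
            metadata = obj["Body"].read().decode("utf-8")
            validate_idp_metadata(metadata)
            if event["RequestType"] == "Create":
                arn = iam.create_saml_provider(Name=props["FederationName"],
                                               SAMLMetadataDocument=metadata)["SAMLProviderArn"]
            else:  # Update: IAM provider names are immutable, so only the metadata is replaced
                arn = event["PhysicalResourceId"]
                iam.update_saml_provider(SAMLProviderArn=arn, SAMLMetadataDocument=metadata)
            resp["PhysicalResourceId"] = arn
            resp["Data"]["SAMLProviderArn"] = arn
    except Exception as exc:  # report every failure so CloudFormation rolls back promptly
        resp["Status"], resp["Reason"] = "FAILED", "%s: %s" % (type(exc).__name__, exc)
    send(event["ResponseURL"], resp)
    return resp

# --- Constructed sample metadata and offline stand-ins for the boto3 clients ---
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>MIIBconstructedPlaceholderNotARealCertificate</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://idp.example.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""

class FakeIAM:
    def __init__(self):
        self.providers = {}  # provider ARN -> metadata document
    def create_saml_provider(self, Name, SAMLMetadataDocument):
        arn = "arn:aws:iam::123456789012:saml-provider/" + Name  # fake account ID
        self.providers[arn] = SAMLMetadataDocument
        return {"SAMLProviderArn": arn}
    def update_saml_provider(self, SAMLProviderArn, SAMLMetadataDocument):
        self.providers[SAMLProviderArn] = SAMLMetadataDocument
        return {"SAMLProviderArn": SAMLProviderArn}
    def delete_saml_provider(self, SAMLProviderArn):
        del self.providers[SAMLProviderArn]

class FakeS3:
    def __init__(self, objects):
        self.objects = objects  # (bucket, key) -> bytes
    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

def cfn_event(request_type, physical_id=None):
    """Event in the shape CloudFormation sends to a custom resource (constructed IDs)."""
    event = {"RequestType": request_type, "ResponseURL": "https://example.invalid/presigned-response",
             "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/euc-saml/constructed",
             "RequestId": "constructed-request-id", "LogicalResourceId": "SAMLProvider",
             "ResourceProperties": {"FederationName": "MyIdP", "FederationBucket": "euc-saml-bucket",
                                    "FederationFile": "metadata.xml"}}
    if physical_id:
        event["PhysicalResourceId"] = physical_id
    return event
```

Two details matter for the cleanup behaviour described later in the article: the handler reports the provider ARN as the PhysicalResourceId, so a Delete event carries exactly the ARN to remove, and a Delete for a resource whose Create failed (PhysicalResourceId is still the bare name) is treated as a no-op rather than a second failure.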

Deployment

Create your IdP custom SAML 2.0 application

Before deploying the CloudFormation template described in this post, you must configure a custom SAML 2.0 application in your Identity Provider (IdP). Depending on your IdP, you may also need to manually configure it to trust AWS as a service provider: download the saml-metadata.xml file from https://signin.aws.amazon.com/static/saml-metadata.xml and upload it to your IdP. To configure a SAML-based IdP for:
  • Amazon AppStream: Link
  • Amazon WorkSpaces Personal: Link
  • Amazon WorkSpaces Pools: Link

Upload Template and IdP Metadata to S3

Before deploying the CloudFormation template, upload your IdP metadata XML file and the template (see the AWS CloudFormation Template Example section) to the S3 bucket created for this purpose. The FederationBucket and FederationFile parameters must point at the metadata object.

Deploy CloudFormation Stack

Now deploy the CloudFormation stack from the uploaded template, supplying the parameters listed under Key Components, to create the required resources.

Verify CloudFormation Stack

Once the AWS CloudFormation stack reaches CREATE_COMPLETE:
  1. Open the stack's Outputs tab in the CloudFormation console
  2. Record the output values (the FederatedRole ARN and the SAML provider ARN)

Update your IdP Custom SAML 2.0 Application

  1. Depending on your IdP, you must manually set the Role attribute of your IdP application (https://aws.amazon.com/SAML/Attributes/Role) to the output values recorded in the previous step, as a comma-separated pair with no spaces: FederatedRoleArn,SAMLProviderArn
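To catch the small typos mentioned in the introduction before they surface as a failed sign-in, here is an added helper (not part of the article) that assembles the Role attribute value from the two recorded ARNs and checks the things a hand-edited value usually gets wrong: swapped ARNs, a role and provider from different accounts, stray whitespace, or a malformed ARN. It also parses a value already configured in an IdP. The ARNs and the 123456789012 account ID in the usage note are constructed placeholders.

```python
import re

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# IAM role / SAML provider ARN. Commas are excluded from the name because the
# attribute value itself is comma-separated.
ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$")

def parse_iam_arn(arn):
    """Return (partition, account, resource_type, name); raise on anything malformed."""
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError("not a valid IAM role or saml-provider ARN: %r" % arn)
    return m.groups()

def role_attribute_value(role_arn, provider_arn):
    """Assemble 'FederatedRoleArn,SAMLProviderArn' after the checks a typo would
    otherwise trip at sign-in: resource types, same partition and account, no whitespace."""
    r_part, r_acct, r_type, _ = parse_iam_arn(role_arn)
    p_part, p_acct, p_type, _ = parse_iam_arn(provider_arn)
    if r_type != "role" or p_type != "saml-provider":
        raise ValueError("first ARN must be the IAM role, second the SAML provider")
    if (r_part, r_acct) != (p_part, p_acct):
        raise ValueError("role and SAML provider must be in the same partition and account")
    return "%s,%s" % (role_arn.strip(), provider_arn.strip())

def parse_role_attribute_value(value):
    """Split a value already configured in an IdP into (role_arn, provider_arn).
    AWS accepts the two ARNs in either order, so the result is normalised to role first."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must be exactly two comma-separated ARNs")
    by_type = {parse_iam_arn(p)[2]: p for p in parts}
    if set(by_type) != {"role", "saml-provider"}:
        raise ValueError("Role attribute needs one role ARN and one saml-provider ARN")
    return by_type["role"], by_type["saml-provider"]

def check_role_attribute_value(value):
    """None if the value would be accepted, otherwise the reason it would fail."""
    try:
        role_arn, provider_arn = parse_role_attribute_value(value)
        role_attribute_value(role_arn, provider_arn)  # re-runs the same-account check
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed placeholder ARNs with a fake account ID
    role = "arn:aws:iam::123456789012:role/euc-saml-FederatedRole-ABC123"
    provider = "arn:aws:iam::123456789012:saml-provider/MyIdP"
    print(ROLE_ATTR, "=", role_attribute_value(role, provider))
    print(check_role_attribute_value(role + ",arn:aws:iam::210987654321:saml-provider/MyIdP"))
```

Paste the returned string into the IdP's Role attribute exactly as produced (no brackets, no space after the comma). The IdP must also send https://aws.amazon.com/SAML/Attributes/RoleSessionName for the federated user; this checker covers only the Role attribute.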

AWS CloudFormation Template Example

This template uses a combination of native CloudFormation resources and custom resources (via AWS Lambda) to set up a complete SAML federation for either AppStream 2.0 or WorkSpaces, allowing users to access these services through their identity provider.

Testing the Solution

This section provides structured procedures for validating the SAML 2.0 integration deployed with this solution for Amazon WorkSpaces and AppStream 2.0.

AppStream 2.0 Access Validation Procedure

  1. AppStream 2.0 Client Installation
    • Download and install the Amazon AppStream client from https://clients.amazonappstream.com
    • Set the StartURL registry value of the AppStream 2.0 client to the IdP-initiated sign-in URL of your AppStream 2.0 SAML application, so the client opens your IdP instead of prompting for a URL. Link
  2. Application Launch
    • Open your AppStream 2.0 Client
    • AppStream 2.0 Client will redirect to your IdP to authenticate
    • Click on the application tile you want to launch
    • Confirm the "Launch Application" prompt appears

WorkSpaces Access Validation Procedure

  1. WorkSpaces Client Installation
    • Download and install the Amazon WorkSpaces client from https://clients.amazonworkspaces.com/
    • Enter the registration code of your WorkSpaces deployment
  2. Desktop Launch
    • Open your WorkSpaces Client
    • The client will redirect to your IdP to authenticate
    • Return to your WorkSpaces Client
    • Confirm the desktop launched

Cleanup Instructions

This section provides systematic instructions for safely removing all AWS resources created by the SAML 2.0 CloudFormation stack. The cleanup process ensures proper removal of resources while maintaining data integrity and preventing unintended service disruptions.

Pre-Cleanup Verification

Remove S3 Content

Delete Stack


Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.