Configuring an SSO connection to Amazon AppStream 2.0

Configuring an SSO connection to Amazon AppStream 2.0

Published: 04/10/2017
This article describes how to configure an SSO connection to Amazon AppStream2.0 in PingOne.

The following steps describe how to configure a SSO connection with PingOne to Amazon AppStream 2.0. The configuration is broken into 2 parts: PingOne configuration and AWS configuration. 

PingOne SSO to Amazon AppStream 2.0 Configuration:

1. Log into your PingOne account

2. Click "Applications" in the navigation tool bar then click
the "Search Application Catalog" tab

3. Enter "Amazon" into the search and select the "Amazon AppStream 2.0" SAML option.

AppStream 2.0

4. Click "Set up" then "Continue to Next Step"

Setup Application

The entity ID and ACS URL are preset and no change is necessary. Edit the Target Resource to the relay state of your AppStream 2.0 stack. Replace ${region-code} with the AWS region code in which your stack is created, ${stack-name} with the name of the stack and ${aws-account-id} with your AWS account id without hyphens.

For example, if your stack name is saml-stack and is created in Oregon region and your account id is 123456789012, your Target Resource URL will be

Click "Continue to Next Step"

Configure Connection

6. You should now be on the attribute mappings section. For the SAML_SUBJECT field click advanced.

Attribute Mapping

Under "Name ID Format to send to SP:" click into the text field and select  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" from the dropdown.

User-added image

Under "IDP Attribute Name or Literal Value" select an attribute mapping that corresponds to a directory attribute that matches the username that Amazon expects. For example if users login with their email and you are using AD, the field you would select is "mail." Once you have finished setting up the subject, click "Save."

User-added image

7. The next attribute: ( is a multipurpose attribute that actually handles the AWS account number, role name and SAML provider name in a single attribute. Click "Advanced."

Attribute Role

Click into the NameFormat Field and select "urn:oasis:names:tc:SAML:2.0:attrname-format:uri."

User-added image

In the "IDP Attribute Name or Literal Value" field, you will need to specify the account number, role and provider name in the format: arn:aws:iam::[account-number]:role/[role-name],arn:aws:iam::[account-number]:saml-provider/[provider-name] As an example, if your account number is 987654321012, your role name is "Users" and your provider is "PingOne," the value you would enter in is:
"arn:aws:iam::9876543212:role/Users,arn:aws:iam::987654321012:saml-provider/PingOne." After entering in the value, check the box "As Literal" and Click "Save."

User-added image

If you don’t know what your AWS values are, just enter “TO DO: Enter mapping,” check “As Literal,” click "Save" and move on to the next step for now.

8. Once the attributes have been set, click "Continue to Next Step"

9. Click "Save and Publish" to save the new PingOne connection.

Customize application

10. Locate "SAML Metadata" and click "Download." Save the file to your local file system. This file will be needed to configure some settings on the AWS side.

User-added image

The AWS SSO connection is now configured in PingOne. The next step is to configure Amazon Web Services. 

Amazon Web Services SSO Configuration:
1. You will need to add a SAML provider to SSO enable your AWS environment. Log into the AWS Console:
Click “IAM”

User-added image

2. Click "Identity Providers."

User-added image

3. This step is where you will define PingOne as your SAML provider. Click "Create SAML Provider."

User-added image

4. Enter a provider name (PingOne) then click “Continue."

Configure Provider

5. Click “Choose File” and select the PingOne metadata file you downloaded in step 10 then click “Create.”

6. AWS requires that you add a role for SSO usage. You can configure the roles by selecting “Roles” in the left hand navigation and clicking “Create New Role.”
User-added image

7. If you don't already have roles defined, enter a role name. In this example, we will call it “User.” Click “Continue.”

Role Name

8. Select “Role for Identity Provider Access” and click “Select” for “Grant Web Single Sign-On (WebSSO) access to SAML providers.”

Role Type

9. In the Following screen, select the SAML provider, which is the name of the provider added in step 4 and click “Continue.”

SAML Provider

10. Click “Continue” on the following screen
and click Create Role.

11. The Next step is to set the actual permissions the users will have for this role. Select the role from the IAM console and click on Permissions, Inline Policies, Create Custom Policy  to create a custom policy that provides the role permissions to the stack.  You can copy the policy document to be attached from here. Replace the placeholders in the policy document with actual values of region-code, account-id, and stack-name 

If you weren’t sure how the role attribute needed to be configured in Step 7 of the PingOne setup, you can now access that information in your AWS set up. As previously described, the format of the role variable value is: 

Plug the values into the format specified above to give:

Paste this entire string into the attribute mapping for the role attribute and save your configuration in PingOne if necessary. 

You have now completed your SSO configuration and can begin logging in via SSO to Amazon AppStream 2.0. You can configure for PingOne dock or you can use the direct SSO link in PingOne by clicking "Applications"-->Click "AWS" in the table.

Setup , 
KB or other URL: