Overview
In this 3-part series, we’re looking at integrating Amazon AppStream and Okta using an Okta Developer account. In the first post, we created an Okta Developer account, Okta applications for our AppStream stacks, and saved our Okta Identity Provider metadata. In the second post, we set up Identity Providers and an IAM role in AWS to support AppStream/Okta integration.
To complete this series, we’ll update our Okta applications with the relevant AWS IDP information and then assign and access our AppStream resources using an Okta logon page.
As a reminder, be sure to have the AWS IDP and Role ARNs at your disposal, as you will need them when finalizing the configuration of the Okta applications.
Edit the Settings of the Okta Application(s)
First of all… I logged into the Okta UI today and thought I had opened the wrong page at first. Looks like the UI has been given an update! Though I have screenshots for the “old” UI, I’ll redo them to show the steps according to the new UI.
1. Log in to your Okta developer account using the administrator email address (the one used when you signed up for an Okta developer account).
2. Within the Okta UI, expand Applications on the left-hand pane and select Applications. Click the name of any application (blue link) to enter its settings.
3. On the Application page, click Sign On | Edit
4. On the Settings page, we’ll need to specify the following data and then click Save.
- Under the SAML 2.0 heading, specify the Default Relay State. The default syntax is as follows: https://relay-state-region-endpoint?stack=stackname&accountId=aws-account-id-without-hyphens
- An example relay state for the Default Relay State for Desktops-East would look like this: https://appstream2.us-east-1.aws.amazon.com/saml?stack=Desktops-East&accountId=123456789101
- If you’re curious: if the relay state isn’t set correctly, a user will be directed to the AppStream dashboard of the AWS Mgmt. Console instead of their desktop/applications.
- Under the Advanced Sign-on Settings, paste the Role and IDP ARN values into the Role ARN and Idp ARN dialog box. Format is: RoleARN,IDPARN. Then specify an Okta Session Duration and Application username format. In this instance I’m using Okta username as the format as I am not using Active Directory authentication.
5. When returned to the Application page, click Assignments | Assign | Assign to People (or Groups). I chose People because I am not integrated with AD.
6. On the Assign to People screen, click Assign to the right of any user/group you wish to assign access.
7. Confirm the assignment by clicking Save and Go Back.
8. Once every appropriate user/group has been assigned access click Done.
9. With all user/group assignments complete, you can now test access to the AppStream stack(s).
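The two values entered in step 4 above are easy to get subtly wrong (a hyphenated account ID, a console URL instead of the regional SAML endpoint, ARNs from two different accounts), and a bad relay state only shows up as a user landing on the AppStream console. The following helper, added here as an example rather than anything from the original post or from Okta/AWS, builds and checks the Default Relay State and the `RoleARN,IDPARN` pair; the role and SAML provider names in the test values are placeholders.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")   # AWS account ID: 12 digits, no hyphens


def build_relay_state(region: str, stack: str, account_id: str) -> str:
    """Build the Okta Default Relay State for one AppStream stack:
    https://appstream2.<region>.aws.amazon.com/saml?stack=<stack>&accountId=<id>"""
    account_id = account_id.replace("-", "")   # the post: account ID without hyphens
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("accountId must be 12 digits")
    if not stack:
        raise ValueError("stack name is required")
    query = urlencode({"stack": stack, "accountId": account_id})
    return f"https://appstream2.{region}.aws.amazon.com/saml?{query}"


def check_relay_state(relay_state: str) -> list:
    """Return the problems found in an existing relay state (empty list = OK).
    A wrong relay state sends the user to the AppStream console, not the stack."""
    problems = []
    u = urlparse(relay_state)
    if u.scheme != "https":
        problems.append("scheme must be https")
    if not re.match(r"^appstream2\.[a-z0-9-]+\.aws\.amazon\.com$", u.netloc):
        problems.append(f"host {u.netloc!r} is not an appstream2.<region>.aws.amazon.com endpoint")
    if u.path != "/saml":
        problems.append(f"path must be /saml, got {u.path!r}")
    qs = parse_qs(u.query)
    if not qs.get("stack", [""])[0]:
        problems.append("stack parameter is missing")
    acct = qs.get("accountId", [""])[0]
    if not ACCOUNT_ID_RE.match(acct):
        problems.append(f"accountId {acct!r} must be 12 digits without hyphens")
    return problems


def role_idp_pair(role_arn: str, idp_arn: str) -> str:
    """Return the 'RoleARN,IDPARN' string for Okta's Advanced Sign-on Settings,
    after checking that both are IAM ARNs from the same AWS account."""
    role = re.match(r"^arn:aws(-[a-z]+)?:iam::(\d{12}):role/.+$", role_arn)
    idp = re.match(r"^arn:aws(-[a-z]+)?:iam::(\d{12}):saml-provider/.+$", idp_arn)
    if not role or not idp:
        raise ValueError("expected an IAM role ARN and an IAM SAML provider ARN")
    if role.group(2) != idp.group(2):
        raise ValueError("role and identity provider ARNs are from different accounts")
    return f"{role_arn},{idp_arn}"
```

Running `check_relay_state` against the value already saved in each Okta application is a quick way to confirm the stack, region endpoint and account ID line up before handing the app to users.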
Test User Access to AppStream Stacks
With the users/groups assigned, you can now log in to the Okta page using an assigned user.
1. Connect to the Okta logon page and log in as a user with access to the Okta/AppStream application.
2. The user should see all Okta applications/AppStream stacks to which they have been assigned access, even if those AppStream stacks are in multiple regions OR multiple AWS accounts. Okta provides a single page to access stacks in multiple locations.
Conclusion
I hope this series on AppStream/Okta integration has been helpful. Note that AppStream also integrates with AWS SSO as well as ADFS, so there is no shortage of options for authentication integration. Integrating AppStream with these systems will allow you to provide central access to stacks that could be located all over your AWS Organization and all over the world.
Thanks for reading and as always, we here at virtualbonzo would love to hear your thoughts so please leave a comment or send us an email through our Contact page.