Online Help

SafeNet Trusted Access for Amazon AppStream 2.0

Overview

Configuring SafeNet Trusted Access for Amazon AppStream 2.0 is a three-step process:

1.Amazon AppStream 2.0 setup

2.SafeNet Trusted Access setup

3.Verify authentication

Amazon AppStream 2.0 Setup

As prerequisites,

Configure the Amazon AppStream 2.0 stack.

Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

In Amazon Web Services (AWS), create a SAML identity provider and a role to configure SafeNet Trusted Access as your identity provider.

 

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Amazon AppStream 2.0:

1.Log in to AWS as an administrator using the https://console.aws.amazon.com/iam URL.

2.On the AWS IAM dashboard, in the left pane, click Identity providers, and in the right pane, click Create Provider.

3.Under Configure Provider, in the Provider Type field, select SAML, and then perform the following steps:

a.In the Provider Name field, enter a name for the SafeNet Trusted Access identity provider (for example, SAML_Provider).

b.Next to the Metadata Document field, click Choose File to search and select the metadata file that you downloaded earlier from the SafeNet Trusted Access console.

c.Click Next Step.

4.Under Verify Provider Information, click Create.

The identity provider (for example, SAML_Provider) is successfully added in AWS.

5.In the left pane, click Roles, and in the right pane, click Create role.

6.On the Create role window, select SAML 2.0 federation.

7.Under Choose a SAML 2.0 provider, perform the following steps:

a.In the SAML provider field, select the SAML identity provider (for example, SAML_Provider) that you created earlier.

b.Select the Allow programmatic and AWS Management Console access option.

c.Click Next: Permissions.

8.Under Attach permissions policies, in the table, select the policy that you want to attach to the SAML users (for example, AmazonAppStreamServiceAccess), and click Next: Tags.

9. Under Add tags (Optional), click Next: Review.

10. Under Review, perform the following steps:

a.In the Role name field, enter a name for the role (for example, Operator1).

b.In the Role description field, enter an appropriate description for the role.

c.Click Create role.

After creating the role, you can limit the role to have one or more AppStreams 2.0 stacks. This can be done by embedding an inline policy (containing permissions) for the role. When the inline policy is embedded for the role, the permission in the policy are attached to the role.

For more information, refer to: http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Amazon AppStream 2.0, the second step is to activate the Amazon AppStream 2.0 application in SafeNet Trusted Access by performing the following steps:

1.In the Applications pane, the Amazon AppStream 2.0 application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Amazon AppStream 2.0) and proceed to the next step.

2.Under STA Setup, perform the following steps:

a.Under Account Details, complete the following fields:

Field Value
ACCOUNTID Enter the account ID of AWS. The account ID is available on the AWS IAM dashboard, in the IAM users sign-in link. For example, https://<AccountID>.signin.aws.amazon.com/console
ROLE Enter a federation brand name (for example, OrgName).
PROVIDER Enter the SingleSignOnService URL that is provided on the SafeNet Trusted Access console.

On the SafeNet Trusted Access console, you can copy this URL by clicking on the Copy to Clipboard icon available next to the SINGLESIGNONSERVICE field .

b.Under User Login ID Mapping, in the NAME ID field, ensure that Email address is selected.

c.Under Return Attributes, ensure that the RoleSessionName attribute is set to First Name.

d.Under Advanced Settings, in the IDP INITIATED SSO RELAY STATE field, enter the following URL:

https://{relay-state-region-endoint}?stack={stackname}&accountId={aws-account-id-without-hyphens}

For example, https://appstream2.<your region>.aws.amazon.com/saml?stack=<yourstackname>&accountId=<yourawsaccountid>

For more information, refer to https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-relay-state

e.Click Save Configuration to save the details and activate the Amazon AppStream 2.0 application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the AWS login URL, https://<Your Safenet Single signon URL>/clients/<AWS Application Name>, where <AWS Application Name> is the application's name that you provided while adding the application in SafeNet Trusted Access. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Amazon AppStream 2.0 stack after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Amazon AppStream 2.0 application icon. You should be successfully logged in to the Amazon AppStream 2.0 stack after authentication.

 

© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.