AWS & Gsuite authentication integration

For Google Authentication to AppStream, we need to setup a trust between AWS and G Suite. Here’s the process:

Before you can get past step 1, we will need the metadata document to create the other values needed in the document. Start the app creation to download the file but cancel after that and resume when you have received the Start URL from us.

Step 1: Create a SAML 2.0 application in the G Suite management console

Log in into your G Suite admin console using your admin account and choose Apps, SAML Apps.

Choose the plus icon (+) to create a new SAML application and choose SETUP MY OWN CUSTOM APP.

Download the IdP metadata and save it locally. This needs to be emailed to ByteSpeed(cloud@bytespeed.com)  Choose Next.

Provide a name for your SAML 2.0 application, description, and an optional logo to easily identify the application in the user login portal. After entering the inputs, choose Next.

Provide the following input for various fields and then choose Next.

  • ACS URL— https://signin.aws.amazon.com/saml
  • Entity ID— urn:amazon:webservices
    Start URL — Relay state URL of your AppStream 2.0 stack. ByteSpeed Needs to provide this Value.
  • Signed Response— Leave it unchecked.
  • Name ID— Basic Information, Primary Email.
  • Name ID Format— Persistent.

aws1

 

Skip the next page, Attribute Mapping, and choose Finish.

Step 2: Create a custom user attribute category in the G Suite admin console

Navigate to the users dashboard by choosing Directory, Users.

From the top right corner in the Users dashboard, choose Manage User Attributes, Add Custom Category.

Provide a name for the category and a description, add the SAML attributes as defined below, and then choose Add.

  • Attribute name— FederationRole, Text, Visible to user and admin, Single Value
  • Attribute name — SessionDuration, Text, Visible to user and admin, Single Value

aws2

Step 3: Add custom SAML attribute mappings

Navigate to the newly created SAML app. Choose Main menu, Apps, SAML Apps and select the newly created application.

 

Choose Attribute Mapping, Add New Mapping, add three mappings as defined below, and then choose Save.

aws3

Step 4: Populate the values of the custom SAML attributes for a user

Select a user whose custom attribute values have to be updated from the Users dashboard. In the User details page, choose User Information.

Edit the values for SAML-USER-ATTRIBUTES, the custom attribute category, as defined below, and choose Save.

  • Federation Role— Comma-separated string of the IAM federation role ARN and IdP ARN in the following format: <Role-ARN>,<IDP-ARN> <–ByteSpeed will provide this
  • SessionDuration— The maximum duration of the AppStream 2.0 session in seconds. Enter 3600.

Repeat the steps for other users to whom to assign this SAML application.

Step 5: Assign the SAML application to the user

Choose the SAML application from the Apps dashboard.

From the details page, you can choose to do one of the following:

  • Turn on the app for every user in your G Suite account.
  • Turn on the app for a selective organization under your G Suite account.

Test the federation by choosing the SAML apps from the Google Apps menu. Click on Test SAML Login