AWS & Gsuite authentication integration
Step 1: Create a SAML 2.0 application in the G Suite management console
Log in into your G Suite admin console using your admin account and choose Apps, Web and mobile Apps, Add app, then Add custom SAML app
Provide a name for your SAML 2.0 application, description, and an optional logo to easily identify the application in the user login portal. After entering the inputs, choose Next.
Download the IdP metadata and save it locally. This needs to be emailed to ByteSpeed(email@example.com) Choose Next.
Provide the following input for various fields and then choose Next.
- ACS URL — https://signin.aws.amazon.com/saml
- Entity ID — urn:amazon:webservices
- Start URL — Relay state URL of your AppStream 2.0 stack. ByteSpeed Needs to provide this Value.
- Signed Response — Leave it unchecked.
- Name ID — Basic Information, Primary Email.
- Name ID Format — Persistent.
Skip the next page, Attribute Mapping, and choose Finish.
Step 3: Create a custom user attribute category in the G Suite admin console
Navigate to the users dashboard by choosing Directory, Users.
From the top right corner in the Users dashboard, choose More options, Manage Custom Attributes. On the next screen click ADD CUSTOM ATTRIBUTE from the upper right corner.
Name the category AppStream_Bytespeed and add a description(ex. custom attributes for appstream), add the SAML attribute as defined below, and then choose Add.
- Attribute name — FederationRole, Text, Visible to user and admin, Single Value
Step 4: Add custom SAML attribute mappings
Navigate to the newly created SAML app. Choose Main menu, Apps, Web and mobile Apps and select the newly created application.
Choose Configure SAML Attribute Mapping, Add Mapping, add two mappings as defined below, and then choose Save.
- Application attribute — FederationRole — https://aws.amazon.com/SAML/Attributes/Role
- Application attribute — Primary Email — https://aws.amazon.com/SAML/Attributes/RoleSessionName
Step 5: Assign the SAML application to the user
Choose the SAML application from the Apps dashboard.
From the details page, you can choose to do one of the following:
- Turn on the app for every user in your G Suite account.
- Turn on the app for a selective organization under your G Suite account.
- Assign to a group (this is recommended, required for attribute automation) o Create a new group and add all users whom you want to access AppStream
Step 6: Populate the values of the custom SAML attributes for a user
Select a user whose custom attribute values have to be updated from the Users dashboard. In the User details page, choose User Information.
Edit the values for AppStream_Bytespeed, the custom attribute category, as defined below, and choose Save.
- Federation Role — Comma-separated string of the IAM federation role ARN and IdP
ARN in the following format: <Role-ARN>,<IDP-ARN> <–ByteSpeed will provide this
Repeat the steps for other users to whom to assign this SAML application.
Test the federation by choosing the SAML apps from the Google Apps menu. Click on Test SAML Login