Amazon Workspaces - Cert-based authentication on Ubuntu Workspaces & support for non-hardcoded audiences in SAML integrations
- Is certificate-based authentication coming to Ubuntu Workspaces?
Certificate-based auth: a. I understand that this cannot work with Azure AD DS, since the DCs deployed by this service do not support Certificate Services ruling out the use of smart card authentication, is this correct? b. Requirement for certificate-based auth coming to Ubuntu Passwords become irrelevant and the key reason why we need to tie into Azure AD / AD DS goes away. If we don’t need AD DS, then the need for the rest of the Azure side goes away and we could run an AWS-managed AD with Certificate Services enabled.
- Is support for non-hardcoded audiences in SAML integrations planned to be released?
a. Reason for ask: o Each deployment of Workspaces has its own SAML integration and a unique relay state endpoint we need to hit on the way back from Azure AD o Different regions => different endpoints o The above really means we need multiple SAML apps in our IDP, one per region/deployment. o However, the SAML audience/EntityID is hardcoded on the AWS side and is always urn:amazon:webservices. o Azure AD really does not like this as it enforces EntityIDs to be unique within a tenant, implying we can’t have two SAML apps for Workspaces. o We could rely on AWS Identity Centre, but layering two IDPs isn’t something we want to do as it’s a potentially a lot of complexity and security headaches
Any help on these challenges are much appreciated!
- Le plus récent
- Le plus de votes
- La plupart des commentaires
- Is certificate-based authentication coming to Ubuntu Workspaces?
- We can't share any roadmap information on a public form. CBA is supported with Windows WorkSpaces on WorkSpaces Streaming Protocol (WSP) bundles using the latest client applications.
- Is support for non-hardcoded audiences in SAML integrations planned to be released?
- You can append a number to make the entity ID unique in Azure AD. For example, URN:AMAZON:WEBSERVICES2. You can see the example in this blog under Configure the Azure AD Seamless SSO Application.
- In this blog, Create a Single Identity Provider for all your Amazon AppStream 2.0 Stacks with Azure AD I describe how you can use enterprise applications. You create one for the identity provider for AWS. You can create linked enterprise applications with different relay states. This lets you use a single identity provider provider for multiple applications. You can use groups or other Azure AD features to show or hide the relevant apps to your users.
- If you are provisioning multiple WorkSpaces in different Regions for business continuity, review Business continuity for Amazon WorkSpaces.
Contenus pertinents
- demandé il y a 5 mois
- demandé il y a un an
- demandé il y a 10 mois
AWS OFFICIELA mis à jour il y a un an- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a 2 ans
Hi Jeremy, thanks for the quick response. I'm happy to share my alias if point 1 is something we can share with a customer under NDA?