
AWS WorkSpaces Pools user-specific seamless login

0

At the moment, I understand the following regarding AWS WorkSpaces Pools. Please correct me if I'm wrong.

Option 1: Without AD, Custom Bundle

  • I authenticate via an (external) IdP (IAM Identity Center is not working...).
  • It launches a new Workspace with the configured bundle.
  • A Home Folder and Settings Persistence can be enabled, which is uniquely tied to the NameID.

Option 2: With AD, Custom Bundle

  • I authenticate via an (external) IdP to access the Workspace.
  • Then, I authenticate against the AD.
  • I am logged into my domain, which can be extended with GPOs, FSx, etc.

However, I would like to know if more is possible without AD (as it can be quite expensive). Desired flow:

  • Login with Entra ID or Okta.
  • Launch a Workspace from a bundle that has Box Drive installed.
  • Each user is seamlessly logged into Box Drive with their Entra ID or Okta account.

I assume this isn't possible due to licensing issues, but this would be the ideal flow. An alternative would be if I could use Entra ID with a OneDrive license, where users are automatically logged into OneDrive within the Workspace with their own license.

Thank you to everyone who can help me with this problem.

1 Answer
0

Hi Samuel,

Let's dive into your issue.

Clarifying the Issue

Samuel, you’re looking to achieve a seamless login flow for AWS WorkSpaces where users access apps like Box Drive or OneDrive with Entra ID or Okta—all without relying on Active Directory (AD). The challenge stems from app licensing and authentication dependencies that traditionally require AD.

Your desired flow involves:

  1. Logging in with Entra ID or Okta.
  2. Launching a WorkSpace bundle with Box Drive pre-installed.
  3. Seamlessly logging into Box Drive with user-specific credentials.

Unfortunately, achieving this flow without AD introduces limitations. Let’s break it down and propose solutions.


Key Terms

  • Entra ID (Azure AD): Microsoft’s cloud-based identity service for managing user authentication.
  • Okta: A third-party Identity Provider (IdP) enabling Single Sign-On (SSO) for apps and systems.
  • OneDrive: Microsoft’s cloud storage platform requiring AD or Entra ID for seamless access.
  • Box Drive: A cloud-based file collaboration service that relies on AD for seamless login.
  • AWS IAM Identity Center: AWS’s SSO service, connecting external IdPs like Entra ID/Okta to AWS WorkSpaces.
  • Active Directory (AD): Microsoft’s directory service managing user access, licensing, and group policies.

Our Solution (The Recipe)

Here’s the recipe to work around the AD requirement while addressing your need for user-specific app login.

1. Use AWS IAM Identity Center as the SSO Bridge

  • Configure AWS IAM Identity Center to authenticate users via Entra ID or Okta.
  • Users log into AWS WorkSpaces through their IdP credentials.
  • Limitation: While IAM Identity Center handles WorkSpaces access, apps like Box Drive still require a manual login step.

2. Build a Pre-Configured WorkSpaces Bundle

  • Create a WorkSpaces image with Box Drive or OneDrive pre-installed.
  • Allow users to sign in manually within Box Drive or OneDrive using their Entra ID or Okta credentials.
  • This approach minimizes setup time and provides a consistent environment.

3. Implement a Lightweight AD Setup for Licensing

  • Use AWS Directory Service for Simple AD or AWS Managed AD as a lightweight AD solution.
  • This satisfies the app licensing and integration requirements without the expense of a full enterprise AD.
  • Authentication flow:
    • Users log into WorkSpaces via Entra ID or Okta.
    • Apps like Box Drive auto-authenticate through AD.

4. Automate App Login with Scripts

  • Deploy startup scripts (PowerShell or AWS Systems Manager) to automate app login within WorkSpaces.
  • Example: Pre-fill Box Drive credentials or initiate the login process on startup.
  • This creates a near-seamless experience while avoiding AD dependency.

Closing Thoughts

While AWS IAM Identity Center simplifies user authentication, the seamless login you’re seeking for Box Drive or OneDrive still requires AD due to licensing and app dependencies. By combining IAM Identity Center, a pre-configured WorkSpaces bundle, and a lightweight AD setup, you can minimize costs and achieve a functional solution.

If you’d like more details on configuring any of these steps, I’d be happy to dive deeper!

Cheers, Aaron 😊 🚀

answered a year ago
