The SAML assertions for WorkSpaces personal cannot perform Kerberos authentication to the operating system. For that, you will need Certificate Based Authentication. This will perform the login to the operating system for a true SSO experience.
It sounds like there may be an issue with your SAML configuration between JumpCloud and Amazon WorkSpaces. Here are a few things to check:
- Verify attribute mapping: Ensure that the attributes being sent from JumpCloud to Amazon WorkSpaces are correctly mapped. The username attribute in particular needs to be properly configured in both JumpCloud and WorkSpaces.
- Check the SAML response: Review the SAML response in your browser to make sure all required attributes are present and correctly formatted. The NameID element should have a persistent value and match the WorkSpaces username and Active Directory's sAMAccountName. The Role attribute should start with the IAM role ARN, followed by a comma and the IdP ARN. The RoleSessionName value should be an email address or user principal name that matches the user's Active Directory email.
- IAM role permissions: Verify that the IAM role used for SAML authentication has the necessary permissions, including the workspaces:Stream action.
- Trust relationship policy: Check the trust relationship policy in your IAM role to ensure it includes the sts:AssumeRoleWithSAML and sts:TagSession actions, with the SAML:sub_type value set to persistent.
- Relay state configuration: Make sure the relay state is properly configured to pass along necessary information, including the username, to Amazon WorkSpaces.
- Test with different users: Try the SSO process with multiple user accounts to determine if the issue is specific to one user or a general configuration problem.
If you've verified these settings and the issue persists, you may want to check the logs in both JumpCloud and Amazon WorkSpaces for any error messages that could provide more specific information about the problem. Remember that when properly configured, the WorkSpaces username should be automatically populated from the JumpCloud SAML assertion, allowing for a seamless login experience.
Sources
Username Prefill for WorkSpaces SAML Configuration JumpCloud | AWS re:Post
Configure SAML 2.0 authentication for WorkSpaces | AWS re:Post
Troubleshoot SAML 2.0 authentication issues in WorkSpaces | AWS re:Post
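The "Check the SAML response" step above can be turned into a repeatable check. The following is an added example (not code from the answer above, AWS or JumpCloud) that parses a decoded SAML assertion and reports which of the listed requirements fail: a non-empty NameID with the persistent format, a Role attribute in "role ARN,IdP ARN" order, and a RoleSessionName that looks like an email address or UPN. The attribute names are the standard AWS SAML attribute names; the account id, role and provider names in the sample assertion are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# "<role ARN>,<IdP ARN>" in exactly that order, as the checklist requires
ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[^,\s]+,arn:aws:iam::\d{12}:saml-provider/[^,\s]+$")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_assertion(xml_text: str) -> list:
    """Return findings for the checklist; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        findings.append("NameID Format is not persistent")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    roles = attrs.get(ROLE_ATTR) or []
    if not roles:
        findings.append("Role attribute missing")
    findings += [f"Role value is not 'role ARN,IdP ARN': {r}" for r in roles if not ROLE_RE.match(r)]
    session = (attrs.get(SESSION_ATTR) or [""])[0]
    if not UPN_RE.match(session):
        findings.append("RoleSessionName is not an email address / UPN")
    return findings

# Constructed sample assertion (account id, role and provider names are placeholders)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/WorkSpacesSAML,arn:aws:iam::123456789012:saml-provider/JumpCloud</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion passes all checks")
```

Paste the base64-decoded assertion captured from the browser in place of SAMPLE to check a real response; a swapped ARN order or a transient NameID format shows up as a finding.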
In section 5, you mention that the relay state should be configured to pass the ‘username’ to Amazon WorkSpaces. Can you clarify how that value should be passed in the SAML assertion?
Thanks for the answer. Could you also clarify if certificate-based authentication is supported on the Linux WorkSpaces for Ubuntu 22.04?
Can you please confirm if the password prompt is expected behavior when authenticating to WorkSpaces from JumpCloud via SAML (without enabling certificate-based auth)?