Service account support in AWS AppStream

0

We would like to use a service account in AWS AppStream, and we would not like to synchronize the users from our custom homegrown user management solution to AppStream. Is there a way to use AppStream with a service account, so that every AppStream instance shall be unique with a different session? Any suggestion/direction on the same is appreciated.

Asked 2 years ago, viewed 373 times
2 Answers
0

The NameID that is authenticated is passed through uniquely, so one name means one unique session. Therefore one account would never have multiple unique concurrent sessions, only one.

AWS
Expert
Answered 2 years ago
0

I think there are two parts to your question: 1/ how to use a homegrown user management solution to access AppStream 2.0, and 2/ using a service account within AppStream 2.0.

For 1/ - AppStream 2.0 supports 3 different access modes: 1/ User Pools, intended for proof of concepts and evaluations, 2/ SAML2.0 IdP-initiated federation when a customer has their own identity provider/user management solution that supports SAML2.0 federation, and 3/ Custom solutions through the use of the StreamingURL API. If your IdP doesn't support SAML2.0 federation, you can use the CreateStreamingURL API to generate a short-lived URL that users can use to access after authenticating them with your user management solution. Note that the CreateStreamingURL doesn't support accessing fleets that are joined to Active Directory Domains. AppStream 2.0 has a workshop that can help you visualize and deploy this workflow: https://aws.amazon.com/appstream2/getting-started/isv-workshops/. Specifically: Create a SaaS Portal with Amazon AppStream 2.0 (though replace Cognito with your user management solution.)

For 2/ - can you provide more details on what you mean by service account? Do you mean an Active Directory service account, or something else? AppStream 2.0 identifies users based on the NameID that is provided with the streaming URL or SAML (and automatically uses email address when using User Pools). Multiple users with the same NameID means they will all connect to the same instances, and have the same S3 home folder and app settings persistence, which is not supported. Providing unique NameID values gives every user their own instance when they connect with their own S3 home folder and app settings persistence.

Hope this helps.

Murali

Expert
Answered 2 years ago
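
The CreateStreamingURL flow from the answer above, as an added example that is not part of the original answers or AWS's own code: each user of the homegrown directory is mapped to one stable, unique `UserId`, so no two people share an instance, home folder or settings. The HMAC derivation, the 300-second validity cap, the helper names and the stub client are assumptions of this sketch; in production pass `boto3.client("appstream")` instead of the stub.

```python
import hashlib
import hmac
import re

# CreateStreamingURL accepts a UserId of 2-32 characters matching [\w+=,.@-]*
USER_ID_RE = re.compile(r"[\w+=,.@-]{2,32}", re.ASCII)
MAX_VALIDITY = 300  # assumed local policy in seconds; the API itself allows up to 604800


def appstream_user_id(internal_id: str, secret: bytes) -> str:
    """Derive one stable, unique UserId per user of the homegrown directory."""
    if not internal_id:
        raise ValueError("a streaming URL must be tied to an authenticated user")
    digest = hmac.new(secret, internal_id.encode("utf-8"), hashlib.sha256).hexdigest()
    user_id = "u-" + digest[:30]  # 32 characters, no e-mail or login name exposed
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("derived UserId violates the CreateStreamingURL constraints")
    return user_id


def streaming_url_for(client, internal_id, secret, stack, fleet, validity=60):
    """Call only after your own login check has succeeded for internal_id."""
    if not 1 <= validity <= MAX_VALIDITY:
        raise ValueError("validity outside the allowed window")
    resp = client.create_streaming_url(
        StackName=stack,
        FleetName=fleet,
        UserId=appstream_user_id(internal_id, secret),
        Validity=validity,
    )
    return resp["StreamingURL"]


class FakeAppStream:
    """Offline stand-in that records calls; use boto3.client("appstream") for real."""

    def __init__(self):
        self.calls = []

    def create_streaming_url(self, **kwargs):
        self.calls.append(kwargs)
        return {"StreamingURL": "https://example.invalid/" + kwargs["UserId"]}


if __name__ == "__main__":
    fake, key = FakeAppStream(), b"constructed-demo-key"
    for uid in ("emp-1001", "emp-1002"):  # constructed user ids
        print(uid, "->", streaming_url_for(fake, uid, key, "demo-stack", "demo-fleet"))
```

Because the derived `UserId` is deterministic, a returning user lands on the same home folder and persisted settings, while the secret key keeps internal identifiers from being guessable from the value.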
