Amazon Workspaces - Cert-based authentication on Ubuntu Workspaces & support for non-hardcoded audiences in SAML integrations

0
  1. Is certificate-based authentication coming to Ubuntu Workspaces?

Certificate-based auth:

a. I understand that this cannot work with Azure AD DS, since the DCs deployed by this service do not support Certificate Services ruling out the use of smart card authentication, is this correct?
b. Requirement for certificate-based auth coming to Ubuntu: passwords become irrelevant and the key reason why we need to tie into Azure AD / AD DS goes away. If we don’t need AD DS, then the need for the rest of the Azure side goes away and we could run an AWS-managed AD with Certificate Services enabled.

  2. Is support for non-hardcoded audiences in SAML integrations planned to be released?

a. Reason for ask:
  • Each deployment of Workspaces has its own SAML integration and a unique relay state endpoint we need to hit on the way back from Azure AD.
  • Different regions => different endpoints.
  • The above really means we need multiple SAML apps in our IDP, one per region/deployment.
  • However, the SAML audience/EntityID is hardcoded on the AWS side and is always urn:amazon:webservices.
  • Azure AD really does not like this as it enforces EntityIDs to be unique within a tenant, implying we can’t have two SAML apps for Workspaces.
  • We could rely on AWS Identity Centre, but layering two IDPs isn’t something we want to do as it’s potentially a lot of complexity and security headaches.

Any help on these challenges is much appreciated!

1 Answer
0
Accepted Answer
  1. Is certificate-based authentication coming to Ubuntu Workspaces?
  • We can't share any roadmap information on a public forum. CBA is supported with Windows WorkSpaces on WorkSpaces Streaming Protocol (WSP) bundles using the latest client applications.
  2. Is support for non-hardcoded audiences in SAML integrations planned to be released?
AWS
answered 8 months ago
  • Hi Jeremy, thanks for the quick response. I'm happy to share my alias if point 1 is something we can share with a customer under NDA?
