How to configure MFA for Amazon WorkSpaces using ADSelfService Plus

Objective

This article provides step-by-step instructions to configure MFA for Amazon WorkSpaces using ADSelfService Plus to strengthen security and protect user access.

Steps to configure MFA for Amazon WorkSpaces using ADSelfService Plus

Step 1: Configure SSO for Amazon WorkSpaces in ADSelfService Plus

  1. Log in to ADSelfService Plus as an administrator.
  2. Navigate to Configuration > Self-Service > Password Sync/Single Sign-On.
  3. In the Configured Applications section, click Add Application.
  4. In the All Applications page that opens, click Custom Application from the left menu.
  5. In the Create Custom Application page, enter the Application Name and Description.
  6. Enter the Domain Name of the email address you use to log in to the application. For example, if your email address is johndoe@mydomain.com, then mydomain.com is the domain name.
  7. Use the Assign Policies drop-down to select the policies to which you want this SSO configuration to apply. To learn more about creating an OU or a group-based policy, see this guide.
  8. Upload a Small Icon and Large Icon image to represent the Amazon WorkSpaces app in the ADSelfService Plus portal.
  9. In the SSO section, the Enable Single Sign-On checkbox is selected by default. SAML is preselected in the Select Sign-On Method field.
  10. From the Supported SSO Flow(s) drop-down, select IdP Initiated.
  11. In the Upload Metadata field, you can upload the metadata available at AWS SAML Metadata, or manually enter the Entity ID and ACS URL corresponding to your AWS region from the provided link.

    Note: Ensure that the value provided for the Entity ID matches the SAML:aud condition specified in the trust policy editor shown in the image under Step 5.

  12. Under IdP Settings:
    • Choose the RSA-SHA256 algorithm as the signature algorithm.
    • Choose SIGNED as the SAML Response.
    • Choose the Exclusive Canonicalization with comments as the Canonicalization Method.
    • Choose Email Address as the Name ID Format.
  13. Click IdP Details in the top-right corner of the page.
  14. In the pop-up that opens, download the IdP Metadata and copy the Login URL for use in the AWS configuration.
  15. Click Create Custom Application to save the configuration.
    Image: Setting up a custom SAML SSO application in ADSelfService Plus for Amazon WorkSpaces.

Step 2: Configure MFA for Amazon WorkSpaces in ADSelfService Plus

To enhance Amazon WorkSpaces security using MFA, follow the steps below:

  1. In ADSelfService Plus, navigate to Configuration > Self-Service > Multi-factor Authentication.
  2. From the Choose the Policy drop-down, select a policy to which Amazon WorkSpaces SSO has been assigned.
  3. Navigate to MFA for Endpoints.
  4. In the MFA for Enterprise Applications section, select Enable __ authentication factor(s) for application logins. Choose the number of authentication methods to be enforced.
    Image: Configuring Amazon WorkSpaces MFA in ADSelfService Plus.
  5. Select the desired authentication methods from the drop-down.
  6. Click the asterisk (*) symbol next to an authentication method to set it as mandatory.
  7. Click Save Settings.

Step 3: Create a SAML identity provider in Amazon WorkSpaces

  1. Sign in to the AWS Management Console and open the AWS IAM Console.
  2. In the left-hand navigation pane, select Identity providers under the Access management section, then click Add provider.
    Image: Adding an identity provider to begin SAML configuration.
  3. Under Add provider:
    • Choose SAML as the provider type.
    • Enter the Provider name.
    • Upload the metadata XML file downloaded from ADSelfService Plus under the Metadata document section.
  4. Click Add provider to complete the setup.
    Image: Setting up a SAML identity provider in AWS.
    Image: The SAML identity provider created in AWS.

Step 4: Create a SAML federated IAM role

  1. In the IAM console, navigate to Roles and click Create role.
  2. Choose SAML 2.0 federation as the trusted entity type.
    Image: Setting up a SAML federated IAM role for secure access in AWS.
  3. Select the SAML Provider created in the previous step.
    • Do not select the following options:
      • Allow programmatic access only
      • Allow programmatic and AWS Management Console access
  4. Select SAML:sub_type as the Attribute and enter persistent as the Value.
    Image: Choosing the Attribute and Value for the SAML federated IAM role.
  5. Set a Role name and Description.
    Image: Defining a role name and description while creating a SAML federated IAM role in AWS for WorkSpaces access.
  6. Review the role details and click Create role.

Step 5: Modify the trust policy for the IAM role

  1. Select the newly created IAM role and click the Trust relationships tab.
  2. Click Edit trust policy.
    Image: Updating the trust policy for the IAM role to integrate with the SAML provider.
  3. Replace the placeholders in the JSON trust policy with the following:
    • <ACCOUNT-ID-WITHOUT-HYPHENS> → Replace the Account ID with the value you obtain from the Profile section.
    • <PROVIDER-NAME> → Replace with the name of the SAML provider you created in Step 1.
  4. Ensure that the Action field includes both sts:AssumeRoleWithSAML and sts:TagSession permissions.
  5. Click Update policy.

Step 6: Embed an inline policy for Amazon WorkSpaces SAML access

To allow SAML-based access to Amazon WorkSpaces, you need to add an inline policy to the IAM role.

  1. In the IAM role, click the Permissions tab. In the Permissions policies section, open the Add permissions drop-down and select Create inline policy.
    Image: Adding an inline policy to the IAM role for SAML-based access to Amazon WorkSpaces.
  2. In the Policy editor wizard, click the JSON tab.
  3. Replace the following placeholders:
    • <REGION-CODE> → Replace this with the AWS Region where your WorkSpaces directory is located. You can locate the current region in the top-right corner of the AWS Management Console.
    • <DIRECTORY-ID> → Replace the Directory ID with the value you obtain from the WorkSpaces management console.
    • <ACCOUNT ID> → Replace the Account ID with the value you obtain from the Profile section.

    Refer to the image below to identify the Directory ID placeholder.

    Image: Editing the inline policy to replace the Directory ID placeholder with your actual WorkSpaces Directory ID.

    Refer to the image below to identify the Account ID placeholder.

    Image: Editing the inline policy to replace the Account ID placeholder with your actual Account ID.
  4. Review the policy and click Create policy to apply it.
    Image: Reviewing and creating the inline policy for Amazon WorkSpaces SAML access.
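Before clicking Update policy (Step 5) or Create policy (Step 6), it is worth checking that no placeholder was left behind, that both STS actions are present, that SAML:aud equals the Entity ID entered in ADSelfService Plus, and that the inline policy is scoped to one directory rather than a wildcard. The script below is an added example and not part of this article or of ManageEngine's or AWS's own tooling; the two policy documents are constructed samples that mirror the placeholders named above, the `workspaces:Stream` action and `${saml:sub}` condition follow the AWS WorkSpaces SAML setup guide, and the account ID, provider name, directory ID and Entity ID values are made up.

```python
import json
import re

# Constructed sample policies (not from the article or AWS verbatim) mirroring the
# placeholders named in Steps 5 and 6; <REGION-CODE> is deliberately left unreplaced.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ADSelfServicePlus"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml",
                                   "SAML:sub_type": "persistent"}}}]})
INLINE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "workspaces:Stream",  # the action the AWS WorkSpaces SAML guide grants
    "Resource": "arn:aws:workspaces:<REGION-CODE>:123456789012:directory/d-9067abcdef",
    "Condition": {"StringEquals": {"workspaces:userId": "${saml:sub}"}}}]})

PLACEHOLDER = re.compile(r"<[A-Z][A-Z -]*>")  # <ACCOUNT-ID-WITHOUT-HYPHENS>, <ACCOUNT ID>, ...
DIRECTORY_ARN = re.compile(r"^arn:aws:workspaces:[a-z0-9-]+:\d{12}:directory/d-[a-z0-9]{10}$")
REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(doc: str, entity_id: str) -> list[str]:
    """Problems in the role trust policy; an empty list means it is ready to update."""
    problems = [f"unreplaced placeholder {m.group()}" for m in PLACEHOLDER.finditer(doc)]
    for stmt in json.loads(doc)["Statement"]:
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))
        if missing:
            problems.append("missing action(s): " + ", ".join(sorted(missing)))
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != entity_id:  # Note under Step 1: SAML:aud must equal the Entity ID
            problems.append(f"SAML:aud {aud!r} does not match Entity ID {entity_id!r}")
    return problems


def check_inline_policy(doc: str) -> list[str]:
    """Problems in the WorkSpaces inline policy: placeholders or over-broad resources."""
    problems = [f"unreplaced placeholder {m.group()}" for m in PLACEHOLDER.finditer(doc)]
    for stmt in json.loads(doc)["Statement"]:
        for arn in _as_list(stmt.get("Resource", [])):
            if arn == "*":
                problems.append("Resource '*' allows streaming to every WorkSpaces directory")
            elif not DIRECTORY_ARN.match(arn) and not PLACEHOLDER.search(arn):
                problems.append("malformed WorkSpaces directory ARN: " + arn)
    return problems
```

Run `check_trust_policy` with the Entity ID you entered in ADSelfService Plus and `check_inline_policy` on the JSON from the policy editor; both return an empty list when the documents are ready.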

Step 7: Enable integration with SAML 2.0 on your WorkSpaces directory

  1. Sign in to the AWS Management Console and open the Amazon WorkSpaces console.
  2. In the navigation pane, select Directories.
  3. Choose the Directory ID for your WorkSpaces.
    Image: Selecting the WorkSpaces directory in the AWS Management Console.
  4. Under the Authentication section, choose Edit authentication.
    Image: Accessing the authentication settings for a WorkSpaces directory.
  5. Choose Edit SAML 2.0 Identity Provider to configure SAML settings.
    Image: Editing SAML 2.0 Identity Provider settings in the WorkSpaces directory.
  6. Check Enable SAML 2.0 authentication.
  7. Paste the Login URL copied from ADSelfService Plus into the User Access URL field, as outlined above in Step 1.
  8. Manage fallback settings based on your preference by checking or unchecking Allow clients that do not support SAML 2.0 to log in.
    Image: Enabling SAML 2.0 authentication and configuring the User Access URL and IdP deep link for integration with ADSelfService Plus.
  9. Choose Save.
    Image: Confirmation message showing that SAML properties were successfully updated for the WorkSpaces directory.

Validation and confirmation

To validate the Amazon WorkSpaces MFA setup, attempt to access the Amazon WorkSpaces application. When the SSO process is initiated, ADSelfService Plus prompts the user to complete the configured MFA methods before access is granted. This ensures that MFA for Amazon WorkSpaces is properly enforced during the authentication process. After successfully completing the required authentication methods, the user is seamlessly redirected to Amazon WorkSpaces and signed in to their assigned WorkSpace session, confirming that MFA enforcement is functioning as expected.

How to reach support

For further assistance, contact our support team here.