G Suite SAML 2.0 Federation with Amazon AppStream 2.0

Amazon AppStream 2.0 can be federated with G Suite third-party SAML 2.0 which will allow users to access the stack and start streaming applications. This blog post will walk you through the steps to successfully configure and enable federation for AppStream 2.0 stack using Google (G Suite) as the identity provider (IdP).
Before you begin, you must have:

  • An AWS account
  • An Amazon AppStream 2.0 stack, configured and working
  • A G Suite subscription with an admin account


I. Download Google Metadata

  1. Login to G Suite Admin Console – AppsSAML apps
  2.  Open SAML apps, click on (Enable SSO for SAML Applcation).
  3. Type “Amazon Web Services” in the search box and click on the arrow.
  4. Download and save the IDP metadata option to your local computer to be used later.

II. Create Google SAML 2.0 Identity Provider

  1. Login to AWS console and navigate to IAM dashboard.
  2. Click on Identity Providers -> Create Provider
  3. Select  the following:
  4. Provider Type: SAML
  5. Provider Name: Give it-a-name, for this demo, will name it GoogleSSO
  6. Metadata Document: upload the file you downloaded in #4 above.
  7. Click next, and create.

III. Configure AppStream IAM Role in AWS

The IAM role grants users the permissions to access the stack.

  1. In IAM dashboard, click on Role, Create role
  2. Role type, choose SAML 2.0 federation
  3. SAML Provider, select the SAML IdP that you created in #5 above.
  4. DO NOT choose either of the two SAML 2.0 access methods (Allow programmatic access only or Allow programmatic and AWS Management Console access)
  5. Attribute, choose SAML: sub_type.
  6. Value, type persistent
  7. Click next:permission, next:Tags,next:Review
  8. Type in role name and create. For this demo, it is named: DemoAppstreamAccessRole

IV. Create and embed an Inline Policy






The inline policy provides permission needed by federated users to access to the AppStream 2.0 stack. Create the policy using the below sample and embed in the role created in section V. above. Change the region code, account id, and stack name to reflect what you have.

  • REGION-CODE: AWS Region where your AppStream 2.0 stack exists
  • ACCOUNT-ID: Your AWS account ID with no space or hyphens 
  • STACK-NAME: The name of the stack. This is case sensitive and must be exact.
  • Example: arn:aws:appstream:us-west-2:123456789012:stack/DemoApps

               Example: arn:aws:appstream:us-west-2:123456789012:stack/

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "appstream:Stream",
"Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID:stack/STACK-NAME",
"Condition": {
"StringEquals": {
"appstream:userId": "${saml:sub}"

V. Configure Federation Relay State

Configure the relay state of your federation to point to the AppStream 2.0 URL. The relay state is the stack portal to which users are forwarded after successful authentication by AWS.

Use the below format and change the relay state region endpoint, stack name, and account id with yours. This will be used as the start URL for Google IdP configuration.

To find out the relay state endpoints for a particular region, refer to this link

Example: https://appstream2.us-west-2.aws.amazon.com/saml?stack=DemoApps&accountId=123456789012
Relay state URL format: https://relay-state-region-endpoint?stack=stackname&accountId=aws-account-id

VI. Create Attributes and SAML 2.0 In G Suite

  1. Login to G Suite Admin Console
  2. Select Users, click on “More” and select “Managed custom attributes
  4. Category: Enter name for example SAML-USER-ATTRIBUTE
    Description: Enter a description
    Custom Field 1: FederationRole, Text, Visible to user and admin, Single Value
    Custom Field 2: SessionDuration, Whole Number, Visible to user and admin, Single Value
  5. At the G Suite Admin Console, navigate to AppsSAML apps
  6. Open SAML apps, click on (Enable SSO for SAML Applcation).
  8. Click Next on the Google IdP Information
  9. Enter the application name and upload an optional logo if needed. Click Next.
  10. Enter the following in the Service Provider details and click Next
    ACS URL *: https://signin.aws.amazon.com/saml
    Entity ID *: https://signin.aws.amazon.com/saml
    Start URL: relay state url created in section V
    Certificate: Leave as is. No Change
    Signed Response: DO NOT Check. Leave blank
    Name ID: Basic Information, Primary Email
    Name ID Format: PERSISTENT
  11. Enter the following in Attribute Mapping and click Finish.
    https://aws.amazon.com/SAML/Attributes/RoleSessionName, Basic Information, Primary Email
    https://aws.amazon.com/SAML/Attributes/Role,SAML-USER-ATTRIBUTE, FederationRole
    https://aws.amazon.com/SAML/Attributes/SessionDuration, SAML-USER-ATTRIBUTE, SessionDuration
  12. Click OK to complete setup.
  13. At the G Suite Admin Console, navigate to Users, select a user, expand the user information, edit the the “SAML-USER-ATTRIBUTE” with the following information. and save once complete. The Role-ARN and IDP-ARN is what was created in section II and III above.
  14. FederationRole: Role-ARN, IDP-ARN
    Example: arn:aws:iam::123456789012:role/DemoAppstreamAccessRole,arn:aws:iam::123456789012:saml-provider/GoogleSAML
    SessionDuration: max duration in seconds of AppStream 2.0. Enter 3600 for this demo
    Example: 3600


VII. Turn on SAML 2.0 AppStream App

At the G Suite Admin Console, go to Apps, SAML Apps, Edit the AppStream 2.0 application and turn on for Everyone or by selective Organizational Unit

Test your AppStream 2.0 federation by clicking the application menu in the far right and launch the selected app.

A successful login should look something like this:

Additional Information:

  • https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-relay-state


Leave a Reply

Your email address will not be published. Required fields are marked *