10-22-2024 11:38 PM
I want to set up Duo SSO for AWS WorkSpaces using a Simple AD directory. I am having trouble identifying which authentication source I need to set up in Duo in order for this setup to work.
I have tried setting up AWS IAM Identity Center as the authentication source in Duo and then set up the AWS WorkSpaces app in Duo using the official Duo docs, but when I try to connect to the AWS workspace using the WorkSpaces client it just keeps spinning on the sign-in button and does not redirect me to the Duo SSO link that has been added in the Simple AD SAML auth tab.
Can you help me find the correct authentication source that I need to set up in Duo in order to make WorkSpaces with Simple AD work with Duo?
10-25-2024 07:35 AM
The Amazon WorkSpaces SAML app needs values for email address and username sent in the assertion. Step 10 of the Google Workspace SAML IdP setup https://duo.com/docs/sso#saml mentions the mappings needed to send attributes. If your attributes are mapped correctly, I am not really sure what the problem could be. If your Duo SSO auth succeeds but on redirect back Amazon is rejecting the SAML response, the logging that would help figure out why would be on the Amazon side, not the Duo side. You likely would have better luck contacting Amazon support at this point.
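A quick way to verify what the reply above asks about, as an added example that is not part of this thread and not Duo's or Amazon's code: parse a SAML Response and report which required attributes are missing or empty. The attribute names ("email", "username") and the sample response are constructed placeholders; substitute the names your SAML app documents. This checks presence only, not the signature.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def extract_assertion(response_xml: str) -> dict:
    """Return the NameID and a {attribute name: [values]} map from a Response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in Response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {"name_id": name_id, "attributes": attrs}


def missing_attributes(parsed: dict, required: list) -> list:
    """Names from `required` that are absent or carry only empty values."""
    attrs = parsed["attributes"]
    return [n for n in required if not any(v.strip() for v in attrs.get(n, []))]


# Constructed sample (not a real capture): username is present, email is empty,
# which is the kind of mapping gap that makes the SP reject an otherwise valid login.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Placeholder attribute names; replace with the ones your SP's SAML app requires.
REQUIRED = ["email", "username"]

if __name__ == "__main__":
    parsed = extract_assertion(SAMPLE_RESPONSE)
    print("NameID:", parsed["name_id"])
    print("missing or empty:", missing_attributes(parsed, REQUIRED))
```

Feed it the base64-decoded Response captured from the browser during the failing login. For input you do not control, parse with defusedxml instead of xml.etree.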
10-24-2024 08:28 AM
You may not be able to use AWS IAM as the SAML authentication source for this configuration. We have seen other instances where someone tries to protect an application in a platform that is also the IdP, such as trying to protect Google Workspace with Duo SSO while pointing to Google directory, or trying to protect Office 365 with Duo SSO while pointing to Entra ID directory. You basically get stuck in a redirect loop where it keeps trying to refer the login to that platform, i.e. Amazon > Duo > Amazon > Duo > Amazon > Duo, etc. https://help.duo.com/s/article/3578 describes this situation for Google.
Is there logging in AWS IAM that may help you see what's happening? Or is there any logging in the Workspaces client that might show if it's in a redirect loop?
In this situation we'd recommend using an AD authentication source for Duo SSO via Duo Authentication Proxy https://duo.com/docs/sso#active-directory. But, IIRC, Simple AD is Samba, and does not have all the attributes or classes we require to identify users https://help.duo.com/s/article/3129?language=en_US. AWS Managed Microsoft AD does.
10-24-2024 10:18 PM
Hi
So instead of using IAM Identity Center as the authentication source for Duo, I ended up using SAML Google Workspace as the authentication source for Duo (as described in the Duo SSO guide), used the Duo generic SAML service provider SSO app to connect it to AWS WorkSpaces, and created an application tile for this app in Duo Central.
Now when I try to log in from this app, SSO and MFA pass through and I get the WorkSpaces client login page. But the login to the AWS Amazon Linux workspace fails with an AUTH error, while I can log in to the AWS workspace using the same user that is getting passed from the Duo SSO NameID field.
Again, the AWS workspace is linked to Simple AD and Duo is using Google Workspace as the authentication source. Do you see any challenges with this setup, or can it work and there is something that I am missing?