cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
295
Views
0
Helpful
3
Replies

Duo SSO with AWS workspaces using simple AD

ankur-sharma
Level 1
Level 1

I want to setup DUO SSO for AWS workspaces using Simple AD directory. I am having trouble identifying what authentication source do I  need to setup in duo in order for this setup to work. 

I have tried setting up AWS IAM Identity center as authentication source in DUO and then setup AWS workspaces app in duo using the official duo docs but when I try to connect to aws workspace using workspaces client it just keeps spinning on sign-in button and does not redirect me to duo sso link that has been added in the Simple AD SAML auth tab.

Can you help me find the correct authentication source that I need to setup in duo in order to make workspaces simple AD work with duo?

1 Accepted Solution

Accepted Solutions

The Amazon WorkSpaces SAML app needs values for email address and username sent in the assertion. Step 10 of the Google Workspace SAML IdP setup https://duo.com/docs/sso#saml mentions the mappings needed to sent attributes. If your attributes are mapped correctly, I am not really sure what the problem could be. If your Duo SSO auth succeeds but on redirect back Amazon is rejecting the SAML response, the logging that would help figure out why would be on the Amazon side, not the Duo side. You likely would have better luck contacting Amazon support at this point.

Duo, not DUO.

View solution in original post

3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

You may not be able to use AWS IAM as the SAML authentication source for this configuration. We have seen with some other instances where someone tries to protect an application in a platform that is also the IdP, such as trying to protect Google Workspace with Duo SSO while pointing to Google directory, or trying to protect Office 365 with Duo SSO while pointing to Entra ID directory, You basically get stuck in a redirect loop where it keeps trying to refer the login to that platform to itself i.e. Amazon > Duo > Amazon > Duo > Amazon > Duo, etc. https://help.duo.com/s/article/3578 describes this situation for Google.

Is there logging in AWS IAM that may help you see what's happening? Or is there any logging in the Workspaces client that might show if it's in a redirect loop?

In this situation we'd recommend using an AD authentication source for Duo SSO via Duo Authentication Proxy https://duo.com/docs/sso#active-directory. But, IIRC that Simple AD is Samba, and does not have all the attributes or classes we require to identify users https://help.duo.com/s/article/3129?language=en_USAWS Managed Microsoft AD does.

Duo, not DUO.

Hi 

So instead of using IAM identity center as authentication source for DUO, I ended up using SAML google workspace as an authentication source for DUO (as described in duo sso guide). And used DUO generic SAML service provider SSO app to connect it to AWS workspaces and created an application tile for this app in duo central.

Now when I try to login from this app, SSO and MFA passes through and I get workspace client login page. But the login to AWS amazon linux workspace fails with an AUTH error while I can login to AWS workspace using the same user that is getting passed from DUO SSO NameID field.

Again AWS workspace if linked to Simple AD and DUO is using google workspace as authentication source. Do you see any challenges with this setup or it can work and there is something that I am missing ?



The Amazon WorkSpaces SAML app needs values for email address and username sent in the assertion. Step 10 of the Google Workspace SAML IdP setup https://duo.com/docs/sso#saml mentions the mappings needed to sent attributes. If your attributes are mapped correctly, I am not really sure what the problem could be. If your Duo SSO auth succeeds but on redirect back Amazon is rejecting the SAML response, the logging that would help figure out why would be on the Amazon side, not the Duo side. You likely would have better luck contacting Amazon support at this point.

Duo, not DUO.
Quick Links