Overview of Active Directory Domains - Amazon WorkSpaces

Overview of Active Directory Domains

Using Active Directory domains with WorkSpaces Pools requires an understanding of how the two work together and of the configuration tasks involved. You need to complete the following tasks:

  1. Configure Group Policy settings as needed to define the end user experience and security requirements for applications.

  2. Create the domain-joined directory in WorkSpaces Pools.

  3. Create the WorkSpaces Pools application in the SAML 2.0 identity provider and assign it to end users either directly or through Active Directory groups.

User Authentication Flow

  1. The user browses to https://applications.exampleco.com. The sign-on page requests authentication for the user.

  2. The federation service requests authentication from the organization's identity store.

  3. The identity store authenticates the user and returns the authentication response to the federation service.

  4. On successful authentication, the federation service posts the SAML assertion to the user's browser.

  5. The user's browser posts the SAML response, which carries the assertion, to the Amazon Sign-In SAML endpoint (https://signin.aws.amazon.com/saml). Amazon Sign-In receives the SAML response, validates it, authenticates the user, and forwards the resulting authentication token to the WorkSpaces Pools service.

  6. Using the authentication token from Amazon, WorkSpaces Pools authorizes the user and presents applications to the browser.

  7. The user chooses an application and, depending on the Windows login authentication method that is enabled on the WorkSpaces Pools directory, is prompted to enter their Active Directory domain password or to choose a smart card. If both authentication methods are enabled, the user can choose whether to enter their domain password or use their smart card. If certificate-based authentication is enabled, the user is authenticated to the domain with a certificate instead and sees no prompt.

  8. The domain controller is contacted for user authentication.

  9. After being authenticated with the domain, the user's session starts with domain connectivity.

From the user's perspective, this process is transparent. The user starts by navigating to your organization's internal portal and is redirected to a WorkSpaces Pools portal, without having to enter Amazon credentials. Only an Active Directory domain password or smart card credentials are required.
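The following Python example, added here and not part of the WorkSpaces documentation or of any AWS code, models the checks a SAML service provider such as Amazon Sign-In performs on the response the browser posts in step 5 before it trusts the assertion and issues a token: the Destination must be the sign-in endpoint, the IdP must report success, the assertion must be inside its validity window (with a small clock-skew allowance), the audience must be the one the service expects, and the Role and RoleSessionName attributes must be present and well formed. It assumes the audience value urn:amazon:webservices and the attribute names https://aws.amazon.com/SAML/Attributes/Role and https://aws.amazon.com/SAML/Attributes/RoleSessionName that AWS SAML federation uses in commercial Regions; the IdP URL, account ID, role and provider names, and user are all hypothetical, and the response is constructed inline and unsigned. XML signature verification against the IdP certificate is deliberately left out, and is the first thing a real consumer does; none of the checks below mean anything on an unsigned response.

```python
# Added example (not AWS code): consumer-side checks on a SAML 2.0 Response.
# Signature verification is omitted; a real SP verifies it against the IdP
# certificate first. Audience and attribute names are assumed (commercial Regions).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://signin.aws.amazon.com/saml"          # endpoint named on the page
AUDIENCE = "urn:amazon:webservices"                     # assumed audience value
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_response(not_before, not_on_or_after, audience=AUDIENCE,
                   destination=ACS_URL, name_id="alice@exampleco.com"):
    """Constructed, unsigned sample response; IdP, account and role names are hypothetical."""
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{fmt(not_before)}" Destination="{destination}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{fmt(not_before)}">
    <saml:Issuer>https://idp.exampleco.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>arn:aws:iam::123456789012:role/WorkSpacesPoolsUsers,arn:aws:iam::123456789012:saml-provider/ExampleCoIdP</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>{name_id}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z; a missing one fails to parse."""
    return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, skew=timedelta(seconds=60)):
    """Return the claims the sign-in endpoint would forward, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the sign-in endpoint")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if cond is None:
        raise ValueError("assertion or its Conditions missing")
    # Validity window, with a small allowance for clock skew between IdP and SP.
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} does not include {AUDIENCE}")
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    roles = []
    for value in attrs.get(ROLE_ATTR, []):            # "role-arn,provider-arn" in either order
        parts = [p.strip() for p in value.split(",")]
        role = [p for p in parts if ":role/" in p]
        provider = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role value: {value!r}")
        roles.append((role[0], provider[0]))
    session = attrs.get(SESSION_ATTR, [None])[0]
    if not roles or not session:
        raise ValueError("Role or RoleSessionName attribute missing")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "session_name": session, "roles": roles}


def demo():
    """Validate one fresh response and collect the reasons three bad ones are rejected."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    fresh = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    claims = validate_response(build_response(*fresh), now)
    bad = {"expired": build_response(now - timedelta(hours=2), now - timedelta(hours=1)),
           "wrong_audience": build_response(*fresh, audience="urn:someone:else"),
           "wrong_destination": build_response(*fresh, destination="https://attacker.example/acs")}
    rejected = {}
    for label, resp in bad.items():
        try:
            validate_response(resp, now)
        except ValueError as exc:
            rejected[label] = str(exc)
    return claims, rejected


if __name__ == "__main__":
    print(demo())
```

The three rejected cases are the ones that matter most in practice: a replayed assertion fails the time window, an assertion minted for another service provider fails the audience check, and an assertion redirected to a different endpoint fails the Destination check. The Role attribute value pairs the IAM role to assume with the SAML provider that vouches for it, which is what ties the federated identity to the entitlements you configured for the directory.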

Before a user can initiate this process, you must configure Active Directory with the required entitlements and Group Policy settings and create a domain-joined WorkSpaces Pools directory.