Certificate-Based Authentication - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Certificate-Based Authentication

You can use certificate-based authentication with WorkSpaces Pools joined to Microsoft Active Directory. This removes the user prompt for the Active Directory domain password when a user logs in. By using certificate-based authentication with your Active Directory domain, you can:

  • Rely on your SAML 2.0 identity provider to authenticate the user and provide SAML assertions to match the user in Active Directory.

  • Create a single sign-on logon experience with fewer user prompts.

  • Enable passwordless authentication flows using your SAML 2.0 identity provider.

Certificate-based authentication uses Amazon Private Certificate Authority (Amazon Private CA) resources in your Amazon Web Services account. With Amazon Private CA, you can create private certificate authority (CA) hierarchies, including root and subordinate CAs. You can also create your own CA hierarchy and issue certificates from it that authenticate internal users. For more information, see What is Amazon Private CA.

When you use Amazon Private CA for certificate-based authentication, WorkSpaces Pools requests certificates for your users automatically at session reservation for each WorkSpace in a WorkSpaces Pool. It authenticates users to Active Directory with a virtual smart card provisioned with the certificates.

Certificate-based authentication is supported on domain-joined WorkSpaces Pools that run Windows instances.

Contents