Home » OKTA


Enabling SAML Authentication for AWS AppStream 2.0 with OKTA

OKTA – Create Application

Step Description Screenshot
PRQ Generate metadata from Okta
 1 Be sure to be accessing the ‘Classic UI’ and not the developer console

2 Click Add Applications
3 Search for ‘appstream’

Click Add

4 Provide Application label

Click Done

 5 Click Sign On tab
6 Click Identity Provider metadata

Save the metadata file locally (you will upload this to AWS configuration)

AWS – Create SAML Provider

Step Description Screenshot
PRQ Generate metadata from Okta (above steps)
 1 Open AWS Console

Click IAM

2 Click Identity Providers

Click Create Provider

 3 Choose Provider Type: SAML

Give Provider a Name: <Name>

Upload your okta_metadata.xml file

4 Click Create

Note your ProviderARN

5 You will be taken back to the identity providers screen
6 Click on the provider name ‘Okta’

Take note of your Provider ARN

AWS – Create Policy and Role

Step Description Screenshot
7 In IAM Click Policies

Click Create Policy

8 Click Create Your Own Policy
 9 Give your policy a recognisable Name, Description and paste the policy details as provided

This will give users access to all published stacks

You can change the resource from* to your specific stacks like this:

“Resource”: “arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME“,

10 Policy Details:

This gives users access to stream AppStream apps and to access all Stacks and resources within.

“Version”: “2012-10-17”,
“Statement”: [
“Effect”: “Allow”,
“Action”: “appstream:Stream”,
“Resource”: “*”,
“Condition”: {
“StringEquals”: {
“appstream:userId”: “${saml:sub}”,
“saml:sub_type”: “persistent”
11 Click Roles

Click Create Role

 12 Click Saml 2.0 federation
13 Select your SAML Provider created previously

Tick ‘Allow programmatic access only’

Type in Attribute ‘SAML:aud’

Value: https://signin.aws.amazon.com/saml

Click Next: Permissions

 14 Select the Previously created AppStream Policy

Click Next: Review

 15 Click Create Role
16 Click onto the Role Name and take note of the ARN


OKTA – Configure Application

Step Description Screenshot
17 Take your ARN from both steps 12 and 22

And combine them separated with a comma

I.e. roleARN,providerARN


For example if your Role ARN is:

arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IDP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter (no white spaces):


18 In the Okta Console under your Application

Click the Sign On tab

19 Click Edit
20 Provide the Default Relay State for your appstream sessions


Appstream infrastructure is based in Ireland eu-west-1

AppStream stack is called Appstream

Account id is 123456789123

Our Relay State URL example


See AWS Documentation

21 Provide the Role ARN and Idp ARN


Select Application username format: Okta username

 22 Click Save
 23 Assign this application to your Okta users

Click Assignments Tab

Click Assign to People/groups

Click Assign button against each Okta user you want to have access to this new app.


Okta Guide –


AWS Guide – http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms