Configure Amazon WS Workspace to interoperate with Okta via RADIUS

AWS WorkSpaces (AWSW) supports RADIUS for MFA authentication.

The Amazon WorkSpace app allows use of the Okta RADIUS agent for multi-factor authentication on Amazon WorkSpaces. End-users can sign into Amazon WorkSpaces using factors registered with Okta. This integration shows how to configure AWS WorkSpaces using Active Directory to support authentication using Okta MFA and Okta Verify Push..

Before you begin

Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity:

Source	Destination	Port/Protocol	Description
Okta RADIUS Agent	Okta Identity Cloud	TCP/443 HTTP	Configuration and authentication traffic
Client Gateway	Okta RADIUS Agent	UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration)	RADIUS traffic between the gateway (client) and the RADIUS Agent (server)

In addition, you must configure Amazon Web Services as:

In addition, you must configure Amazon Web Services as:
Amazon Web Services instances, configured as: Instance A - represents the Amazon Directory Service virtual machine instance. Instance B - represents the Windows 2012r2 host where the Okta RADIUS agent will be installed. The AWS Directory Service will require the private IP address of Instance B to delegate the MFA challenge over RADIUS..
AWS Directory Service instance, configured and pointing to Instance A, running Active Directory. Note: You must have the Directory ID of the AWS Directory Service. The Directory ID is used to determine the name of the Security Group. Note: The AWS Directory service will require the private IP address of Instance B to delegate the MFA challenge over RADIUS. If that private IP changes the AWS Directory MFA configuration must be updated to reflect the new private IP.

Amazon Web Services instances, configured as:

Instance A - represents the Amazon Directory Service virtual machine instance.
Instance B - represents the Windows 2012r2 host where the Okta RADIUS agent will be installed.
The AWS Directory Service will require the private IP address of Instance B to delegate the MFA challenge over RADIUS..

AWS Directory Service instance, configured and pointing to Instance A, running Active Directory.
Note: You must have the Directory ID of the AWS Directory Service. The Directory ID is used to determine the name of the Security Group.

Note: The AWS Directory service will require the private IP address of Instance B to delegate the MFA challenge over RADIUS. If that private IP changes the AWS Directory MFA configuration must be updated to reflect the new private IP.

Supported factors

The following MFA Factors are supported by AWSWS:

Duo

DUO MFA with Push/SMS/Call is not supported for Amazon Workspaces with RADIUS.
When an end user, enrolled in Okta with DUO MFA, attempts to access Amazon Workspaces configured with RADIUS, they must provide the six digit MFA passcode displayed on the DUO mobile app in addition to their primary password.

Google Authenticator

Okta Verify (TOTP and PUSH)

SMS authentication

Voice Call

Typical workflow

Task	Description
Configure AWS	Preconfigure Amazon WS instances with required Active Directory, EC2 and workspace.
Download and install the RADIUS agent	Download and install the Okta RADIUS agent on Instance B. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
Create inbound AWS rules	Create inbound rules to allow the RADIUS agent to communicate with an AWS Directory Service instance.
Configure application	In your Okta org, configure the Amazon WorkSpaces application and required factors
Configure Amazon WorkSpaces for MFA	Amazon WorkSpaces must be configured for MFA.
Provision Users	AWS WorkSpace users are managed in Active Directory but must be provisioned into Okta.

Configure Amazon WS Workspace to interoperate with Okta via RADIUS

Topics

Before you begin

Supported factors

Typical workflow

Related topics