Configure Amazon WorkSpaces

AWS WorkSpaces (WS) supports RADIUS for MFA authentication.

The Amazon WorkSpace app allows use of the Okta RADIUS agent for multifactor authentication on Amazon WorkSpaces. End users can sign into Amazon WorkSpaces using factors registered with Okta. This integration shows how to configure AWS WorkSpaces using Active Directory to support authentication using Okta MFA and Okta Verify Push.

Before you begin

Meet the following network connectivity requirements before you install the Okta RADIUS agent:

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443


Configuration and authentication traffic.
Client Gateway Okta RADIUS Agent UDP/1812 RADIUS (Default, you can change this when you install and configure the RADIUS app) RADIUS traffic between the gateway (client) and the RADIUS agent (server).

In addition, you must configure Amazon Web Services as:

In addition, you must configure Amazon Web Services as:

Amazon Web Services instances, configured as:

  • Instance A: represents the Amazon Directory Service virtual machine instance.
  • Instance B: represents the Windows 2012r2 host on which to install the Okta RADIUS agent.

    The AWS Directory Service requires the private IP address of Instance B to delegate the MFA challenge over RADIUS.

AWS Directory Service instance, configured and pointing to Instance A, running Active Directory. You must have the Directory ID of the AWS Directory Service. Directory ID is used to determine the name of the Security Group.

The AWS Directory service requires the private IP address of Instance B to delegate the MFA challenge over RADIUS. If that private IP changes the AWS Directory MFA configuration must be updated to reflect the new private IP.


Enroll only a single Okta Verify device. Adding more Okta Verify devices can cause undefined or unexpected behavior.

If you've migrated a RADIUS-configured org from Classic Engine and you configure the Okta Verify authenticator with the number challenge, the challenge may be presented to RADIUS users even though it's not supported. To prevent this, enable the Early Access feature Disable number matching challenge for RADIUS. See Enable self-service features.

Supported authenticators

WorkSpaces supports the following authenticators:


DUO MFA with Push/SMS/Call isn't supported for Amazon Workspaces with RADIUS. When an end user that's enrolled in Okta with DUO MFA attempts to access Amazon Workspaces configured with RADIUS, they must provide the six digit MFA passcode displayed on the DUO mobile app in addition to their primary password.

Google Authenticator
Okta Verify (TOTP and PUSH)
SMS and Voice authentication

Typical workflow



Configure AWS Preconfigure Amazon WS instances with required Active Directory, EC2 and workspace.
Download and install the RADIUS agent Download and install the Okta RADIUS agent on Instance B.

For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

Create inbound AWS rules Create inbound rules to allow the RADIUS agent to communicate with an AWS Directory Service instance.
Configure application In your Okta org, configure the Amazon WorkSpaces application and required factors.
Configure Amazon WorkSpaces for MFA Amazon WorkSpaces must be configured for MFA.
Provision Users AWS WorkSpace users are managed in Active Directory but must be provisioned into Okta.

Related topics