Desktop and Application Streaming

Simplifying Amazon WorkSpaces access with JumpCloud Go: a secure, passwordless approach

Managing passwords is a hassle, much like keeping track of physical keys. In on-premises Active Directory (AD) environments, passwords are both a security risk and a complicated operational problem. This is especially true for remote users who use Amazon WorkSpaces: they may struggle with password management, particularly new joiners or users who have forgotten their passwords, because they have no way to manage their Active Directory password while disconnected from WorkSpaces, which is their primary desktop.

Passwords in on-premises Active Directory environments often pose additional challenges:

  • Password fatigue. The Software-as-a-Service (SaaS) expansion forces users to juggle multiple credentials or authentication workflows alongside Active Directory, leading to security concerns and user frustrations.
  • Password complexity. Administrators are challenged to enforce strict password policies, which often leads users to frequently forget or reset their passwords.
  • Password vulnerabilities. Conventional password-reliant systems are at risk from phishing and brute-force attacks, among other security breaches associated with passwords.

Adopting a passwordless approach for WorkSpaces addresses these issues. Users no longer need to enter their password each time they access WorkSpaces; instead they rely on their devices' security features, including biometrics.

This blog outlines the basics of a passwordless authentication solution for on-premises Active Directory users of WorkSpaces, powered by JumpCloud Go. JumpCloud is an AWS Partner and identity provider (IdP) supported by AWS IAM Identity Center.

High Level Architecture

[Figure: Amazon WorkSpaces - JumpCloud high level architecture]

JumpCloud’s Open Directory Platform

JumpCloud’s open directory platform streamlines technology stack integration, offering a unified solution for identity, access, and device management across your organization. JumpCloud provides centralized identity management, ensuring consistent user identities across the organization, regardless of their source. JumpCloud deployed as a primary identity provider enables the syncing of users, groups, and passwords between JumpCloud and on-premises Active Directory.

A key capability of JumpCloud is JumpCloud Go, which enables passwordless access to protected resources such as WorkSpaces from devices managed by JumpCloud. Users can authenticate with device biometrics such as Apple Touch ID or Windows Hello, which reduces password issues and streamlines multi-factor authentication (MFA). The result is secure, seamless access to protected resources without repetitive password logins.

WorkSpaces Integration with JumpCloud

With WorkSpaces SAML 2.0 authentication, end users access WorkSpaces by authenticating to JumpCloud in their default web browser. This brings JumpCloud's security features to WorkSpaces, including passwordless authentication, multi-factor authentication (MFA), and conditional access policies. SAML 2.0 authentication for WorkSpaces, using AWS Directory Service AD Connector, takes place before the on-premises Active Directory logon, preserving compatibility with the existing domain while adding modern, cloud-based security controls.

WorkSpaces Certificate-Based Authentication

Certificate-based authentication (CBA) removes the prompt for the Active Directory password during WorkSpaces desktop logon. With CBA, JumpCloud authenticates the user and provides a SAML assertion that is strongly mapped to the user's Active Directory account. Combined with the access features included with JumpCloud, CBA enables single sign-on (SSO). CBA uses AWS Private CA resources in your AWS account: when AWS Private CA is used for certificate-based authentication, WorkSpaces automatically requests certificates for your users during session authentication, and users are authenticated to Active Directory with a virtual smart card provisioned with those certificates.

AWS Private CA Connector for Active Directory

AWS Private CA simplifies the creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the overhead and cost of maintaining an on-premises CA. End-entity X.509 certificates issued by your private CAs integrate directly with WorkSpaces CBA. The AWS Private CA Connector for Active Directory streamlines the integration of Private CA resources with Active Directory and satisfies the CBA requirements, including domain controller enrollment, via the AD Connector.
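The passwordless flow described above only holds if the WorkSpaces directory actually has SAML 2.0 enforced (without directory-login fallback) and CBA enabled against a Private CA. The following audit script is an added example, not code from the AWS post or from JumpCloud; it assumes the field names returned by the WorkSpaces DescribeWorkspaceDirectories API and uses constructed sample data, so it runs offline.

```python
# Added example: audit whether WorkSpaces directories are configured for the
# SAML 2.0 + CBA passwordless flow. Field names follow the WorkSpaces
# DescribeWorkspaceDirectories response as assumed here; IDs, ARNs and URLs
# in the sample are constructed placeholders.
from typing import Dict, List

SAMPLE_DIRECTORIES: List[Dict] = [
    {"DirectoryId": "d-example00001", "DirectoryType": "AD_CONNECTOR",
     "SamlProperties": {"Status": "ENABLED", "UserAccessUrl": "https://sso.example.test/ws"},
     "CertificateBasedAuthProperties": {
         "Status": "ENABLED",
         "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"}},
    {"DirectoryId": "d-example00002", "DirectoryType": "AD_CONNECTOR",
     "SamlProperties": {"Status": "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK",
                        "UserAccessUrl": "https://sso.example.test/ws"},
     "CertificateBasedAuthProperties": {"Status": "DISABLED"}},
    {"DirectoryId": "d-example00003", "DirectoryType": "AD_CONNECTOR",
     "SamlProperties": {"Status": "DISABLED"},
     "CertificateBasedAuthProperties": {"Status": "DISABLED"}},
]


def audit_directory(directory: Dict) -> List[str]:
    """Return findings for one directory; an empty list means IdP login and CBA are enforced."""
    findings: List[str] = []
    saml = directory.get("SamlProperties", {})
    cba = directory.get("CertificateBasedAuthProperties", {})
    saml_status = saml.get("Status", "DISABLED")
    if saml_status == "DISABLED":
        findings.append("SAML 2.0 disabled: users sign in with directory passwords only")
    elif saml_status == "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK":
        # Fallback keeps AD password login available, so JumpCloud MFA is not enforced.
        findings.append("SAML fallback allowed: AD password login still possible, IdP MFA not enforced")
    if saml_status != "DISABLED" and not saml.get("UserAccessUrl"):
        findings.append("SAML enabled but no UserAccessUrl configured")
    if cba.get("Status") != "ENABLED":
        findings.append("CBA disabled: desktop logon still prompts for the AD password")
    elif not cba.get("CertificateAuthorityArn", "").startswith("arn:aws:acm-pca:"):
        findings.append("CBA enabled but CertificateAuthorityArn is not an AWS Private CA ARN")
    return findings


def audit_all(directories: List[Dict]) -> Dict[str, List[str]]:
    """Map each DirectoryId to its findings so non-compliant directories stand out."""
    return {d["DirectoryId"]: audit_directory(d) for d in directories}


if __name__ == "__main__":
    for dir_id, findings in audit_all(SAMPLE_DIRECTORIES).items():
        print(dir_id, "OK" if not findings else "; ".join(findings))
```

In a real account, replace SAMPLE_DIRECTORIES with the Directories list from a boto3 describe_workspace_directories() call.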

Conclusion

This blog serves as a foundational overview of a passwordless authentication solution for on-premises Active Directory users of WorkSpaces, powered by JumpCloud Go. By leveraging JumpCloud Go, WorkSpaces SAML 2.0 authentication, CBA, and the AWS Private CA Connector for Active Directory, you achieve:

  • Passwordless logins. Users enjoy passwordless authentication to WorkSpaces once they are authenticated via JumpCloud Go.
  • Interoperability and ease of management. The solution integrates with on-premises Active Directory using fully managed cloud services from AWS and JumpCloud.
  • MFA assurance. Users can use hardware-protected, device-bound authenticators on macOS and Windows together with JumpCloud Go, which together provide up to three authentication factors (knowledge, possession, and biometric/inherence).
  • Phishing-resistant access. JumpCloud Go reduces password and authentication fatigue by allowing users to access resources using trusted device biometrics, after cryptographic verification by JumpCloud, minimizing phishing risks.
  • Seamless, safe experience. The JumpCloud Go user login experience is simple and secure, and promotes safer login habits.

To learn more and get started with WorkSpaces, visit the WorkSpaces management console or review the WorkSpaces Administration Guide. For JumpCloud, visit the AWS Marketplace or the JumpCloud website.

Andrew Defoe. With more than 20 years of experience in the tech industry, Andrew is a Principal Product Manager at AWS. In his role, he is focused on shaping the vision and direction for AWS End User Computing services including Amazon WorkSpaces and AppStream 2.0, providing the security, features, availability, and resiliency users need to get their work done.
John serves as an AWS Partner Solution Architect, taking charge of creating, driving, and implementing technical strategies for ISV partners. As a trusted advisor, he plays a pivotal role in designing scalable, flexible, and resilient cloud architectures. John takes the lead on go-to-market activities for ISV partner’s products built-on and/or integrated with AWS.