How to configure Desktop Single Sign-On using OKTA with audio optimization for Amazon Connect on Amazon Workspaces

Today, organizations employ agents who utilize applications running in a Virtual Desktop Environment (VDI) such as Amazon Workspaces  that allows agents to use multiple applications in the cloud without incurring high costs of hardware procurement.

In a VDI environment the Amazon Connect CCP (Contact Control Panel) can cause impact to audio quality, and is required to run media(audio) on the local desktop with the standard CCP and signaling in the virtual desktop using a customized CCP built using the Amazon Connect Streams API.

When you have to run two separate Amazon Connect CCP environments, challenge arises where agent login twice into the separate Amazon Connect CCP. Organizations can setup Single Sign-On which allows their agents to access Amazon Connect CCP application without entering any credentials.

This blog describes how to configure desktop single sign-on with OKTA and allow audio optimization for Amazon Connect on Amazon Workspaces.

What is Desktop single Sign on ?

With Desktop Single Sign-on (DSSO), users are automatically authenticated by your identity provider when they sign in to your Windows network. When your identity provider receives a Kerberos ticket from the browser, it validates the ticket against the domain defined in the Desktop SSO configuration. If validation succeeds, it retrieves the required information from the ticket; generates a SAML assertion with the username and required variables and passes it to the Service provider.
In this way, users can access applications without entering additional usernames or passwords. DSSO improves the user experience because users sign in a single time and don’t need separate credentials for each application, they access through identity provider.

Overview of solution

In this solution, we will demonstrate how you can apply desktop single sign on, using OKTA, as your identity provider with Amazon Workspaces as the virtual desktop environment and Amazon Connect.

User authentication flow:

1. To authenticate with Amazon Workspaces, users will enter their username and password via Amazon Workspace client. If you have configured Single Sign-On with Amazon Workspaces, then you will be authenticated with your identity provider.
2. After the successfully authentication on workspace client, this workflow will split in 2 different ways.
   2a) On the endpoint, a browser will open with the pre-defined URL of media CCP.
   2b) All the group policies will apply on the Amazon Workspaces and once the desktop loads, a browser will open with pre-defined URL of medialess CCP.
3. MediaCCP and medialess CCP will redirect the browser to authenticate with OKTA url. Both browsers within the Amazon Workspace(3b) or outside of the Workspaces(3a) will connect to OKTA for desktop SSO.
4. After successful authentication of OKTA, OKTA will send SAML token (4a and 4b) to the browser along with redirection URLs of the media and medialess CCP.
5. 5a) On the endpoint, the browser will redirect to the mediaCCP.
   5b) In the Amazon Workspaces, the browser will redirect the medialess CCP.
6. You are now successfully logged into Amazon Connect CCPs from the endpoint and Amazon Workspaces without any passport prompt.

Walkthrough

For this scenario you will perform the following steps :

• Configure desktop single sign on in OKTA.
• Configure required group policies in Active Directory and apply this group policy on end user desktops and Amazon Workspaces.
• Configure Amazon Connect audio optimization for Amazon Workspaces.
• SSO testing of media less CCP within Amazon Workspace and media based CCP from the end user’s endpoint.

Prerequisites

For this walkthrough, you should have the following:

• An AWS account.
• An Amazon Connect instance configured with SAML 2.0 based authentication with OKTA Identity for Single Sign On – If you don’t have this configured, you can do so by following the instructions in the Configure Single Sign-On for Amazon Connect Using Okta blog written by my colleagues.
• AWS Managed Active Directory or AWS AD Connector.
• An Amazon Workspace that is a domain member of standalone Active Directory using AD Connector or AWS Managed Active Directory.
• End user desktop must be a domain member of same standalone Active Directory or AWS Managed Active Directory. It is required for implementation of desktop SSO and seamless Single-Sign on Amazon Connect media CCP on desktop and media less CCP on Amazon Workspaces.
• Knowledge of configuring a Contact Center using Single Sign On, and Kerberos.
• Admin should have Super Administrative role on the OKTA.
• Domain Admin privilege or delegated permissions to create group policies, create user account and modify service principal name will be require on Active Directory. In case of AWS managed AD, user ID must be a member of “AWS Delegated Administrators” AD group.
• Experience in creating and managing Active Directory Group Policies.

Steps to configure desktop single sign on with Amazon Workspace, Amazon Connect using OKTA.

Step 1: Creation of service account in the AWS Managed Active Directory or standalone Active Directory for Desktop SSO.

1. Create a service account in Active Directory. Clear “User must change password at next logon” checkbox during account creation.
2. Open a command prompt and run this command to configure an SPN for the service account:

setspn -S HTTP/<myorg>.kerberos.<oktaOrg >.com <ServiceAccountName>

Select the configuration as below:

• <myorg> is the value of your unique OKTA domain. For example : if https://atko.okta.com is your OKTA login URL, then atko will be the value for <myorg>
• <oktaOrg> is your Okta org (either oktapreview, okta-emea or okta).
• HTTP/<myorg>.kerberos.<oktaOrg>.com is the SPN.
• <ServiceAccountName> is the value you used when configuring Agentless DSSO

For example, setspn -S HTTP/atko.kerberos.okta.com atkospnadmin.

Step 2: Turn On Desktop SSO feature in OKTA console

1. Login to Okta admin console.
2. In the navigation pane, Select Security and choose delegated authentication.
3. Scroll down to Agentless Desktop SSO.
4. Click Edit and Select a Desktop SSO mode : ON.
5. Select “edit” option under Active Directory instances where you want to turn on  Agentless Desktop SSO.
6. Choose “Enabled from the Desktop SSO drop down list. Provide username and password of the service account created earlier in the steps.
7. Select Save.
8. In the navigation pane, select Security and choose Identity Providers.
9. Select Routing Rules and then select the AgentlessDSSO rule.
10. Click Edit.
11. Select the settings as below
    • User’s IP is – Select “Anywhere” to apply the rule to any user location. This setting will ensure that DesktopSSO to be initiate, If request for DSSO receives from any IP address.
    • User’s device platform is – Select “Any device” to apply the rule to users with any device type. This setting will ensure that DesktopSSO to be initiated, If request for DSSO receives from any user device platform.
    • User is accessing – Select “Any application” to apply the rule when a user accesses any OKTA application.
    • Use this identity provider – Select AgentlessDSSO.
12. Click Update Rule to save your changes.
13. You can also restrict the above rules with desired filters using this documentation.
14. Select “Inactive”, choose “Activate”, and then “Activate” in the “Activate Rule” dialog box to activate the rule.

Step 3. Configure domain group policy for agentless Desktop Single Sign-on on Windows browsers.

Chrome browser:

1. Download Google chrome bundle.
2. Extract the bundle.
3. Copy ADML and ADMX files to Sysvol policy definition folder. (\\<domain>\sysvol\<domain>\policies\policydefinitions)
4. Create a group policy in the Active Directory and link it to the OU where computer objects of workspaces and desktops are created.
5. Edit the group policy and navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Google > Google Chrome > HTTP Authentication
6. Modify “Authentication server Allowlist” and add the URL <myorg>.kerberos.<oktaOrg>.com

Select the configuration for URL as below:

<myorg> is the value of your unique OKTA domain. For example : if https://atko.okta.com is your OKTA login URL, then atko will be the value for <myorg>. <oktaOrg> is your Okta org (either oktapreview, okta-emea or okta).

For example : atko.kerberos.okta.com

Firefox browser:

1. Download Firefox policy template bundle.
2. Extract the bundle.
3. Copy ADML and ADMX files to Sysvol policy definition folder. (\\<domain>\sysvol\<domain>\policies\policydefinitions)
4. Create a group policy in the Active Directory and link it to the OU where computer objects of workspaces and desktops are created.
5. Edit the group policy and navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Mozilla > Firefox > Authentication
6. Modify SPNEGO settings and add the URL <Okta-org>.kerberos.okta.com

Select configuration for URL as below:

<myorg> is the value of your unique OKTA domain. For example : if https://atko.okta.com is your OKTA login URL, then atko will be the value for <myorg>. <oktaOrg> is your Okta org (either oktapreview, okta-emea or okta).

For example: atko.kerberos.okta.com

Step 4:  Configure Amazon Connect audio optimization for workspaces :

1. Get the embedded app URL from OKTA.
   1. Login to Okta Admin console and select Applications, and then choose Applications from the navigation pane.
   2. Select the Application created for SAML 2.0 based authentication with Amazon Connect.
   3. Select General.
   4. Under App Embed Link, copy the application URL. This will be used in a later step.
2.  Configure Amazon Connect audio optimization for workspaces using app URL.
   1. Open the Workspaces console at https://console.aws.amazon.com/workspaces/.
   2. In the navigation pane, choose Directories.
   3. Select your directory. (AWS Managed Directory)
   4. Under Connect Audio Optimization section, Select “Enable connect audio optimization.
   5. Enter Connect Control Panel(CCP) Name, any desired name.
   6. In the Connect Control Panel(CCP) URL field, enter App URL copied in the previous step.
   7. Select Save.
   8. Reconfigure your media less CCP URL to allow Desktop SSO with OKTA URL. For an example, see step 7 of Optimize your Amazon Connect call audio path with Amazon AppStream 2.0.

Cleaning up

1. Remove Amazon Connect audio optimization settings in Amazon Workspaces.
   1. Open the Workspaces console at https://console.aws.amazon.com/workspaces/.
   2. In the navigation pane, choose Directories.
   3. Select your directory. (AWS Managed Directory)
   4. Under Connect Audio Optimization section, Select Edit.
   5. Select “Delete Amazon Connect”.
2. Turn Off the Agentless Desktop SSO in the OKTA security console.
   1. Login to Okta admin console.
   2. In the navigation pane, Select Security and choose delegated authentication.
   3. Scroll down to Agentless Desktop SSO.
   4. Click Edit and Select a Desktop SSO mode : Off.
3. Delete service account created for OKTA SSO.
   Connect to Active Directory and delete the service account created in the Step 1 for OKTA SSO during the setup.
4. Cleanup of domain group policy settings of browser applied on local desktop and workspaces.

   Chrome Browser:

   1. Connect to Active Directory.
   2. Edit the group policy created in Step 3 during the setup.
   3. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Google > Google Chrome > HTTP Authentication.
   4. Modify “Authentication server Allowlist” and select “Not Configured”.
   5. Save the policy.

   Firefox:

   1. Connect to Active Directory.
   2. Edit the group policy created in Step 3 during the setup.
   3. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Mozilla > Firefox > Authentication
   4. Modify SPNEGO settings and select “Not configured”.
   5. Save the policy.

   By default, group policy is automatically refreshed every 90 minutes with randomized offset of upto 30 minutes. These changes will apply on all the computer objects of local desktop and Amazon Workspaces present in the OU to which this group policy was linked.

Conclusion

In this post, you learned how to configure desktop SSO and audio optimization in Amazon Workspaces for Amazon Connect using OKTA. The key goal of desktop SSO to remove a password prompt for the user to login to Amazon Connect.

We have outlined the authentication workflow from end user desktop, Workspaces, OKTA and Amazon Connect. By implementing this setup, you have streamlined and improved the end user experience. You have also reduced reliance on passwords with desktop SSO.

To learn more about Amazon Workspaces, please review the administration guide and you can get more information about Amazon Connect in VDI environment using this link.

If you’d like to discuss how to configure desktop single sign-on described in this blog for your specific use case, we’d love to hear from you. Just reach out to your account team.

	Ajay Saini is a End User Compute Specialist Solution Architect. He works with his customer to help them understand the best practices, accelerate their architecture design, migrate and modernize their existing Virtual Desktop Infrastructure (VDI) to AWS. In his spare time, he enjoys travel and spending time with his family
	Swaraj Kankipati is a Senior specialist solution architect for Amazon Connect based out of Glastonbury, Connecticut, helps with customer growth and adoption of Amazon Connect.