AWS Security ChangesHomeSearch

AWS workspaces high security documentation change

Service: workspaces · 2025-03-05 · Security-related high

File: workspaces/latest/adminguide/certificate-based-authentication.md

Summary

Changed ObjectSid attribute configuration from optional to required in SAML assertions and added Microsoft KB note about mandatory requirement

Security assessment

Directly addresses authentication requirements tied to Microsoft security update KB5014754, indicating a security-related change in certificate-based authentication enforcement

Diff

diff --git a/workspaces/latest/adminguide/certificate-based-authentication.md
index b9fb88c88..9d57f1a3a 100644
--- a/workspaces/latest/adminguide/certificate-based-authentication.md
+++ b/workspaces/latest/adminguide/certificate-based-authentication.md
@@ -43 +43,5 @@ Complete the following steps before enabling certificate-based authentication.
-  3. Configure the `ObjectSid` attribute in your SAML assertion. This is optional to perform strong mapping to the Active Directory user. Certificate-based authentication will fail if the attribute does not match the Active Directory security identifier (SID) for user specified in the SAML_Subject `NameID`. For more information, see [Create Assertions for the SAML Authentication Response](https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#create-assertions-saml-auth).
+  3. Configure the `ObjectSid` attribute in your SAML assertion. This is required to perform strong mapping to the Active Directory user. Certificate-based authentication will fail if the attribute does not match the Active Directory security identifier (SID) for user specified in the SAML_Subject `NameID`. For more information, see [Create Assertions for the SAML Authentication Response](https://docs.aws.amazon.com/workspaces/latest/adminguide/setting-up-saml.html#create-assertions-saml-auth).
+
+###### Note
+
+According to [Microsoft KB5014754](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16), the `ObjectSid` attribute will become mandatory for certificate-based authentication after September 10, 2025