AWS Security ChangesHomeSearch

AWS appstream2 documentation change

Service: appstream2 · 2025-11-07 · Documentation low

File: appstream2/latest/developerguide/external-identity-providers-setting-up-saml.md

Summary

Updated product name references from 'AppStream 2.0' to 'WorkSpaces Applications' throughout the document, including console references, API names, and documentation links. No functional changes to SAML configuration steps or security requirements were made.

Security assessment

The changes are purely branding updates with no modifications to security protocols, IAM policies, or authentication flows. All security-related instructions about SAML configuration, session duration, and principal tags remain unchanged except for product name substitutions.

Diff

diff --git a/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.md b/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.md
index 2f4338a05..12fcd8f1c 100644
--- a//appstream2/latest/developerguide/external-identity-providers-setting-up-saml.md
+++ b//appstream2/latest/developerguide/external-identity-providers-setting-up-saml.md
@@ -3 +3 @@
-[Documentation](/index.html)[Amazon AppStream 2.0](/appstream2/index.html)[Administration Guide](what-is-appstream.html)
+[Documentation](/index.html)[Amazon WorkSpaces Applications](/appstream2/index.html)[Administration Guide](what-is-appstream.html)
@@ -9 +9 @@ PrerequisitesStep 1: Create a SAML Identity Provider in AWS IAMStep 2: Create a
-To enable users to sign in to AppStream 2.0 by using their existing credentials, and start streaming applications, you can set up identity federation using SAML 2.0. To do this, use an IAM role and a relay state URL to configure your SAML 2.0-compliant identity provider (IdP) and enable AWS to permit your federated users to access an AppStream 2.0 stack. The IAM role grants users the permissions to access the stack. The relay state is the stack portal to which users are forwarded after successful authentication by AWS.
+To enable users to sign in to WorkSpaces Applications by using their existing credentials, and start streaming applications, you can set up identity federation using SAML 2.0. To do this, use an IAM role and a relay state URL to configure your SAML 2.0-compliant identity provider (IdP) and enable AWS to permit your federated users to access an WorkSpaces Applications stack. The IAM role grants users the permissions to access the stack. The relay state is the stack portal to which users are forwarded after successful authentication by AWS.
@@ -36 +36 @@ Complete the following prerequisites before configuring your SAML 2.0 connection
-     * Inside your organization's network, configure your identity store to work with a SAML-based IdP. For configuration resources, see [AppStream 2.0 Integration with SAML 2.0](./external-identity-providers-further-info.html).
+     * Inside your organization's network, configure your identity store to work with a SAML-based IdP. For configuration resources, see [WorkSpaces Applications Integration with SAML 2.0](./external-identity-providers-further-info.html).
@@ -40 +40 @@ Complete the following prerequisites before configuring your SAML 2.0 connection
-  2. Use the AppStream 2.0 management console to create an AppStream 2.0 stack. You need the stack name to create the IAM policy and to configure your IdP integration with AppStream 2.0, as described later in this topic.
+  2. Use the WorkSpaces Applications management console to create an WorkSpaces Applications stack. You need the stack name to create the IAM policy and to configure your IdP integration with WorkSpaces Applications, as described later in this topic.
@@ -42 +42 @@ Complete the following prerequisites before configuring your SAML 2.0 connection
-You can create an AppStream 2.0 stack by using the AppStream 2.0 management console, AWS CLI, or AppStream 2.0 API. For more information, see [Create an Amazon AppStream 2.0 Fleet and Stack](./set-up-stacks-fleets.html).
+You can create an WorkSpaces Applications stack by using the WorkSpaces Applications management console, AWS CLI, or WorkSpaces Applications API. For more information, see [Create an Amazon WorkSpaces Applications Fleet and Stack](./set-up-stacks-fleets.html).
@@ -130 +130 @@ Replace `IDENTITY-PROVIDER``` with the name of the SAML IdP you created in Step
-Next, embed an inline IAM policy for the role that you created. When you embed an inline policy, the permissions in that policy can't be accidentally attached to the wrong principal entity. The inline policy provides federated users with access to the AppStream 2.0 stack that you created.
+Next, embed an inline IAM policy for the role that you created. When you embed an inline policy, the permissions in that policy can't be accidentally attached to the wrong principal entity. The inline policy provides federated users with access to the WorkSpaces Applications stack that you created.
@@ -136 +136 @@ Next, embed an inline IAM policy for the role that you created. When you embed a
-  3. Copy and paste the following JSON policy into the JSON window. Then, modify the resource by entering your AWS Region Code, account ID, and stack name. In the following policy, `"Action": "appstream:Stream"` is the action that provides your AppStream 2.0 users with permissions to connect to streaming sessions on the stack that you created. 
+  3. Copy and paste the following JSON policy into the JSON window. Then, modify the resource by entering your AWS Region Code, account ID, and stack name. In the following policy, `"Action": "appstream:Stream"` is the action that provides your WorkSpaces Applications users with permissions to connect to streaming sessions on the stack that you created. 
@@ -161 +161 @@ JSON
-Replace `REGION-CODE` with the AWS Region where your AppStream 2.0 stack exists. Replace `STACK-NAME` with the name of the stack. `STACK-NAME` is case-sensitive, and must match the exact case and spelling as the stack name shown in the the **Stacks** dashboard of the AppStream 2.0 management console. 
+Replace `REGION-CODE` with the AWS Region where your WorkSpaces Applications stack exists. Replace `STACK-NAME` with the name of the stack. `STACK-NAME` is case-sensitive, and must match the exact case and spelling as the stack name shown in the the **Stacks** dashboard of the WorkSpaces Applications management console. 
@@ -190 +190 @@ If this information is not already configured in your IdP, provide the following
-For stacks with domain-joined fleets, the NameID value for the user must be provided in the format of "``domain`\username`" using the sAMAccountName or "`[email protected]`" using userPrincipalName. If you are using the sAMAccountName format, you can specify the ``domain`` by using either the NetBIOS name or the fully qualified domain name (FQDN). The sAMAccountName format is required for Active Directory one-way trust scenarios. For more information, see [Using Active Directory with AppStream 2.0](./active-directory.html).
+For stacks with domain-joined fleets, the NameID value for the user must be provided in the format of "``domain`\username`" using the sAMAccountName or "`[email protected]`" using userPrincipalName. If you are using the sAMAccountName format, you can specify the ``domain`` by using either the NetBIOS name or the fully qualified domain name (FQDN). The sAMAccountName format is required for Active Directory one-way trust scenarios. For more information, see [Using Active Directory with WorkSpaces Applications](./active-directory.html).
@@ -198 +198 @@ For stacks with domain-joined fleets, the NameID value for the user must be prov
-  * **`Attribute` element with the `Name` attribute set to https://aws.amazon.com/SAML/Attributes/PrincipalTag:SessionContext (optional)** – This element contains one `AttributeValue` element that provides parameters that can be used to pass session context parameters to your streaming applications. For more information, see [Session Context in Amazon AppStream 2.0](./managing-stacks-fleets-session-context.html).
+  * **`Attribute` element with the `Name` attribute set to https://aws.amazon.com/SAML/Attributes/PrincipalTag:SessionContext (optional)** – This element contains one `AttributeValue` element that provides parameters that can be used to pass session context parameters to your streaming applications. For more information, see [Session Context in Amazon WorkSpaces Applications](./managing-stacks-fleets-session-context.html).
@@ -210 +210 @@ Although `SessionDuration` is an optional attribute, we recommend that you inclu
-If your users access their streaming applications in AppStream 2.0 by using the AppStream 2.0 native client or using the web browser on the new experience, their sessions are disconnected after their session duration expires. If your users access their streaming applications in AppStream 2.0 by using a web browser on the old/classic experience, after the users' session duration expires and they refresh their browser page, their sessions are disconnected.
+If your users access their streaming applications in WorkSpaces Applications by using the WorkSpaces Applications native client or using the web browser on the new experience, their sessions are disconnected after their session duration expires. If your users access their streaming applications in WorkSpaces Applications by using a web browser on the old/classic experience, after the users' session duration expires and they refresh their browser page, their sessions are disconnected.
@@ -219 +219 @@ For more information about how to configure these elements, see [Configuring SAM
-Finally, use your IdP to configure the relay state of your federation to point to the AppStream 2.0 stack relay state URL. After successful authentication by AWS, the user is directed to the AppStream 2.0 stack portal, defined as the relay state in the SAML authentication response.
+Finally, use your IdP to configure the relay state of your federation to point to the WorkSpaces Applications stack relay state URL. After successful authentication by AWS, the user is directed to the WorkSpaces Applications stack portal, defined as the relay state in the SAML authentication response.
@@ -228 +228 @@ Construct your relay state URL from your Amazon Web Services account ID, stack n
-Optionally, you can specify the name of the application that you want to launch automatically. To find the application name, select the image in the AppStream 2.0 console, choose the **Applications** tab, and note the name that displays in the **Application Name** column. Alternatively, if you haven't yet created the image, connect to the image builder where you installed the application, and open Image Assistant. The names of applications display in the **Add Apps** tab.
+Optionally, you can specify the name of the application that you want to launch automatically. To find the application name, select the image in the WorkSpaces Applications console, choose the **Applications** tab, and note the name that displays in the **Application Name** column. Alternatively, if you haven't yet created the image, connect to the image builder where you installed the application, and open Image Assistant. The names of applications display in the **Add Apps** tab.
@@ -232 +232 @@ If your fleet is enabled for the **Desktop** stream view, you can also choose to
-With an identity provider (IdP) -initiated flow, in the system default browser, after users sign into the IdP and select the AppStream 2.0 application from the IdP user portal, they are redirected to an AppStream 2.0 sign-in page in the system default browser with the following options:
+With an identity provider (IdP) -initiated flow, in the system default browser, after users sign into the IdP and select the WorkSpaces Applications application from the IdP user portal, they are redirected to an WorkSpaces Applications sign-in page in the system default browser with the following options:
@@ -236 +236 @@ With an identity provider (IdP) -initiated flow, in the system default browser,
-  * **Open AppStream 2.0 client**
+  * **Open WorkSpaces Applications client**
@@ -241 +241 @@ With an identity provider (IdP) -initiated flow, in the system default browser,
-On the page, users can choose to start the session either in the browser, or with the AppStream 2.0 client application. Optionally, you can also specify which client should be used for a SAML 2.0 federation. To do this, specify either `native` or `web` at end of the relay state URL, after `&client=`. When the parameter is present in a relay state URL, the corresponding sessions will start in the specified client automatically, without users making the choice.
+On the page, users can choose to start the session either in the browser, or with the WorkSpaces Applications client application. Optionally, you can also specify which client should be used for a SAML 2.0 federation. To do this, specify either `native` or `web` at end of the relay state URL, after `&client=`. When the parameter is present in a relay state URL, the corresponding sessions will start in the specified client automatically, without users making the choice.
@@ -245 +245 @@ On the page, users can choose to start the session either in the browser, or wit
-This feature is only available if you use the new relay state region endpoints (in Table 1 below) to construct the relay state URL, and use the AppStream 2.0 client version 1.1.1300 and later. Also, users should always use their system default browser to sign into the IdP. The feature will not work if they use a non-default browser.
+This feature is only available if you use the new relay state region endpoints (in Table 1 below) to construct the relay state URL, and use the WorkSpaces Applications client version 1.1.1300 and later. Also, users should always use their system default browser to sign into the IdP. The feature will not work if they use a non-default browser.
@@ -252 +252 @@ With attribute-based application entitlements using a third-party SAML 2.0 ident
-When users federate to the AppStream 2.0 application catalog, they will be presented with all of the stacks where application entitlements have matched one or more applications to the user for the account ID and relay state endpoint associated with the Region in which your stacks are located. When a user selects a catalog, application entitlements will only display the applications the user is entitled to.
+When users federate to the WorkSpaces Applications application catalog, they will be presented with all of the stacks where application entitlements have matched one or more applications to the user for the account ID and relay state endpoint associated with the Region in which your stacks are located. When a user selects a catalog, application entitlements will only display the applications the user is entitled to.
@@ -260 +260 @@ For more information, see [Attribute-Based Application Entitlements Using a Thir
-Table 1 below lists the relay state endpoints for the Regions where AppStream 2.0 is available. The relay state endpoints in Table 1 are compatible with [AppStream 2.0 Web Browser Access (Version 2)](./web-browser-access-v2.html) and the Windows client application version 1.1.1300 and later. If you are using older versions of the Windows client, you should use the old relay state endpoints listed in Table 2 to configure your SAML 2.0 federation. If you want your users to stream using a FIPS-compliant connection, you must use a FIPS-compliant endpoint. For more information about FIPS endpoints, see [Protecting Data in Transit with FIPS Endpoints](./protecting-data-in-transit-FIPS-endpoints.html).
+Table 1 below lists the relay state endpoints for the Regions where WorkSpaces Applications is available. The relay state endpoints in Table 1 are compatible with [WorkSpaces Applications Web Browser Access (Version 2)](./web-browser-access-v2.html) and the Windows client application version 1.1.1300 and later. If you are using older versions of the Windows client, you should use the old relay state endpoints listed in Table 2 to configure your SAML 2.0 federation. If you want your users to stream using a FIPS-compliant connection, you must use a FIPS-compliant endpoint. For more information about FIPS endpoints, see [Protecting Data in Transit with FIPS Endpoints](./protecting-data-in-transit-FIPS-endpoints.html).
@@ -262 +262 @@ Table 1 below lists the relay state endpoints for the Regions where AppStream 2.
-Table 1: AppStream 2.0 relay state region endpoints (Recommended) Region | Relay state endpoint  
+Table 1: WorkSpaces Applications relay state region endpoints (Recommended) Region | Relay state endpoint  
@@ -281 +281 @@ AWS GovCloud (US-East) |  `https://appstream2.euc-sso.us-gov-east-1.amazonaws-us
-For more information about using AppStream 2.0 in AWS GovCloud (US) Regions, see [Amazon AppStream 2.0](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
+For more information about using WorkSpaces Applications in AWS GovCloud (US) Regions, see [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
@@ -286 +286 @@ AWS GovCloud (US-West) |  `https://appstream2.euc-sso.us-gov-west-1.amazonaws-us
-For more information about using AppStream 2.0 in AWS GovCloud (US) Regions, see [Amazon AppStream 2.0](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
+For more information about using WorkSpaces Applications in AWS GovCloud (US) Regions, see [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
@@ -289 +289 @@ South America (São Paulo) | `https://appstream2.euc-sso.sa-east-1.aws.amazon.co
-Table 2 below lists the old relay state endpoints that are still available. However, it is recommended that you use the new relay state endpoints listed in Table 1 to configure your SAML 2.0 federations. In particular, with the new relay state endpoints, you can enable your users to launch the AppStream 2.0 client application (version 1.1.1300 and later) from IdP-initiated streaming sessions. The new relay state endpoints in Table 1 also allow users to sign into other AWS applications in different tabs of the same web browser, without impacting the ongoing AppStream 2.0 streaming session. The old relay state endpoints in Table 2 do not support this. For more information, see [My AppStream 2.0 client users are getting disconnected from their AppStream 2.0 session after every 60 minutes.](./troubleshooting-user-issues.html#troubleshooting-client-users-disconnected-every-60-minutes)
+Table 2 below lists the old relay state endpoints that are still available. However, it is recommended that you use the new relay state endpoints listed in Table 1 to configure your SAML 2.0 federations. In particular, with the new relay state endpoints, you can enable your users to launch the WorkSpaces Applications client application (version 1.1.1300 and later) from IdP-initiated streaming sessions. The new relay state endpoints in Table 1 also allow users to sign into other AWS applications in different tabs of the same web browser, without impacting the ongoing WorkSpaces Applications streaming session. The old relay state endpoints in Table 2 do not support this. For more information, see [My WorkSpaces Applications client users are getting disconnected from their WorkSpaces Applications session after every 60 minutes.](./troubleshooting-user-issues.html#troubleshooting-client-users-disconnected-every-60-minutes)
@@ -291 +291 @@ Table 2 below lists the old relay state endpoints that are still available. Howe
-Table 2: Old AppStream 2.0 relay state region endpoints (Not recommended) Region | Relay state endpoint  
+Table 2: Old WorkSpaces Applications relay state region endpoints (Not recommended) Region | Relay state endpoint  
@@ -309 +309 @@ AWS GovCloud (US-East) |  `https://appstream2.us-gov-east-1.amazonaws-us-gov.com
-For more information about using AppStream 2.0 in AWS GovCloud (US) Regions, see [Amazon AppStream 2.0](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
+For more information about using WorkSpaces Applications in AWS GovCloud (US) Regions, see [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
@@ -314 +314 @@ AWS GovCloud (US-West) |  `https://appstream2.us-gov-west-1.amazonaws-us-gov.com
-For more information about using AppStream 2.0 in AWS GovCloud (US) Regions, see [Amazon AppStream 2.0](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
+For more information about using WorkSpaces Applications in AWS GovCloud (US) Regions, see [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-appstream2.html) in the _AWS GovCloud (US) User Guide_.  
@@ -334 +334 @@ Example Authentication Workflow
-AppStream 2.0 Integration with SAML 2.0
+WorkSpaces Applications Integration with SAML 2.0