Workspaces SSO sign on causes client to say its out of date?

0

I am trying to get DUO SSO to work with AWS workspaces. I have followed the AWS Guide "Amazon WorkSpaces SAML Authentication Implementation Guide" When we have the user sign into duo SSO and click the AWS WORKSPACES tile. It asks for duo code. Passes the code to AWS and the client says "Click to proceed to login" it passes it back to duo and verifies again but when the client goes to sign in again you see the cricle processing icon and then it says

"The current version of the Amazon WorkSpaces Windows client you are using is no longer supported. In order to continue and access the latest features and improvements, download and install the latest Amazon WorkSpaces Windows client version from the download website below or contact your administrator."

The client is 100% the newest client. I downloaded it again after this to try again and it any time you use the SSO it says client is out of date but if you use the client direct it works fine. IS there any way i can figure out what is causing this? I have no logs and no google results to go off.

Thanks everyone!

UPDATE TO QUESTION:

I am using "Managed AD" not simple AD. I have MFA with DUO working. But not SSO. So we have MFA already running but we want to give the option for SSO.

Workspaces with DUO mfa : Works fine no issues Workspaces with DUO sso: Fails with client out of date message (it's not)

I used the AWS SAML Workspaces guide.

This is how the flow goes:

  • Sign into duo security with the credentials for the workspaces which is synced by DUO AD Sync to AWS Managed AD (workspaces directory)
  • User logs in to the DUO CENTRAL after a push notification
  • User is in duo central and can click the AWS workspaces application tile we made.
  • Another duo push is made and it logs into aws, relay state opens and asks to open workspaces client.
  • Workspaces client opens up and says "Click here to sign into your workspace"
  • Clicking the link goes back to duo security another push is done
  • Link says " sending you back to client to log in"
  • Workspaces starts signing in a just straight away errors out with "The current version of the Amazon WorkSpaces Windows client you are using is no longer supported.In order to continue and access the latest features and improvements, download and install the latest Amazon WorkSpaces Windows client version from the download website below or contact your administrator."

The client is the latest version of the client and you can manually login with the duo mfa method. When you use SSO to sign in it errors out with the client version error. If you try to sign in a second time the username path is filled in with some kind of token string but you can not interact. So it might be a AWS issue?

techq
preguntada hace 3 meses133 visualizaciones
1 Respuesta
0

Hi there!

If you're facing issues with AWS WorkSpaces and Duo SSO, it might be due to using AWS Simple AD, which I'm assuming based on your description. Simple AD doesn't support multifactor authentication (MFA), essential for Duo integration.

Switching to an AD Connector could solve this. It connects your on-premises Active Directory with AWS, allowing MFA with Duo. This setup involves primary authentication through AWS, followed by secondary authentication with Duo, ensuring secure access to WorkSpaces.

Also you can check this guideline from duo to integrates duo with AWS WorkSpaces: https://duo.com/docs/awsworkspaces#prerequisites

If this resolves the issue, please let me know. If not, also inform me so we can continue to explore other solutions together.

profile picture
EXPERTO
respondido hace 3 meses
  • Unfortunelty not. DUO MFA is working and we are using managed AD. I have updated the question with more information. Thank you!

  • On February 28, a new release for Amazon WorkSpaces was rolled out. Could you please attempt to download your Amazon WorkSpaces again? Here's the link to the release notes for your convenience: Amazon WorkSpaces Windows Client Release Notes. It's worth noting that this update includes the integration of WebAuthn support for in-session authentication, which might be instrumental in successfully setting up DUO SSO with AWS WorkSpaces using Managed AD.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas