Enable extension for single sign-on (optional) - Amazon WorkSpaces Secure Browser

Enable extension for single sign-on (optional)

You can enable an extension for your end users to have a better portal sign-on experience. For example, if you use Okta as your portal’s SAML 2.0 identity provider (IdP), and you also use it as the IdP for the websites you want users to visit during a session, you can pass the Okta sign-in cookie to the session with the extension. Afterwards, when users visit a website that requires the Okta domain cookie, they can access the website without having to sign in during the session.

The extension is supported in Chrome and Firefox browsers. The extension enables cookie synchronization for the allowed domains from the user's sign-in to the session. The extension does not require the user to sign in, and it works behind the scenes to enable cookie synchronization without requiring the user to take any actions after installation. No data is stored by the extension.

Users are prompted to install the extension when they sign into a portal.

By default, extensions are not enabled in Chrome in Incognito windows or Firefox Private Browsing windows. Users can enable them manually. For more information about Chrome, see Extensions in Incognito mode. For more information about Firefox, see Extensions in Private Browsing.

You can allow the extension by updating a portal's existing user settings configuration, or when creating a web portal for the first time. First, determine which domains you need for your SAML IdP and websites. You can add up to 10 domains.

You are responsible for testing and identifying the appropriate domain for the cookies to be synchronized. Changes might be required at the IdP or website authentication level to ensure single sign-on works as expected.

To see which domains to use with the most common IdPs, refer to the following table:

IdP and domains

| IdP | Domain |
|---|---|
| Okta | okta.com |
| Entra ID | microsoftonline.com |
| AWS Identity Center | awsapps.com |
| One Login | onelogin.com |
| Duo | duosecurity.com |
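A pre-flight check for a planned domain list before it is entered in the console, as an added example that is not part of the AWS documentation. It enforces the 10-domain limit stated above and rejects entries that are URLs or wildcards rather than bare domains; the function name, the hostname rule and the `{"domain": ...}` entry shape are assumptions of this example.

```python
import re

MAX_DOMAINS = 10  # limit stated on this page

# Constructed rule for this example: a plain hostname, optional leading dot.
_HOST = re.compile(r"^\.?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_allowlist(domains):
    """Return (allowlist, notes) for a planned cookie-synchronization list.

    Raises ValueError for entries that are not bare domains, or if the list
    is longer than MAX_DOMAINS after duplicates are dropped.
    """
    cleaned, notes = [], []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if "://" in d or "/" in d or "*" in d or not _HOST.match(d):
            raise ValueError(f"not a bare domain: {raw!r}")
        if d in cleaned:
            notes.append(f"duplicate dropped: {d}")
            continue
        cleaned.append(d)
    # Report entries that are subdomains of another entry, so the reviewer
    # can decide which scope is actually intended for synchronization.
    for d in cleaned:
        for parent in cleaned:
            if d != parent and d.lstrip(".").endswith("." + parent.lstrip(".")):
                notes.append(f"{d} is a subdomain of {parent}")
    if len(cleaned) > MAX_DOMAINS:
        raise ValueError(f"{len(cleaned)} domains; the limit is {MAX_DOMAINS}")
    return [{"domain": d} for d in cleaned], notes


if __name__ == "__main__":
    # Constructed input: two IdP domains from the table above plus a
    # hypothetical tenant hostname.
    planned = ["okta.com", "Okta.com ", "example-tenant.okta.com",
               "microsoftonline.com"]
    allowlist, notes = build_allowlist(planned)
    print(allowlist)
    print(notes)
```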

Next, visit your web portal in the console. Then, allow the extension and add the domains whose cookies should be synchronized. Follow the steps below to create a new portal with the extension allowed, or to update an existing portal.

To allow the extension when creating a new web portal, follow these steps:

  1. Follow the steps in Step 1: Create a web portal until you get to Configure user settings.

  2. For step 1 of Configure user settings, under User permissions, choose Allowed to enable the extension for your web portal.

  3. Enter the domain for cookie synchronization, and choose Add new domain.

  4. Complete the steps in Configure user settings and the remaining sections in Step 1: Create a web portal to create your web portal.

To add the extension to an existing web portal, follow these steps:

  1. Open the WorkSpaces Secure Browser console at https://console.aws.amazon.com/workspaces-web/home.

  2. Select the web portal to edit.

  3. Choose User settings, Users permissions, and Allowed to enable the extension for your web portal.

  4. Enter the domain for cookie synchronization, and choose Add new domain.

  5. Save your portal changes. The portal will prompt users to install the extension within 15 minutes.

To edit domains or remove the extension, follow these steps:

  1. Open the WorkSpaces Secure Browser console at https://console.aws.amazon.com/workspaces-web/home.

  2. Select the web portal to edit.

  3. Choose User settings, Users permissions, and Not allowed to remove the extension for your web portal.

  4. Remove or edit individual domains.

  5. Once removed, sessions will no longer synchronize cookies, even if the user has the WorkSpaces Secure Browser extension installed in their browser.

For details about the user experience with the extension, see Extension for single sign-on.