java, aws-appstream

How do I get the current user from within an AWS AppStream?


I'm prototyping deployment of an application via AWS AppStream. Access to the stream is managed via a web portal (using SAML). My application needs to know the identity of the user. I could prompt them but I don't want to make them log in to both the portal and the application. I want to get the credentials they supplied at the portal. (AppStream instances run under the "PhotonUser" account, so I can't get the username from the OS.)

The AWS SDK has a Session class which contains the user ID but I can't find a way to get an instance of it for the current streaming session.


Solution

  • Have the portal pass a token identifying the user into the AppStream as session context. The token can be anything you want (subject to an unenforced 1024 byte limit) but should probably include a timestamp so that it can be expired and a signature to ensure that it hasn't been forged or tampered with.

    Modify your portal to create a custom URL for each user via the CreateStreamingURL API to supply the token as session context. The application in your AppStream will see the session context as a command-line argument. Parse and validate the token (i.e. check it for expiration and verify the signature).
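
One way to build and check such a token, as an added example that is not part of the original answer. The token layout (`base64url(userId).issuedAt.base64url(HMAC-SHA256)`), the class and method names, the validity window and the shared key are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical helper; token layout and names are assumptions, not an AWS format.
public class SessionContextToken {
    private static final long MAX_AGE_SECONDS = 120;  // assumed validity window
    private static final long MAX_SKEW_SECONDS = 30;  // tolerated clock drift
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Portal side: the result is passed as the session context of the streaming URL.
    public static String issue(byte[] key, String userId, Instant now) throws Exception {
        String payload = B64.encodeToString(userId.getBytes(StandardCharsets.UTF_8)) + "." + now.getEpochSecond();
        return payload + "." + B64.encodeToString(hmac(key, payload));
    }

    // Application side: returns the user ID, or throws if forged, altered, or expired.
    public static String verify(byte[] key, String token, Instant now) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (token.length() > 1024 || parts.length != 3) throw new SecurityException("malformed token");
        byte[] given;
        long issuedAt;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
            issuedAt = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) { throw new SecurityException("malformed token"); }
        // Verify the signature in constant time before acting on any field.
        if (!MessageDigest.isEqual(hmac(key, parts[0] + "." + parts[1]), given))
            throw new SecurityException("bad signature");
        long age = now.getEpochSecond() - issuedAt;
        if (age > MAX_AGE_SECONDS || age < -MAX_SKEW_SECONDS) throw new SecurityException("expired");
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        String token = issue(key, "alice@example.com", Instant.now()); // constructed sample user
        System.out.println(verify(key, token, Instant.now()));
    }
}
```

With a shared HMAC key, the streaming instance holds a key that can also mint tokens; signing at the portal with a private key and verifying in the application with the public key avoids that.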