Enabling Federation with AWS Single Sign-On and Amazon Connect

Standing up a SAML 2.0-compliant identity provider for your contact center can be a significant project if you don't already have one. Amazon Connect supports SAML 2.0-compliant identity providers (IdPs) for single sign-on (SSO), and AWS Single Sign-On (AWS SSO) gives you a managed IdP that centralizes SSO access across AWS accounts and business applications. With AWS SSO, you manage user permissions and SSO access for all the accounts in your AWS Organizations organization from one place.

In this article, I will guide you through the steps required to enable SAML 2.0 federation with AWS SSO and Amazon Connect, simplifying the SSO experience with Amazon Connect.

Solution Overview

Here’s a summary of the steps you will follow:

  1. Create an Amazon Connect instance that uses SAML 2.0-based authentication.
  2. Set up an AWS SSO application to connect with the Amazon Connect instance.
  3. Create an IAM identity provider, IAM policy, and IAM role.
  4. Complete the configuration of the AWS SSO application.
  5. Add users and import them into Amazon Connect.
  6. Test the SSO functionality using AWS SSO with Amazon Connect.

Prerequisites

Before you proceed with this guide, ensure that you have completed the following:

  • Meet the AWS SSO prerequisites.
  • Enable AWS SSO. For further details, refer to How to create and manage users within AWS Single Sign-On.
  • Connect an AWS SSO directory. For this guide, I utilized an AWS Managed Microsoft AD directory in the us-east-1 Region (N. Virginia).
  • Familiarize yourself with Amazon Connect.

For the examples discussed here, I will reference the us-east-1 Region.

Step 1: Create an Amazon Connect Instance with SAML 2.0-Based Authentication

In the Amazon Connect console, create a new Amazon Connect instance. For more details, see Configure SAML for Identity Management in Amazon Connect. Accept the default options except for the following:

  • Admin account—Name it Connect-Admin.
  • Telephony options—Select both incoming and outgoing call options.

You can modify your instance settings later if needed.

Step 2: Create an AWS SSO Application to Connect with the Amazon Connect Instance

In the AWS SSO console, create a new application for Amazon Connect. Accept the default values except for:

  • For Relay state, provide a relay state URL:
    https://region-id.console.aws.amazon.com/connect/federate/instance-id

For this guide, the Amazon Connect console is the destination. You can instead point Relay state at a Contact Control Panel (CCP) link so agents land directly in the CCP after login; see Use a Destination in Your Relay State URL. The Region ID and the instance ID are both part of the Amazon Connect instance ARN. Note the ARN; you will need it again in Step 3.

You need the AWS SSO metadata to create the IAM identity provider in the next step. On the Configuration tab, under AWS SSO metadata, choose Download metadata file and save it locally. The metadata carries the AWS SSO signing certificate and endpoints, which is how IAM will later verify that the SAML 2.0 assertions presented for Amazon Connect were issued by this AWS SSO instance for users of the connected directory.

Step 3: Create an IAM Identity Provider, IAM Policy, and IAM Role

To federate users, you need to establish an IAM IdP, IAM policy, and IAM role. The IAM identity provider configures AWS SSO as an IdP for SAML 2.0 federation. The IAM policy and role enable directory users to assume an IAM role and access an Amazon Connect instance.

In the IAM console, create a new identity provider with provider type SAML. Name it Connect-SSO, or another name of up to 128 characters drawn from letters, digits and the characters . _ -. Upload the AWS SSO application metadata file you downloaded in Step 2.

Switch to the JSON view and create an IAM policy from the following template. Name it Connect-SSO-Policy and replace <connect instance ARN> with your Amazon Connect instance ARN. connect:GetFederationToken lets a federated session obtain the token Amazon Connect uses to sign the agent in. The ${aws:userid} policy variable in the Resource is what keeps the policy least-privilege: it resolves to the caller's own session identity, so every agent can share this one policy while each is allowed to federate only as their own Amazon Connect user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [
                "<connect instance ARN>/user/${aws:userid}"
            ]
        }
    ]
}

Next, establish an IAM role for federated users to access the newly created Amazon Connect instance. This is the role that users will assume. For more guidance, see Configure SAML for Identity Management in Amazon Connect. Accept the default options except for:

  • For SAML provider, enter Connect-SSO.
  • Choose Allow programmatic and AWS Management Console access.
  • For Policy, select Connect-SSO-Policy.
  • For Name, enter Connect-SSO.

Make a note of the IAM role ARN; you will need it in the AWS SSO application configuration. With the example account ID used below, it looks like this:
arn:aws:iam::123456789012:role/Connect-SSO

Step 4: Finalize the AWS SSO Application Configuration

Now, wrap up the AWS SSO application setup by mapping attribute values. Add these attributes and their values:

  • Attribute: Subject
    Value: ${user:email}
  • Attribute: https://aws.amazon.com/SAML/Attributes/RoleSessionName
    Value: ${user:email}
  • Attribute: https://aws.amazon.com/SAML/Attributes/Role
    Value: <role ARN>,<IdP ARN>
    Example: arn:aws:iam::123456789012:role/Connect-SSO,arn:aws:iam::123456789012:saml-provider/Connect-SSO

In this article, the user's email attribute serves both as the RoleSessionName and as the Amazon Connect login name; Amazon Connect looks up the agent by that session name, so the two must agree exactly. By default, ${user:email} in AWS SSO maps to ${dir:windowsUpn} in the connected directory. For more information, see Attribute Mappings.

Next, assign users or groups to the application.

Step 5: Add Users to Amazon Connect

After configuring the AWS SSO application, add the corresponding users in Amazon Connect. Each login name must match the user's Windows user principal name, which is the value AWS SSO sends as RoleSessionName. The login name is case-sensitive, so a mismatch in case alone will cause federation to fail for that user. For example:

  • First name: Connect
  • Last name: SSO
  • Login name: connect-sso@connect.local
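To make the values in Steps 2 through 5 concrete, here is an added Python example that is not part of the original post. It derives the relay state URL from an Amazon Connect instance ARN, emits the permission policy from Step 3 and the trust policy the IAM console generates for a SAML 2.0 role, builds the Role attribute value from Step 4, and performs the exact-match login-name check from Step 5. The account ID 123456789012, the instance ID and the ARNs are constructed sample values, and the optional CCP destination path follows the format described in Use a Destination in Your Relay State URL.

```python
"""Added example (not from the original post): derive the AWS SSO + Amazon Connect
federation settings from an instance ARN and check the consistency rules the
steps above depend on. Uses only the standard library; all ARNs are samples."""
import json
import re
import urllib.parse

# Amazon Connect instance ARN format: arn:aws:connect:<region>:<account>:instance/<uuid>
CONNECT_ARN_RE = re.compile(
    r"^arn:aws:connect:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":instance/(?P<instance_id>[0-9a-f-]{36})$"
)
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample values (not a real account or instance).
INSTANCE_ARN = "arn:aws:connect:us-east-1:123456789012:instance/11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:iam::123456789012:role/Connect-SSO"
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/Connect-SSO"


def parse_connect_arn(arn):
    """Split an Amazon Connect instance ARN into region, account and instance ID."""
    match = CONNECT_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an Amazon Connect instance ARN: {arn}")
    return match.groupdict()


def relay_state_url(instance_arn, destination=None):
    """Step 2: relay state URL. Region and instance ID both come from the ARN.
    destination is an optional Connect path such as /connect/ccp-v2 (CCP link)."""
    parts = parse_connect_arn(instance_arn)
    url = f"https://{parts['region']}.console.aws.amazon.com/connect/federate/{parts['instance_id']}"
    if destination:
        url += "?destination=" + urllib.parse.quote(destination, safe="")
    return url


def federation_policy(instance_arn):
    """Step 3: identity-based policy. ${aws:userid} scopes each session to its own
    Connect user, so one policy serves every agent without over-granting."""
    parse_connect_arn(instance_arn)  # fail early on a malformed ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [f"{instance_arn}/user/${{aws:userid}}"],
        }],
    }


def trust_policy(saml_provider_arn):
    """Step 3: trust policy for the Connect-SSO role. Only assertions issued to the
    AWS sign-in audience by the named SAML provider may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_pair_problems(role_arn, saml_provider_arn):
    """Sanity checks for the Role attribute pair; returns a list of problems."""
    problems = []
    if role_arn.split(":")[4] != saml_provider_arn.split(":")[4]:
        problems.append("role and SAML provider ARNs are in different accounts")
    if not saml_provider_arn.split(":")[5].startswith("saml-provider/"):
        problems.append("second ARN must be the saml-provider ARN, not a role")
    if not role_arn.split(":")[5].startswith("role/"):
        problems.append("first ARN must be the role ARN")
    return problems


def role_attribute_value(role_arn, saml_provider_arn):
    """Step 4: value for https://aws.amazon.com/SAML/Attributes/Role, '<role ARN>,<IdP ARN>'."""
    problems = role_pair_problems(role_arn, saml_provider_arn)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{role_arn},{saml_provider_arn}"


def login_name_matches(connect_login_name, role_session_name):
    """Step 5: Connect looks the agent up by RoleSessionName; the match is exact and case-sensitive."""
    return connect_login_name == role_session_name


if __name__ == "__main__":
    print(relay_state_url(INSTANCE_ARN, "/connect/ccp-v2"))
    print(json.dumps(federation_policy(INSTANCE_ARN), indent=2))
    print(json.dumps(trust_policy(IDP_ARN), indent=2))
    print(role_attribute_value(ROLE_ARN, IDP_ARN))
    print(login_name_matches("connect-sso@connect.local", "Connect-SSO@connect.local"))
```

Run it to print the relay state URL with a CCP destination, both policy documents and the Role attribute value; the final line prints False, showing that a case difference between the Connect login name and the UPN sent as RoleSessionName is enough to break the login.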

Step 6: Test SSO Using AWS SSO with Amazon Connect

This is the final step of the guide. You can now log in to AWS SSO and test access to the Amazon Connect portal through SAML 2.0–based SSO. Log in using the credentials of a user you have assigned to the Amazon Connect application in AWS SSO.

Summary

Congratulations! You have logged into the newly created Amazon Connect instance using AWS SSO and SAML 2.0 federation. You can now add more users to the directory registered with AWS SSO and assign them to the Amazon Connect application. Because AWS SSO is a managed service, there are no Amazon EC2 instances or IdP servers of your own to patch and operate, which makes onboarding agents to Amazon Connect straightforward.
