How do I set up SAML 2.0-based authentication for my Amazon Connect instance using AWS IAM Identity Center?
I want to set up SAML 2.0-based authentication for my Amazon Connect instance using AWS Identity and Access Management (IAM) Identity Center (successor to AWS Single Sign-On).
Short description
To set up SAML 2.0-based authentication for your Amazon Connect instance, do the following:
- Create an Amazon Connect instance that uses SAML 2.0-based authentication.
- Create an IAM Identity Center cloud application to connect to your Amazon Connect instance.
- Create an AWS Identity and Access Management (IAM) identity provider (IdP)
- Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action.
- Create an IAM role that grants federated users access to your Amazon Connect instance.
- Map your Amazon Connect instance's user attributes to IAM Identity Center attributes.
- Create users in IAM Identity Center and assign them to your IAM Identity Center cloud application.
- Test your setup by logging in to Amazon Connect using your IdP and one of the IAM Identity Center user credentials that you created.
Important: Make sure that you follow these steps in the same AWS Region that your Amazon Connect instance is in.
Resolution
Create an Amazon Connect instance that uses SAML 2.0-based authentication
Follow the instructions in Create an Amazon Connect instance. When you configure the instance, make sure that you do the following:
- When configuring identity management for your instance, choose SAML 2.0-based authentication.
- When specifying the administrator for your instance, select Add a new admin. Then, provide a name for the user account in Amazon Connect.
Note: The password for this user is managed through your IdP. - When configuring telephony options for your instance, accept the default options.
- When configuring the data storage settings for your instance, accept the default options.
Create an IAM Identity Center cloud application to connect to your Amazon Connect instance
Follow the instructions in Add and configure a cloud application in the IAM Identity Center user guide. When you configure your cloud application, make sure that you do the following:
- Choose Amazon Connect as the cloud application's service provider.
- Under IAM Identity Center metadata, download the IAM Identity Center and the IAM Identity Center Certificate.
Note: You need these files to set up an IAM IdP. If you use an IdP other than IAM Identity Center, you must get the SAML metadata files from that IdP. - Under Application properties, accept the default Relay state.
Create an IAM IdP
Follow the instructions in Creating and managing an IAM identity provider (console). When you create the IdP, make sure that you do the following:
- For Provider name, enter ConnectIAM Identity Center.
- For Metadata document, choose the IAM Identity Center SAML metadata file that you downloaded in the previous step.
Important: Note the Amazon Resource Name (ARN) of the IdP. You need it to map your Amazon Connect instance's user attributes to IAM Identity Center attributes.
Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action
Use the following JSON template to create an IAM policy named ConnectIAM-Identity-Center-Policy. Replace <connect instance ARN> with your Amazon Connect instance's ARN.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": "connect:GetFederationToken", "Resource": [ "<connect instance ARN>/user/${aws:userid}" ] } ] }
For more information, see Creating IAM policies and GetFederationToken.
Create an IAM role that grants federated users access to your Amazon Connect instance
Follow the instructions in Creating a role for SAML in the AWS IAM user guide. When you create the IAM role, make sure that you do the following:
- For SAML provider, enter ConnectIAM Identity Center.
- Choose Allow programmatic and AWS Management Console access.
- For Policy, choose the ConnectIAM-Identity-Center-Policy that you created in the previous step.
- For Role name, enter ConnectIAM-Identity-Center.
Important: Make note of the IAM role's ARN. You need it to map your Amazon Connect instance's user attributes to IAM Identity Center attributes.
Map your Amazon Connect instance's user attributes to IAM Identity Center attributes
Follow the instructions in Map attributes in your application to IAM Identity Center attributes. When you map your attributes, make sure that add the following attributes and values. Replace <IAM role ARN> with your IAM role's ARN. Replace <IAM IdP ARN> with your IAM IdP's ARN.
- Attribute: Subject Value: ${user:email}
- Attribute: https://aws.amazon.com/SAML/Attributes/RoleSessionName Value: ${user:email}
- Attribute: https://aws.amazon.com/SAML/Attributes/Role Value: <IAM role ARN>,<IAM IdP ARN>
For more information, see Attribute mappings.
Create users in IAM Identity Center and assign them to your IAM Identity Center cloud application
Follow the instructions in Manage identities in IAM Identity Center.
Test your setup by logging in to Amazon Connect using your IdP and one of the IAM Identity Center user credentials that you created
Follow the instructions in Signing in to the AWS access portal in the IAM Identity Center user guide.
Related information
Troubleshoot SAML with Amazon Connect
Configure IAM Identity Center using Microsoft Azure Active Directory for Amazon Connect
This guide only shows how to use SAML 2.0-based authentication for a brand new Amazon Connect instance. Is it possible to add SAML 2.0-based authentication for an existing instance?
Contenuto pertinente
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata 2 anni fa