How do I set up SAML 2.0-based authentication for my Amazon Connect instance using AWS IAM Identity Center?


I want to set up SAML 2.0-based authentication for my Amazon Connect instance using AWS Identity and Access Management (IAM) Identity Center (successor to AWS Single Sign-On).

Short description

To set up SAML 2.0-based authentication for your Amazon Connect instance, do the following:

  1. Create an Amazon Connect instance that uses SAML 2.0-based authentication.
  2. Create an IAM Identity Center cloud application to connect to your Amazon Connect instance.
  3. Create an AWS Identity and Access Management (IAM) identity provider (IdP).
  4. Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action.
  5. Create an IAM role that grants federated users access to your Amazon Connect instance.
  6. Map your Amazon Connect instance's user attributes to IAM Identity Center attributes.
  7. Create users in IAM Identity Center and assign them to your IAM Identity Center cloud application.
  8. Test your setup by logging in to Amazon Connect using your IdP and one of the IAM Identity Center user credentials that you created.

Important: Make sure that you follow these steps in the same AWS Region that your Amazon Connect instance is in.

Resolution

Create an Amazon Connect instance that uses SAML 2.0-based authentication

Follow the instructions in Create an Amazon Connect instance. When you configure the instance, make sure that you do the following:

Create an IAM Identity Center cloud application to connect to your Amazon Connect instance

Follow the instructions in Add and configure a cloud application in the IAM Identity Center user guide. When you configure your cloud application, make sure that you do the following:

  • Choose Amazon Connect as the cloud application's service provider.
  • Under IAM Identity Center metadata, download the IAM Identity Center SAML metadata file and the IAM Identity Center Certificate.
    Note: You need these files to set up an IAM IdP. If you use an IdP other than IAM Identity Center, you must get the SAML metadata files from that IdP.
  • Under Application properties, accept the default Relay state.

Create an IAM IdP

Follow the instructions in Creating and managing an IAM identity provider (console). When you create the IdP, make sure that you do the following:

  • For Provider name, enter ConnectIAM Identity Center.
  • For Metadata document, choose the IAM Identity Center SAML metadata file that you downloaded in the previous step.

Important: Note the Amazon Resource Name (ARN) of the IdP. You need it to map your Amazon Connect instance's user attributes to IAM Identity Center attributes.

Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action

Use the following JSON template to create an IAM policy named ConnectIAM-Identity-Center-Policy. Replace <connect instance ARN> with your Amazon Connect instance's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": "connect:GetFederationToken",
      "Resource": [
        "<connect instance ARN>/user/${aws:userid}"
      ]
    }
  ]
}

For more information, see Creating IAM policies and GetFederationToken.

Create an IAM role that grants federated users access to your Amazon Connect instance

Follow the instructions in Creating a role for SAML in the AWS IAM user guide. When you create the IAM role, make sure that you do the following:

  • For SAML provider, enter ConnectIAM Identity Center.
  • Choose Allow programmatic and AWS Management Console access.
  • For Policy, choose the ConnectIAM-Identity-Center-Policy that you created in the previous step.
  • For Role name, enter ConnectIAM-Identity-Center.

Important: Make note of the IAM role's ARN. You need it to map your Amazon Connect instance's user attributes to IAM Identity Center attributes.

Map your Amazon Connect instance's user attributes to IAM Identity Center attributes

Follow the instructions in Map attributes in your application to IAM Identity Center attributes. When you map your attributes, make sure that you add the following attributes and values. Replace <IAM role ARN> with your IAM role's ARN. Replace <IAM IdP ARN> with your IAM IdP's ARN.

  • Attribute: Subject
    Value: ${user:email}
  • Attribute: https://aws.amazon.com/SAML/Attributes/RoleSessionName
    Value: ${user:email}
  • Attribute: https://aws.amazon.com/SAML/Attributes/Role
    Value: <IAM role ARN>,<IAM IdP ARN>

For more information, see Attribute mappings.
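The policy, role and attribute-mapping steps above all hinge on a few JSON documents and one comma-separated attribute value that are easy to get subtly wrong (swapped ARNs in the Role attribute, a role and IdP from different accounts, a GetFederationToken resource that is not scoped to the caller's own user). The following script is an added example, not AWS's own code or part of this article: it generates the permission policy from the article, the SAML trust policy that the "SAML 2.0 federation" role type produces, and the three attribute mappings, and then checks them. All ARNs, the account ID, the instance ID and the IdP name ConnectIAMIdentityCenter are constructed placeholders; substitute your own values before using the output.

```python
"""Generate and sanity-check the IAM artifacts for Amazon Connect SAML federation.

Added example, not AWS code. Every ARN and ID below is a constructed placeholder.
"""
import json
import re

# Constructed placeholders; replace with your account, Region, instance and names.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"
INSTANCE_ARN = f"arn:aws:connect:{REGION}:{ACCOUNT_ID}:instance/{INSTANCE_ID}"
IDP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ConnectIAMIdentityCenter"  # hypothetical IdP name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ConnectIAM-Identity-Center"

# Audience AWS expects in a SAML assertion used for AWS sign-in federation.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM ARNs have an empty Region field, so the Region group may be empty.
ARN_RE = re.compile(
    r"^arn:aws:(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):(?P<account>\d{12}):(?P<resource>.+)$"
)


def parse_arn(arn: str) -> dict:
    """Split an ARN into its fields; raise ValueError if it is not well formed."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid ARN: {arn}")
    return m.groupdict()


def federation_policy(instance_arn: str) -> dict:
    """Permission policy from the article: GetFederationToken only for the caller's own user."""
    parse_arn(instance_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [f"{instance_arn}/user/${{aws:userid}}"],
        }],
    }


def saml_trust_policy(idp_arn: str) -> dict:
    """Trust policy for the role: only assertions issued by this IdP for the AWS
    sign-in audience may assume it via sts:AssumeRoleWithSAML."""
    parse_arn(idp_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": idp_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def attribute_mappings(role_arn: str, idp_arn: str) -> dict:
    """The three IAM Identity Center attribute mappings listed in the article."""
    return {
        "Subject": "${user:email}",
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": "${user:email}",
        "https://aws.amazon.com/SAML/Attributes/Role": f"{role_arn},{idp_arn}",
    }


def check_role_attribute(value: str) -> list:
    """Return a list of problems with a Role attribute value (empty list = looks right).
    AWS expects exactly 'role ARN,IdP ARN', in that order, from the same account."""
    parts = value.split(",")
    if len(parts) != 2:
        return ["Role attribute must contain exactly one comma: role ARN,IdP ARN"]
    try:
        role, idp = (parse_arn(p.strip()) for p in parts)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not role["resource"].startswith("role/"):
        problems.append("first ARN must be the IAM role")
    if not idp["resource"].startswith("saml-provider/"):
        problems.append("second ARN must be the IAM SAML provider")
    if role["account"] != idp["account"]:
        problems.append("role and IdP must be in the same AWS account")
    return problems


if __name__ == "__main__":
    mappings = attribute_mappings(ROLE_ARN, IDP_ARN)
    print(json.dumps(federation_policy(INSTANCE_ARN), indent=2))
    print(json.dumps(saml_trust_policy(IDP_ARN), indent=2))
    print(json.dumps(mappings, indent=2))
    print("Role attribute problems:",
          check_role_attribute(mappings["https://aws.amazon.com/SAML/Attributes/Role"]) or "none")
```

The generated permission policy is the one to paste in when creating ConnectIAM-Identity-Center-Policy; the trust policy is what the console attaches when you pick the SAML provider and choose programmatic and console access, so comparing the two is a quick way to confirm the role trusts only the intended IdP. The order check matters because a swapped Role value (IdP ARN first) is a common cause of sign-in failures.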

Create users in IAM Identity Center and assign them to your IAM Identity Center cloud application

Follow the instructions in Manage identities in IAM Identity Center.

Test your setup by logging in to Amazon Connect using your IdP and one of the IAM Identity Center user credentials that you created

Follow the instructions in Signing in to the AWS access portal in the IAM Identity Center user guide.

Related information

Troubleshoot SAML with Amazon Connect

Configure IAM Identity Center using Microsoft Azure Active Directory for Amazon Connect

Configure IAM Identity Center for Amazon Connect using Okta

AWS OFFICIAL
Updated a year ago