
Using Lex Bot v2 embedded iframe with SAML authentication

0

We are attempting to use the Amazon Lex bot in our customer facing website. We use Okta for our IAM and have properly configured a SAML federation with Cognito. The bot is integrated with the site and is functioning fine in anonymous mode. When the user selects the Login link in the bot, the user is authenticated, but the result is that the user is directed to a parent page and not back to the iframe. The chat needs to remain in the iframe and not full page. At this time the redirectURL in Cognito is set to the iframe URL. What should the redirectURL be set to, and how do we pass the authentication from the parent page into the iframe?

The current flow is

  1. User navigates to the site.
  2. The user then selects a protected link and signs in.
  3. After successful sign-in the user lands on the selected page and the bot "Help" link shows in the lower right of the page.
  4. The user selects the "Help" link and the iframe expands to allow the chat.
  5. The user then selects the action menu and selects Login.
  6. The federation "approves" the login request and redirects to a full page chat session and not back to the iframe.

Since the user has already authenticated, can we make the bot be authenticated automatically when the page (and the iframe) are rendered? If not, then how can we make the bot login link "stay" within the iframe and not take over the parent page?

asked 10 months ago · 173 views

1 Answer
0

When integrating an Amazon Lex V2 chatbot with SAML authentication in an iframe, there are a few challenges to address regarding authentication flow and page redirection.

The issue you're experiencing is that after SAML authentication through Okta and Cognito, the user is being redirected to a full page rather than returning to the iframe where the bot is embedded. This is disrupting your desired user experience.

There are two potential approaches to solve this:

  1. Automatic Authentication: Since your users are already authenticated on the main site, you could pass this authentication to the bot when the iframe loads. This would eliminate the need for users to click the "Login" link in the bot. You would need to implement this by having your parent page pass the authentication tokens or credentials to the iframe when it initializes the bot.

  2. Proper Redirect Configuration: If you need to maintain the explicit login flow, you'll need to ensure the redirect URL in Cognito is properly configured. Instead of setting the redirect URL to the iframe URL directly, you might need to:

  • Set up a specific redirect handler page that knows how to communicate with the parent page
  • Use window.postMessage() or similar techniques to communicate between the authentication redirect page and the parent page
  • Have the parent page then update the iframe with the authenticated session

For the iframe to maintain its state during authentication, you'll need to handle the authentication flow differently than a standard full-page redirect. This typically involves using techniques like:

  • Using a popup window for authentication instead of redirecting the iframe itself
  • Implementing a message-passing system between the parent page and iframe
  • Storing authentication state that can be retrieved when returning to the iframe

Since your users are already authenticated on the main site, the first approach (automatic authentication) would likely provide the best user experience, eliminating the need for a second login action within the bot interface.
Sources
Single sign-on SSO for Amazon OpenSearch Service using SAML and Keycloak | AWS Big Data Blog

answered 10 months ago
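The second approach in the answer (a redirect handler page opened as a popup, `window.postMessage()` back to the parent, then the parent updating the iframe) as an added example; this is illustration code, not from the question, the answer or the Lex web UI. `PARENT_ORIGIN`, `AUTH_HANDLER_ORIGIN`, `BOT_IFRAME_ORIGIN` and the message `type` strings are assumed names, and the bot iframe is assumed to have its own listener for the forwarded `lex-session` message.

```javascript
// Added example: parent-page / redirect-handler glue for the postMessage approach.
// PARENT_ORIGIN, AUTH_HANDLER_ORIGIN, BOT_IFRAME_ORIGIN and the "type" strings are
// assumed names for illustration; use your deployment's real origins.
const PARENT_ORIGIN = "https://www.example.com";        // page that embeds the bot iframe
const AUTH_HANDLER_ORIGIN = "https://auth.example.com"; // Cognito redirect handler page
const BOT_IFRAME_ORIGIN = "https://bot.example.com";    // origin of the embedded Lex web UI

// --- Redirect handler page (Cognito sends the browser here after SAML login) ---
// With the implicit grant, tokens arrive in the URL fragment:
// "#id_token=...&access_token=...&expires_in=3600&token_type=Bearer"
function parseCognitoFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const idToken = params.get("id_token");
  if (!idToken) return null; // error responses carry "error=..." instead of a token
  const ttlMs = Number(params.get("expires_in") || 0) * 1000;
  return { type: "lex-auth", idToken, expiresAt: Date.now() + ttlMs };
}

// Hand the result back to the window that opened this popup. The explicit
// targetOrigin ensures the token is never delivered to some other document.
function postAuthResult(openerWindow, hash) {
  const msg = parseCognitoFragment(hash);
  if (!msg || !openerWindow) return false;
  openerWindow.postMessage(msg, PARENT_ORIGIN);
  return true;
}

// --- Parent page (hosts the iframe and opened the popup) ---
// Accept a message only from the handler's origin and only with the expected shape.
function acceptAuthMessage(event) {
  if (event.origin !== AUTH_HANDLER_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== "lex-auth" || typeof d.idToken !== "string") return null;
  if (d.idToken.split(".").length !== 3) return null; // JWT = header.payload.signature
  return { idToken: d.idToken, expiresAt: Number(d.expiresAt) || 0 };
}

// Forward the accepted session into the bot iframe, again pinning targetOrigin,
// so the chat stays in place instead of following a full-page redirect.
function forwardToIframe(iframe, session) {
  if (!session) return false;
  iframe.contentWindow.postMessage({ type: "lex-session", ...session }, BOT_IFRAME_ORIGIN);
  return true;
}
// Parent wiring: open the login popup and forward whatever it legitimately posts back.
function wireParent(win, iframe, loginUrl) {
  win.addEventListener("message", (ev) => forwardToIframe(iframe, acceptAuthMessage(ev)));
  return win.open(loginUrl, "lexLogin", "width=500,height=650");
}
```

The structural JWT check in `acceptAuthMessage` only filters malformed messages; the token is still validated server side (or by the Lex web UI's Cognito integration) before it grants anything.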
