
Can Amazon Connect Agent Workspace support direct login (SSO) using only AWS Cognito (no external IdP)?

0

My application uses AWS Cognito User Pools for authentication (users log in via Cognito and receive tokens).

After logging into my app, users see a button “Agent View”.

When an agent clicks “Agent View”, I want to open the Amazon Connect agent workspace (CCP) without asking for credentials again.

My Amazon Connect instance is configured with:

IdentityManagementType: "SAML"

So Connect uses SAML SSO for agent login. Here’s the AWS CLI describe-instance output:

"IdentityManagementType": "SAML", "InstanceAccessUrl": "https:/awsconnectzxcvnzvc.my.connect.aws"

I do not want to use any external identity provider like Okta, Microsoft Entra ID, Google, or similar — only AWS Cognito user pool.

My question:

Can AWS Cognito act as the SAML identity provider directly for Amazon Connect, such that after my app login, clicking the “Agent View” button opens the Connect agent workspace without a separate login?

If this is possible:

What exact AWS configuration is required?

What SAML settings / metadata / trust relationships must be created?

Is Cognito capable of generating a valid SAML assertion that Amazon Connect will accept?

How do I structure the redirect from my app to Connect’s CCP with SSO using Cognito?

If this is not possible, please clarify:

What AWS-supported identity configurations exist for SSO into Amazon Connect that do not require external IdPs?

Is AWS SSO (IAM Identity Center) the only alternative?

Goal: Agents click a button in my Cognito-authenticated app and are automatically logged into the Connect Agent Workspace without any additional credential prompt.

1 Answer
0

Yes, AWS Cognito can act as a SAML identity provider for Amazon Connect, enabling single sign-on from your application to the Amazon Connect agent workspace without requiring a separate login.

Amazon Cognito user pools support SAML 2.0 and can be configured to act as a SAML identity provider for your Amazon Connect instance. This allows your users to authenticate once through Cognito and then access Amazon Connect without having to provide credentials again.

To implement this solution:

  1. Configure your Amazon Connect instance with SAML 2.0-based authentication (which you've already done).

  2. Set up your Cognito user pool as a SAML identity provider:
  • In your Cognito user pool, configure it to support SAML assertions
  • Ensure the user attributes in Cognito map correctly to the attributes Amazon Connect expects, particularly the RoleSessionName SAML attribute which must match the user name in Amazon Connect

  3. Create an identity provider in IAM to enable SAML federation between Cognito and AWS:
  • In the IAM console, create a SAML identity provider
  • Upload the SAML metadata document from your Cognito user pool
  • Configure the trust relationship between Cognito and Amazon Connect

  4. Configure the relay state and authentication response in your Cognito setup to direct users to the Amazon Connect agent workspace.

  5. For the "Agent View" button in your application, implement the flow to:
  • Generate a SAML assertion from Cognito
  • Direct the user to Amazon Connect with this assertion
  • Amazon Connect will validate the SAML assertion and automatically log the user in

When implementing this solution, ensure that:

  • The user names in Cognito match exactly with the user names in Amazon Connect
  • The SAML assertion contains all required attributes for Amazon Connect
  • The session duration is properly configured (Amazon Connect sessions expire after 12 hours)

This approach allows you to maintain a single authentication system using only AWS services without requiring any external identity providers like Okta or Microsoft Entra ID.
Sources
Configure SAML with IAM for Amazon Connect - Amazon Connect
Using SAML identity providers with a user pool - Amazon Cognito
Identity providers and federation into AWS - AWS Identity and Access Management

answered a month ago
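Whichever IdP ends up issuing the assertion (the comment below disputes whether a Cognito user pool can issue one at all), the items the answer lists under "ensure that" can be checked mechanically before you wire up the "Agent View" redirect. The Python below is an added example and is not code from the question, the answer or AWS: the sample assertion, account id, role name, provider name, region and instance id are constructed placeholders, and the RelayState shape follows the "Configure SAML with IAM for Amazon Connect" page the answer cites. It assumes the assertion's XML signature has already been verified by your SAML library; it only inspects the attribute statement, so never treat it as a substitute for signature validation.

```python
"""Check a SAML assertion for the attributes Amazon Connect federation needs
and build the RelayState URL that lands the agent in the CCP.

Added example, not from the question, the answer or AWS. All identifiers are
placeholders. Signature validation is out of scope: only run this on an
assertion whose XML signature has already been verified.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MAX_SESSION_SECONDS = 12 * 3600  # Connect agent sessions expire after 12 hours

# Constructed sample assertion (not any real IdP's output); account, role and
# provider names are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ConnectAgentRole,arn:aws:iam::123456789012:saml-provider/MyIdP</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>jane.doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>43200</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Role attribute value must be "role-arn,saml-provider-arn" in the same account.
ROLE_PAIR = re.compile(
    r"^arn:aws:iam::\d{12}:role/[^,]+,arn:aws:iam::\d{12}:saml-provider/[^,]+$"
)


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_connect_assertion(assertion_xml, expected_connect_username):
    """Return a list of problems; an empty list means the assertion is acceptable."""
    problems = []
    attrs = saml_attributes(assertion_xml)

    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("missing Role attribute")
    for r in roles:
        if not ROLE_PAIR.match(r):
            problems.append(f"Role value is not 'role-arn,provider-arn': {r}")

    names = attrs.get(SESSION_NAME_ATTR, [])
    if len(names) != 1:
        problems.append("RoleSessionName must appear exactly once")
    elif names[0] != expected_connect_username:
        # Exact, case-sensitive comparison: Connect looks the agent up by this value.
        problems.append(
            f"RoleSessionName {names[0]!r} != Connect user {expected_connect_username!r}"
        )

    for d in attrs.get(SESSION_DURATION_ATTR, []):
        if not d.isdigit() or int(d) > MAX_SESSION_SECONDS:
            problems.append(f"SessionDuration {d} exceeds 12h or is not an integer")
    return problems


def connect_relay_state(region, instance_id, destination="/connect/ccp-v2"):
    """RelayState that sends the agent to the CCP after federation.

    Region and instance id are placeholders supplied by the caller; the
    destination is URL-encoded so it survives the IdP round trip intact.
    """
    return (
        f"https://{region}.console.aws.amazon.com/connect/federate/{instance_id}"
        f"?destination={quote(destination, safe='')}"
    )


if __name__ == "__main__":
    print(check_connect_assertion(SAMPLE_ASSERTION, "jane.doe"))   # []
    print(check_connect_assertion(SAMPLE_ASSERTION, "Jane.Doe"))   # name mismatch
    print(connect_relay_state("us-east-1", "11111111-2222-3333-4444-555555555555"))
```

Run it against a captured assertion from whichever IdP you settle on and against the exact login name shown in the Connect user management page; the case-sensitive mismatch is the failure most often hit when the app's identity store and Connect were populated separately.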
  • AWS Cognito cannot act as a SAML IdP for Connect. Cognito only generates JWT tokens, not SAML assertions.
