Both Amazon Connect and Local Measure Engage can be configured for SSO with Microsoft Azure Active Directory (Azure AD) as the SAML-based identity provider. Amazon Connect and Local Measure Engage each require their own SAML application, created and configured in the Azure AD portal.
The Azure AD AWS SAML application, together with an AWS IAM identity provider (a SAML provider), enables federation between Azure AD and AWS: Azure AD users sign in through Azure AD and assume IAM roles, rather than authenticating with IAM user credentials.
Configure SSO for Amazon Connect
The following AWS guide describes in detail how to configure Amazon Connect SSO with Azure AD as the identity provider: https://catalog.workshops.aws/amazon-connect-sso/en-US/3-sso-amazonconnect-azuread
It is recommended to use Service Control Policies (SCPs) as an additional guardrail for Amazon Connect. An SCP does not grant permissions; it sets the maximum permissions available to every user and role in the member accounts it is attached to, so a Deny in an SCP protects important resources even from principals that hold administrative IAM permissions in the account. Note that SCPs do not apply to the organization's management account.
[.callout-primary--book]Recommended reading: Security Best Practices for Amazon Connect [.callout-primary--book]
Below is an example SCP that can be used to prevent the deletion of the Amazon Connect instance and associated Role:
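As an added example of such an SCP (written for this page, not a policy shipped by Local Measure or AWS), the policy below denies deletion of one Amazon Connect instance and of the service-linked role that Amazon Connect creates for it. The instance ID and the role name are placeholders; the service-linked role path shown is the one Amazon Connect uses, but verify the exact role name in IAM before attaching the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteConnectInstance",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance"
      ],
      "Resource": "arn:aws:connect:*:*:instance/11111111-2222-3333-4444-555555555555"
    },
    {
      "Sid": "DenyDeleteConnectServiceLinkedRole",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole",
        "iam:DeleteServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*"
    }
  ]
}
```

Because the effect is Deny, it overrides any Allow in identity or resource policies inside the accounts the SCP is attached to. Attach it to the OU or account that holds the Amazon Connect instance; if the instance must later be decommissioned, detach the SCP first rather than editing IAM permissions.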
Configure SSO for Local Measure Engage
Single Sign On (SSO) for Local Measure Engage is implemented by configuring the Cognito Userpool to use a SAML application for sign-in. The Cognito Userpool in question is the one which was created by the Local Measure Engage CloudFormation template.
The following summarizes the high-level process which needs to be followed:
- Gather the required Cognito Userpool details
- Create the SAML application in the Azure AD portal.
- Configure an identity provider in the Cognito Userpool
- Specify this identity provider to be used for agent authentication
The steps below will guide you through the detailed process.
Step 1: Gather the required Cognito Userpool details
Log into the AWS account in which the Local Measure Engage CloudFormation stack was created. Navigate to the Cognito service (ensure that you are in the correct region) and open the user pool that the stack created. Note down the User pool ID, as shown in the image below.

Click on the 'App integration' tab and note down the Cognito domain prefix. This is the first part of the Cognito domain, before '.auth.<region>.amazoncognito.com', as highlighted in the image below. It is the same value that was given as a parameter to the CloudFormation template, so it can also be copied from the stack's Parameters tab if preferred.

Step 2: Create the SAML application in the Azure AD portal.
Log in to the Azure Portal and in the Azure Service section, choose Azure Active Directory. Navigate to the left sidebar and choose Enterprise applications. Choose ‘New application’ and ‘Create your own application’. Fill in the following fields:
Name: give your application a name, e.g. Engage Production. Select ‘Integrate any other application you don’t find in the gallery (Non-gallery)’ and choose ‘Create’.

It will take a few seconds for the application to be created in Azure AD; you are then redirected to the ‘Overview’ page for the newly added application.
To set up Single Sign-on using SAML
On the ‘Getting Started’ page, in the ‘Set up single sign on’ tile, choose ‘Get started’, as shown below. On the next screen, select SAML.

In the middle pane under ‘Set up Single Sign-On with SAML’, in the ’Basic SAML Configuration’ section, choose the edit icon.
Enter the following field values:
- Identifier (Entity ID): urn:amazon:cognito:sp:${pool ID}
- Reply URL (Assertion Consumer Service URL): https://${DomainPrefix}.auth.${RegionID}.amazoncognito.com/saml2/idpresponse
[.callout-primary--alert-message]NB: Be sure to replace all the above placeholders with the values copied from the Cognito Userpool. [.callout-primary--alert-message]

Navigate to the middle pane under ‘Set up Single Sign-On with SAML’, in the ‘User Attributes & Claims’ section, select Edit.
Choose 'Add a group claim'. On the User Attributes & Claims page, in the right pane under Group Claims, select 'Groups assigned to the application', leave Source attribute as Group ID, as shown in the figure below. Choose Save.
Close the User Attributes & Claims screen. You’ll be redirected to the ‘Set up Single Sign-on with SAML’ page.

Scroll down to the SAML Signing Certificate section, and copy the App Federation Metadata Url by choosing the copy into clipboard icon. Keep this URL in a text editor, as you’ll need it in the next step.

Step 3: Configure an identity provider in the Cognito Userpool
Log into the AWS account which contains the Cognito Userpool. Navigate to Cognito and open the Userpool.
Select the 'Sign-in experience' tab and then click on 'Add identity provider' as indicated on the below image:

On the resulting page, select 'SAML'.
Under 'Set up SAML federation with this user pool':
- Provider name - enter a name for this identity provider. Do not use spaces in the name; this exact name is also what Local Measure will ask for at the end of the setup.
- Metadata document source - select the metadata endpoint URL option and paste the App Federation Metadata Url copied in the previous step.
Under 'Map attributes between your SAML provider and your user pool', set the following attribute:
Click 'Add identity provider'. At this point the required identity provider has been created. The last step in the Cognito configuration is to specify that the App Client should use this identity provider.
Step 4: Specify this identity provider to be used for agent authentication
Select 'App integration' from the tabbed view, scroll to the bottom and click on the 'app-client' to open it. Once the app-client has been opened, scroll down to the 'Hosted UI' section and click 'Edit' as illustrated below:

Under 'Hosted sign-up and sign-in pages' scroll down to the 'Identity providers' dropdown box. Click on this and select the identity provider that was configured in the previous step. Click 'Save changes'.
Local Measure will require the name of the IdP (as configured under 'Sign-in experience') to complete the setup of your account. Please include it with the CloudFormation outputs shared with Local Measure.
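The values exchanged in Steps 1 to 3 are easy to mistype, and a wrong Reply URL or an unusable metadata document only shows up as a failed sign-in later. The script below is an added example, not Local Measure's or AWS's code: it derives the Identifier and Reply URL for the Azure AD application from the user pool ID and domain prefix noted in Step 1, parses an IdP metadata document the way Cognito needs it (EntityDescriptor, IDPSSODescriptor, a single-sign-on endpoint and a signing certificate), and checks the provider name for Step 3. The pool ID, domain prefix and the cut-down metadata document are constructed placeholders; the 32-character limit on the provider name is an assumption.

```python
# Added example (not Local Measure's or AWS's code). The pool ID, domain prefix
# and metadata document below are constructed placeholders, not real values.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# <region>_<id>, e.g. ap-southeast-2_AbCdEf123 (also matches us-gov-west-1_...).
POOL_ID_RE = re.compile(r"^((?:[a-z]+-)+\d)_[A-Za-z0-9]+$")
# Domain prefix: lowercase letters, digits and hyphens, no leading/trailing hyphen.
DOMAIN_PREFIX_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

SAMPLE_POOL_ID = "ap-southeast-2_AbCdEf123"   # constructed stand-in (Step 1)
SAMPLE_DOMAIN_PREFIX = "engage-prod"          # constructed stand-in (Step 1)
# Constructed, cut-down stand-in for the Azure AD federation metadata (Step 2).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC0DCCAbigAwIBAgIQconstructedplaceholder</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def is_valid_pool_id(pool_id):
    return POOL_ID_RE.match(pool_id) is not None


def cognito_sp_values(pool_id, domain_prefix):
    """Identifier (Entity ID) and Reply URL to enter in Azure AD (Step 2)."""
    m = POOL_ID_RE.match(pool_id)
    if not m:
        raise ValueError(f"not a Cognito user pool ID: {pool_id!r}")
    if not DOMAIN_PREFIX_RE.match(domain_prefix):
        raise ValueError(f"not a Cognito domain prefix: {domain_prefix!r}")
    region = m.group(1)  # taken from the pool ID so region and pool cannot disagree
    return {"entity_id": f"urn:amazon:cognito:sp:{pool_id}",
            "reply_url": f"https://{domain_prefix}.auth.{region}"
                         ".amazoncognito.com/saml2/idpresponse"}


def check_idp_metadata(xml_text):
    """Parse IdP metadata; return what Cognito relies on, or raise ValueError.

    Catches a wrong URL (an HTML sign-in page, or SP rather than IdP metadata)
    before it is pasted into Cognito in Step 3.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not (sso.get(REDIRECT) or sso.get(POST)):
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                        default="", namespaces=NS).strip()
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"]  # absent 'use' means both
    if not any(certs):
        raise ValueError("no signing certificate: Cognito could not verify assertions")
    return {"issuer": root.get("entityID", ""),
            "sso_redirect": sso.get(REDIRECT), "sso_post": sso.get(POST),
            "signing_certs": sum(1 for c in certs if c)}


def metadata_problem(xml_text):
    """None if the metadata is usable, otherwise the reason it is not."""
    try:
        check_idp_metadata(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


def is_valid_provider_name(name):
    """Cognito provider name (Step 3): no whitespace; the 32-char cap is an assumption."""
    return re.fullmatch(r"\S{1,32}", name) is not None


if __name__ == "__main__":
    sp = cognito_sp_values(SAMPLE_POOL_ID, SAMPLE_DOMAIN_PREFIX)
    idp = check_idp_metadata(SAMPLE_METADATA)
    print("Azure AD Identifier (Entity ID):", sp["entity_id"])
    print("Azure AD Reply URL (ACS):       ", sp["reply_url"])
    print("IdP issuer / signing certs:     ", idp["issuer"], idp["signing_certs"])
```

To check the real document, fetch the App Federation Metadata Url from Step 2 (for example with `urllib.request.urlopen(url).read()`) and pass the bytes to `check_idp_metadata`; a tenant-specific issuer under https://sts.windows.net/ and at least one signing certificate are what Cognito needs to accept assertions from that application.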