Local Measure Resource Center

Overview

Local Measure Engage leverages Amazon Cognito for agent authentication, including Single Sign On (SSO). The benefits of this approach are:

No agent data is stored in the Local Measure environment as all agent data resides within Amazon Cognito within the client's own AWS account
Amazon Cognito caters for user pools where users can manually be created, or
Amazon Cognito caters for SAML federation, which enables SSO, with most SAML providers

‍

Instructions

The following sections detail how to configure Cognito for a variety of SAML providers. The high-level requirement for configuring SSO can however be summarized as follows and can be used as guidance for configuration of any new SAML providers that have not yet been documented.

[.callout-primary--alert]To set up Single Sign-On (SSO) for Amazon Connect, you'll configure the SAML application in the IAM Identity Center, which is often in a separate AWS account and region. However, the Identity Provider, Role, and Policy should be established within the same AWS account as Amazon Connect.[.callout-primary--alert]

A SAML application (and associated xml configuration file) will be required.
The SAML application must have the following specified:

|Attribute|Value| |---|---| | ACS URL | https://${yourDomainPrefix}.auth.${region}.amazoncognito.com/saml2/idpresponse| | Application SAML audience | urn:amazon:cognito:sp:${yourUserPoolID}| | Application start URL (optional) | Engage login url |

The SAML application must have the following two SAML attributes:

| SAML Attribute | Maps to this string value or user attribute | Format | |---|---|---| | Subject | ${user:email} | Persistent | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | ${user:email} | |

The Identity Provider in Cognito must be configured with the following attributes:

| User pool attribute | SAML Attribute | |---|---| | email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |