Google Workspaces

GUIDE

Deploying Engage

A Technical Guide to Configuring your Account for Amazon Connect.

Both Amazon Connect and Local Measure Engage can be configured for SSO with Google Workspaces as the SAML-based identity provider. Amazon Connect and Local Measure Engage will each require a SAML application. The required SAML applications are created and configured in the Google Workspace admin console.

The Google Workspaces SAML application along with an AWS IAM identity provider will enable the federation between Google and your AWS IAM users.

Configure SSO for Amazon Connect

The following AWS guide describes in detail how to configure Amazon Connect SSO with Google Workspaces as the identity provider:
https://catalog.workshops.aws/amazon-connect-sso/en-US/4-sso-amazonconnect-google-workspace

It is recommended to use Service Control Policies (SCPs) to limit what users and roles can do in Amazon Connect, protecting important resources and making your system more secure.

Recommended reading: Security Best Practices for Amazon Connect

Below is an example SCP that can be used to prevent the deletion of the Amazon Connect instance and associated Role:


<pre><code class="language-json">
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/***Amazon Connect user role***"
      ]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance"
      ],
      "Resource": [
        "***Amazon Connect instance ARN***"
      ]
    }
  ]
}
</code></pre>
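Before attaching an SCP like the one above, it is worth checking that its Deny statements match exactly the calls you intend to block and nothing else, and that no `***` placeholder survived the copy. The following is an added example (not code from Local Measure or AWS) that applies IAM's pattern rules to a policy document: `*` matches any run of characters, `?` one character, action names compare case-insensitively and ARNs case-sensitively. The account id, role name and instance id in the sample policy are constructed values standing in for the guide's placeholders. Note that an SCP only filters; an empty result means the SCP does not block the call, not that the caller is allowed to make it.

```python
import json
import re

# Constructed sample: the guide's SCP with its *** placeholders replaced by
# made-up values (account 111122223333, role ConnectAgentRole, a fake instance id).
EXAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": ["iam:DeleteRole"],
      "Resource": ["arn:aws:iam::*:role/ConnectAgentRole"]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": ["connect:DeleteInstance"],
      "Resource": ["arn:aws:connect:eu-west-1:111122223333:instance/11111111-2222-3333-4444-555555555555"]
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _wild_to_regex(pattern):
    """IAM patterns use * (any run of characters) and ? (exactly one character)."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.DOTALL)


def _matches(patterns, value, ignore_case):
    if ignore_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(_wild_to_regex(p).match(value) for p in patterns)


def find_placeholders(policy):
    """Every Action/Resource string still carrying the guide's *** markers.
    Attach nothing until this list is empty."""
    found = []
    for stmt in policy["Statement"]:
        for key in ("Action", "Resource"):
            found += [s for s in _as_list(stmt.get(key, [])) if "***" in s]
    return found


def denying_statements(policy, action, resource):
    """Sids of the Deny statements that match this action/resource pair.
    An empty list means the SCP does not restrict the call; the identity's own
    IAM policies still decide whether it is allowed."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if (_matches(_as_list(stmt.get("Action", [])), action, ignore_case=True)
                and _matches(_as_list(stmt.get("Resource", [])), resource, ignore_case=False)):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/ConnectAgentRole"
    print("placeholders left:", find_placeholders(EXAMPLE_SCP))
    print("DeleteRole on protected role ->", denying_statements(EXAMPLE_SCP, "iam:DeleteRole", role))
    print("DeleteRole on other role     ->",
          denying_statements(EXAMPLE_SCP, "iam:DeleteRole", "arn:aws:iam::111122223333:role/Other"))
```

Running the script prints which Sid blocks each sample request; feeding it the guide's JSON as pasted (placeholders intact) makes `find_placeholders` return the two unreplaced resource strings.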

Configure SSO for Local Measure Engage

Single Sign On (SSO) for Local Measure Engage is implemented by configuring the Cognito Userpool to use a SAML application for sign-in. The Cognito Userpool in question is the one which was created by the Local Measure Engage CloudFormation template.

The following summarizes the high-level process which needs to be followed:

  1. Gather the required Cognito Userpool details
  2. Create and configure the SAML application
  3. Configure an identity provider in the Cognito Userpool
  4. Specify this identity provider to be used for agent authentication

The below will guide you through the detailed process.

Step 1: Gather the required Cognito Userpool details

Log into the AWS account in which the Local Measure Engage CloudFormation stack was created. Navigate to the Cognito service (ensure that you are in the correct region) and open the user pool that the Local Measure Engage CloudFormation stack created. Note down the User pool ID as shown in the image below.

Click on the 'App Integration' tab and note down the Cognito domain prefix. This is the first part of the Cognito domain, before the '.auth.regionxxx' portion, as highlighted in the image below. This is also the value that was specified in the CloudFormation template, so it can also be copied from the CloudFormation parameters tab if preferred.

Step 2: Create and configure the SAML application

Create the SAML application in Google Workspace

Open the Admin console in Google Workspace. In the left-most navigation panel, select the ‘Apps’ dropdown arrow and navigate to ‘Web and mobile apps’. Click on ‘Add app’ and select ‘Add Custom SAML app’.

Configure SAML integration for your Google Workspace app

In the ‘App details’ section, enter a name for your app, an optional description and icon. Choose Continue.

Click on the ‘Download Metadata’ button under Option 1. This file will be used to complete the Cognito configuration in AWS. Click on Continue.

Fill in the following fields under the ‘Service provider details’:

  • ACS URL: https://${yourDomainPrefix}.auth.${region}.amazoncognito.com/saml2/idpresponse
  • Entity ID: urn:amazon:cognito:sp:${yourUserPoolId}
  • NAME ID format: ENTITY
  • Name ID: Basic Information > Primary email

Note: Replace ${yourDomainPrefix}, ${region} and ${yourUserPoolId} with the values for your Cognito user pool.

Click on Continue.

Under ‘Attribute Mapping’, add a Google Directory attribute with the following attribute:

| Google Directory attributes | Value |
|-----------------------------|-------|
| Primary email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |

Click on ‘Finish’.

Grant access to users in Google Workspace

When you create a SAML app, it is turned off by default, so users logged in to their Google Workspaces account will not see it. You will now enable the Engage app for your Google Workspaces users.

Navigate to ‘User Access’ under the Engage app configuration and click on ‘View details’. To turn on the service for everyone in your organization, click ON for everyone, and then click Save.

If you do not want to activate this application for all users, you can use Google Workspaces organizational units to activate the Engage app for only a subset of users.

Step 3: Configure an identity provider in the Cognito User pool

Log into the AWS account which contains the Cognito Userpool. Navigate to Cognito and open the Userpool.

Select the 'Sign-in experience' tab and then click on 'Add identity provider' as indicated in the image below:

On the resulting page, select 'SAML'.

Under 'Set up SAML federation with this user pool':

  • Provider name - enter a name for this identity provider. It is recommended to not use any spaces in the name e.g. google.
  • Metadata document source - Upload the Metadata file downloaded in the Google Workspace console.

Under 'Map attributes between your SAML provider and your user pool', set the following attribute:

| User pool attribute | SAML attribute |
|---------------------|----------------|
| email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |

Click 'Add identity provider'. At this point the required identity provider has been created. The last step in the Cognito configuration is to specify that the App Client should use this identity provider.

Step 4: Specify this identity provider to be used for agent authentication

Select 'App integration' from the tabbed view, scroll to the bottom and click on the 'app-client' to open it. Once the app-client has been opened, scroll down to the 'Hosted UI' section and click 'Edit' as illustrated below:

Under 'Hosted sign-up and sign-in pages' scroll down to the 'Identity providers' dropdown box. Click on this and select the identity provider that was configured in the previous step. Click 'Save changes'.

Local Measure will require the name of the IDP (as configured under 'Sign-in experience') to complete the setup of your account. Please include this along with the CloudFormation outputs information shared with Local Measure.