AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Amazon Connect

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Amazon Connect using SAML.

Topics

• Prerequisites

• Setup instructions

• Verification

• Troubleshooting

Prerequisites

You'll need the following to set up SSO access to Amazon Connect:

• Access to the IAM Identity Center console with permissions to manage applications.

• An Amazon Connect instance in AWS account with admin permissions.

Setup instructions

1. On the Configure page, in the Details section, fill in the Display name and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

2. Download the IAM Identity Center SAML metadata and save it.

3. Under Application metadata, choose If you don't have a metadata file, you can manually type your metadata values. to display the application metadata settings.

4. Insert these values:

Field	Value
Application ACS URL	https://signin.aws.amazon.com/saml
Application SAML audience	urn:amazon:webservices

5. Choose Save Changes.

6. Follow the process described here for setting up your Connect application: https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html#enable-saml-federation

6a. Create a SAML Identity provider in IAM console and upload the metadata file that was download earlier.

6b. Create an IAM policy for allowing access to the Amazon Connect instance.

6c. Create an IAM role for SAML Federation trusting the new SAML Identity provider, and attach this new policy.

7. Go back to the IAM Identity Center console page where you are configuring the Application.

8. Choose Edit Configuration. Under Application properties, Insert these values:

Field	Value
Relay State	https://region-id.console.aws.amazon.com/connect/federate/instance-id

Note

You can find the instance ID for your instance by choosing the instance alias in the Amazon Connect console. The instance ID is the set of numbers and letters after '/instance' in the Instance ARN displayed on the Overview page. For example, the instance ID in the following Instance ARN is 123a12a3-b3de-1234-a4aa-e321aexample.

arn:aws:connect:region:12-digit-account-id:instance/123a12a3-b3de-1234-a4aa-e321aexample

9. Choose Save Changes.

10. Choose Attribute Mappings tab. Click on Add a new attribute mapping. Add an attribute for the Role.

Field	Value	Format
https://aws.amazon.com/SAML/Attributes/Role	arn:aws:iam::ACCOUNTID:role/ROLENAME,arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME	unspecified

Limitations

You can only map one IAM role per Amazon Connect Instance and one IAM role attribute mapping per IAM Identity Center application instance.

11. Assign a user to the application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Note

Users will not be able to login using SSO unless the user exists in both your directory and Amazon Connect, and the user is assigned to the application.

Verifying SSO from IAM Identity Center

1. Access the AWS access portal using the credentials of a user assigned to the Amazon Connect application.

2. In the list of applications, choose Amazon Connect to initiate a login to Amazon Connect.

3. If login was successful you will be signed-in to the Amazon Connect network.

Note

Amazon Connect does not support SP initiated SSO.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error	Issue	Solution
Your user account has not been added to Amazon Connect. Please ask your admin to add you and then try again	The user does not exist in the Amazon Connect instance.	Create a user with the required email in Amazon Connect instance.
Other	When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' field (if they are present) from the connected directory to populate the 'Email' in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields.	Your directory may be configured to contain the users email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of:

• Preprovisioned users

  Preprovisioned users, means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.

• JIT users

  JIT (or Just-In-Time) users, means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable JIT option in your SaaS application for the AD domain.