Configure single sign-on using OneLogin for Amazon Connect

Single sign-on (SSO) enables users to access multiple applications securely via a single ID and password. This reduces the headache of remembering multiple username and passwords for users in an organization. Contact Centers are no different and the ability to utilize SSO for contact center applications is a common requirement. Amazon Connect support’s identity federation with Security Assertion Markup Language (SAML) 2.0 to enable web-based single sign-on (SSO) from your organization to your Amazon Connect instance.

One of the common identity providers most organizations want to use to enable SSO with AWS is OneLogin. This post provides a detailed guidance on how to enable SSO using OneLogin for Amazon Connect.

Overview of solution

The following architecture diagram depicts two OneLogin Applications that federate via Identity Provider initiated SSO to AWS Identity and Access Management (IAM). This helps grant access to your Amazon Connect Instance. The first application is created for Administrators of your contact center. The second application is created for agents.

Prerequisites

For this walk through, it is assumed you have the following prerequisites:

• An AWS account
• An Amazon Connect instance with SAML 2.0 as the chosen Identity Provider
• Basic understanding of Amazon Connect
• Basic understanding of IAM and privileges required to create the following; IAM identity provider, roles, policies, and users
• A OneLogin subscription
• A user created in OneLogin that will act as your Amazon Connect administrator
• An administrator user defined in Amazon Connect with the name exactly matching its counterpart in OneLogin (as mentioned in the above step)

Create the OneLogin SAML Application

The OneLogin SAML application along with an AWS IAM identity provider will enable the federation between OneLogin and your AWS IAM users. As a part of this blog post you will end up creating two OneLogin applications- one for your Amazon Connect administrators and another for your Amazon Connect agents. At this moment we will begin by creating an application for your agents.

1. Log in to Onelogin portal
2. Choose Administration
3. Choose Applications > Applications
   
4. Choose Add App
   
5. In the search box type ‘SAML custom’
   
6. Choose ‘SAML Custom Connector (Advanced)’
   
7. Change the Display Name to ‘Amazon Connect Agent’
8. Choose Save
   
9. Choose ‘More Actions’ and select ‘SAML metadata’
   
10. Save the meta file to your local machine.

Create an IAM identity provider

You will create an IAM identity provider in AWS Management Console and upload this metadata file to the OneLogin Application.

1. Login to the AWS Management Console and choose IAM
2. In the navigation pane, choose Identity Providers
3. Choose Create provider
4. Choose SAML as the Provider Type
5. For Provider Name, enter ‘OneLogin_Connect’
6. In the Metadata Document section, choose the metadata.xml document you downloaded in a previous step.
   
7. Choose Add provider
8. Choose the identify provider created ‘OneLogin_Connect’
9. Copy the identify provider ARN and keep it for later

Create the IAM Federation Policy

The policy enables federation for all users in a specific Amazon Connect instance.

1. Login to the AWS Management Console and choose IAM
2. In the navigation pane, choose Policies
3. Choose Create policy
4. Select the JSON tab
5. Paste the following policy into the editor, replacing the existing content:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Statement1",
               "Effect": "Allow",
               "Action": "connect:GetFederationToken",
               "Resource": [
                   "YOUR ARN/user/${aws:userid}"
               ]
           }
       ]
   }
   

6. Replace **YOUR ARN** with the ARN for your instance. To find your ARN:
   a. Open a new browser tab and log into your Amazon Connect Consoleb.
   b. Choose your Instance Alias
   c. Copy value of your Instance ARN
7. Paste the value of the Instance ARN and choose Review Policy
8. Name your policy ‘onelogin_federation_policy’, or something similar
9. Optionally, provide a description for the policy
10. Choose Create policy

Create the IAM OneLogin Role

An IAM role is created to allow programmatic access to AWS resources.

1. Login to the AWS Management Console and choose IAM
2. In the navigation pane, choose Roles
3. Choose SAML 2.0 federation under ‘Select type of trusted entity’.
4. Select ‘OneLogin_Connect’ in SAML Provider
5. Choose Allow programmatic and AWS Management Console access
6. Choose Next: Permissions
   
   
7. In the Filter policies section type OneLoginPoicy and select the previously created policy.
   
8. Choose Next: Tags
9. Optionally add tags, then choose Next: Review
10. Name the role ‘onelogin_role’, or something similar
11. Choose Create role
12. Search for the role created ‘onelogin_role’ and click on the name
13. Copy the role ARN and keep it for later

Complete configuration of the OneLogin SAML Application

1. Log in to Onelogin portal
2. Choose Administration
3. Choose Applications > Applications
4. Choose the created previously named ‘Amazon Connect Agent’
   
5. Optionally change the icons, then choose Configuration from the vertical menu
6. For RelayState enter the following
   https://<regionid>.console.aws.amazon.com/connect/federate/<instance-id>?destination=%2Fconnect%2Fccp-v2
   a. Replace the <region-id> with the Region name where you created your Amazon Connect instance. For example ‘us-east-1’ for US East (N. Virginia).
   b. Replace the <instance-id> with the instance ID for your instance. To find your instance ID:
   c. Open a new browser tab and go to the Amazon Connect Console
   d. Choose your Instance Alias
   e. The instance ID is everything after the last forward slash ‘/’ in the Instance ARN. For example, in bold: arn:aws:connect:us-east-1:123456789:instance/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
7. For Audience (EntityID) enter ‘urn:amazon:webservices’
8. For Recipient enter ‘https://signin.aws.amazon.com/saml’
9. For ACS (Consumer) URL Validator* enter ‘^https:\/\/signin.aws.amazon\.com\/saml\/$ ’
10. For ACS (Consumer) URL* enter ‘https://signin.aws.amazon.com/saml’
    
11. For SAML issuer type select ‘Assertion’
12. Choose Save
    
    
13. Choose Parameters from the vertical menu
14. You will need to add 3 parameters
    a. Name ‘Subject’ Value ‘Email’
    
    b. Name ‘https://aws.amazon.com/SAML/Attributes/Role’ Value ‘Macro’ ‘<ARN Role>,<ARN Identify Provider>’. Ensure no spaces and a comma separating the two ARNs. Flags ‘Include in SAML assertion’.
    
    c. Name ‘https://aws.amazon.com/SAML/Attributes/RoleSessionName’ , Value ‘Email’, Flags ‘Include in SAML assertion’
    
15. Choose Save on the application

Map User to OneLogin Application

1. Log in to Onelogin portal
2. Choose Administration
3. Choose Users > Users
   
   
4. Search for your user
5. Choose Applications from the vertical menu
6. Choose + and select Amazon Connect Agent
   
   Note: You must have an Amazon Connect user also created with the exact same user login between amazon Connect and OneLogin.
   

Test your new OneLogin application

1. Log in to Onelogin portal
2. Select the Amazon Connect Agent application
   
3. A new tab will open to Amazon Connect CCP
   

Administrators OneLogin Application

The previously create OneLogin application “Amazon Connect Agent” is intended for agents to access Amazon Connect CCP. Contact Centre administrators will require access to the Amazon Connect portal. To create a OneLogin application for administrators the configuration is exactly the same except a change to the relay state.

1. Repeat the steps for “Complete configuration of the OneLogin SAML Application”
2. Name the Application “Amazon Connect Admin” and choose Save.
   
3. On step 6 when you specify the relay state remove “ccp-v2” from the end of the URL
   
   
   Accessing the OneLogin “Amazon Connect Admin” application will now redirect to your Amazon Connect portal
   
   

Conclusion

In this post you have learnt how to set up single sign on using OneLogin for Amazon Connect for both your contact centre administrators and agents. If you have additional user types that access other areas of the console directly, you may consider building additional OneLogin applications. For example, an application for contact centre managers accessing Metrics and Quality, allowing them to launch directly into specific metric reports at sign on. For more information regarding Amazon Connect users, see the Amazon Connect Administration Guide.