AWS Contact Center

Multiple SAML identity providers for a single Amazon Connect instance

Identity management is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. Identity management for an Amazon Connect instance can be configured in one of the three ways:

  • By storing users in Amazon Connect
  • By linking to an existing directory
  • By using SAML 2.0-based authentication

Amazon Connect supports identity federation with Security Assertion Markup Language (SAML) 2.0 to allow web-based single sign-on (SSO) from your organization to your Amazon Connect instance. This enables users to access multiple applications securely via a single ID and password.

By default, Amazon Connect allows a 1:1 mapping from an Amazon Connect instance to an identity provider (IdP). Companies often have multiple identity providers (IdPs) within their environment, either serving different applications with their own unique use case or as a backup mechanism if their primary IdP fails.

This blog post details the steps required to configure additional identity providers for a single Amazon Connect instance.

Solution overview

Below is a summary of the steps required to configure an additional IdP for your Amazon Connect Instance:

  1. Create an Amazon Connect SSO Application for the additional SAML identity provider (IdP) in your SSO environment.
  2. Create an identity provider reference in AWS IAM for the additional SAML IdP.
  3. Re-Use the existing IAM role that is being used with the existing SAML IdP by updating the trust relationship to include the new IdP.
  4. Configure the SAML IdP application to utilize the amended role for Amazon Connect.
  5. Test SSO using both IdP applications with Amazon Connect.

This blog post uses Okta and AWS Identity Center as the example IdPs, but the steps apply for any SAML 2.0 compliant identity providers.

High Level Architecture Diagram

High Level Architecture Diagram

Sequence Diagram

The diagram below details the steps the SAML requests go through:

  1. The user browses to an internal portal that includes a link to log into Amazon Connect.
  2. The federation service requests authentication from the organisations identity store.
  3. The identity store authenticates the user and returns the authentication response to the federation service.
  4. When authentication is successful, the federation service posts the SAML assertion to the user’s browser.
  5. The user’s browser posts the SAML assertion to the AWS sign in SAML endpoint. AWS sign in receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to Amazon Connect.
  6. Using the authentication token from AWS, Amazon Connect authorizes the user and opens Amazon Connect in their browser.

Sequence Diagram

A pre-requisite to configuring an additional IdP is an Amazon Connect Instance with an existing SAML 2.0 IdP is already setup.

Step 1: Configure Amazon Connect SAML Application for the additional IdP in your SSO environment

This step creates an Amazon Connect Application within your additional SAML IdP and exports the meta data.

  1. Create an Amazon Connect Application within your SAML 2.0 IdP for the default relay enter: https://region-id.console.aws.amazon.com/connect/federate/instance-id

Replace region-id with the region of your Amazon Connect Instance, such as us-east-1 for US East (North Virginia).

  1. Export the metadata for the application

For more information on how to create an application and extract IdP metadata from your IdP, please consult the IdP’s documentation.

Step 2: Create an Identity Provider reference in IAM for the additional IdP

This step creates the identity provider configuration for your additional IdP within IAM.

  1. Open the IAM console .
  2. Under Access management, choose Identity providers.
  3. Choose Add provider.

Add provider

  1. Select SAML
  2. Provide a name for the Provider under Provider name. Example: Backup-IdentityCenter-SSO-Admin
  3. Upload the Metadata file you downloaded from the IAM Identity Center / your SSO application
  4. Choose Add provider
  5. Open the Identity Provider and note down the ARN

SSO Provider Name

Step 3: Edit existing IAM role for your primary IdP to add in the additional identity provider (edit trust relationship)

This step re-uses the existing role associated with the Amazon Connect user for the primary IdP, editing the trust relationship to reference the new identity provider.

  1. Navigate to IAM under your AWS account.
  2. Choose Roles.
  3. Select the existing IAM role being used for your primary IdP.
  4. Select Edit trust policy.
  5. Add the ARN for the identity provider for the additional IdP.
{   "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "arn:aws:iam::<AWS Account ID>:saml-provider/AWSIdentityCenter-SSO-Agent",
                    "arn:aws:iam::445149420241:saml-provider/Okta_Connect_Agent"
                ]
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Edit trust policy

  1. Make a note of the Role ARN, you can find this under IAM > Roles > search for and then Select your role

Role ARN

Step 4: Configure the SAML IdP application to utilize the amended role for Amazon Connect.

This step will vary depending on which SSO identity provider you are using, the following steps are for AWS Identity Center IdP. For further details on how to reference the IAM role within your chosen SSO IdP, see configure SSO for Amazon Connect.

  1. Login to IAM Identity Center as an Administrator.
  2. Under Application Assignments select Applications.

Configure SAML Application

  1. Select your Amazon Connect SSO application name
  2. Navigate to Actions
  3. Select Edit attribute mappings

Attribute Mapping

  1. Select Add new attribute mapping and set the following:
    • Add a user attribute of https://aws.amazon.com/SAML/Attributes/Role and map it to <IDENTITY CENTER ROLE ARN YOU COPIED EARLIER>,<AGENT IAM IDENTITY CENTER IDENTITY PROVIDER ARN YOU COPIED EARLIER>

    • Save your changes
    • Assign your user to the application

Step 5: Test SSO using both IdP applications with Amazon Connect.

  1. Login to your primary SSO IdP to launch Amazon Connect

Login to primary SSO Application

  1. Login to your additional SSO IdP to launch Amazon Connect

Login to additional SSO ApplicationLogin to additional SSO Application

Conclusion
In this post you learned how to enhance your Amazon Connect instance by adding an additional SAML 2.0 identity providers.
This means that in the event of any issues with your primary IdP, users can still easily login to your Amazon Connect instance using alternative identity providers, ensuring uninterrupted access and a seamless customer experience.

For more information about Amazon Connect, see the Amazon Connect documentation.

Author Bio

Mo Miah is a Solution Architect specializing in Amazon Connect. He has over 16 years experience working with contact center technologies. Based in London, United Kingdom, he enjoys helping customers achieve their business outcomes using the powerful AI/ML features of Amazon Connect. Outside of work Mo enjoys keeping active, and has two young daughters who keep him busy.
Sutapa Dasgupta is a Senior Consultant at AWS Professional Services specializing in Amazon Connect. She is experienced in the design and migration of large contact centers to the cloud and helping customers modernize their customer engagement workloads on cloud.