Optimize your Amazon Connect call audio path with Amazon AppStream 2.0

In this post, we will show you how to use Amazon AppStream 2.0 to provide a non-persistent, secure desktop streaming solution for your Amazon Connect agents, and optimize call audio direct to the agent’s local system.

Contact centers need the flexibility to enable agents, regardless of their physical location and endpoint, to access services securely. This presents a challenge to ensure outstanding audio quality for agents, while keeping customer data secure. Services like AppStream 2.0 are a great option for encapsulating data securely, allowing agents to bring their own device. Still, a remote desktop can increase real-time audio latency. To address this, you can separate the path taken by the agent’s call audio from their remote desktop’s streaming data.

Time to read	15 minutes
Time to complete	120 minutes
Cost to complete (estimated)	$10
Learning level	Advanced (300)
Services used	Amazon AppStream 2.0 Amazon Connect Amazon S3 AWS Single Sign-On

Prerequisites

AWS Single Sign-On (AWS SSO) configured with your corporate identity source.
Permission to create additional AWS SSO applications.
Permission to create and configure an Amazon Connect instance for SAML authentication with AWS SSO.
An already created Amazon AppStream 2.0 fleet and stack, with enabled federation with AWS SSO and Amazon AppStream 2.0.
Permission to create an S3 bucket with public objects.
An S3 bucket for code based on Amazon Connect API GitHub repository.
Permission to create an IAM identity provider, IAM roles, and IAM policies.
A VPC with private subnets and a NAT Gateway configured.

Walkthrough

Step 1: Create an Amazon Connect instance

First, create a new Amazon Connect instance. In this example, we will create an Amazon Connect instance with only basic functionality. You can learn more about configuring your Amazon Connect instance further by visiting the Admin guide.

Open the Amazon Connect console.
If this is your first time visiting the console, select Get Started. If this is not your first time, choose Add an Instance.
Select the SAML 2.0-based authentication. Enter a unique name for your instance, then select Next Step.
Add a new admin, then select Next Step.
Keep the default options for Telephony Options, then select Next Step.
Keep the default options for Data storage, and select Next Step.
Review your options, then select Create Instance.
Open the Amazon Connect console, and choose the hyperlink for your instance.
In the navigation pane, select Overview.
1. Note your Instance ID. Your Instance ID is the last part of the Instance ARN. It is the string after the final forward slash (/). For example, if your ARN is arn:aws:connect:region-code:account-id:instance/bae1b13e-6e52-4e0b-9e13-769c27XXXXX then your Instance ID is bae1b13e-6e52-4e0b-9e13-769c27XXXXX
Follow the steps to set up phone numbers for your contact center.
Add at least one test user to your instance by following these steps. Note: The Login name must match your AWS SSO identity source exactly.

Step 2: Create an AWS SSO custom SAML application

Open the AWS Single Sign-On console.
In the navigation pane, select Applications, then Add a new application.
Choose Add a Custom SAML 2.0 application.
1. Change the Display name to match your application.
2. (Optionally) Update the Description field.
3. In the AWS SSO metadata section, choose Download. You use this metadata file to create the IAM Identity Provider in a following step.
4. For Application properties, enter the Relay State.
  1. Update the Relay State with the following: https://[region-code].console.aws.amazon.com/connect/federate/[instance-id]?destination=%2Fconnect%2Fccp-v2
  2. Replace [region-code] with your Region code.
  3. Replace [instance-id] with your Instance ID from step 1:7.
5. For Application metadata, select If you don’t have a metadata file, you can manually type your metadata values. Update the fields with the following.
  1. Application ACS URL: https://signin.aws.amazon.com/saml
  2. Application SAML audience: urn:amazon:webservices
Select Save changes.

Step 3: Configure AWS Identity and Access Management

Open the IAM Console.
In the navigation pane, select Identity providers.
Select Add provider.
Keep SAML selected, and enter a Provider name. For example: connect-integration
Under Metadata document, select Choose file. Select the XML metadata file you downloaded in the previous section.
Select Add provider.
Take note of the IdP ARN.
Select Policies, then Create policy.
1. Select the JSON tab. Paste in the following code block. Be sure to replace the resource ARN with the Amazon Connect instance ARN from Step 1. Replace REGION-CODE and ACCOUNT-ID to match your Region code and account for the Amazon Connect instance you created. Select Next.

{
   "Version": "2012-10-17",
   "Statement": [
    {
    "Sid": "Statement1",
    "Effect": "Allow",
    "Action": "connect:GetFederationToken",
    "Resource": [
    "arn:aws:connect:REGION-CODE:ACCOUNT-ID:instance/bae1b13e-6e52-4e0b-9e13-769c27XXXXX/user/${aws:userid}"
    ]
    }
   ]
}

1. (Optional) Add tags.
2. On the tags tab, select Next.
3. Name the policy (for example: sso-split-ccp-for-euc), select Create policy.

Select Roles, choose Create role.
1. Select SAML 2.0 Federation, and choose the Identity Provider you created in the previous step.
2. Set attribute to SAML:aud and add https://signin.aws.amazon.com/saml in the Value field.
3. Select Next: Permissions.
4. Use the search bar to find the policy you created in step 13. Select it, and select Next.
5. (Optional) Add tags.
6. Select Next on the tags tab.
7. Name your role, then select Create. Once created, take note of the Role ARN.

Step 4: Configure the AWS SSO Application

Open the AWS SSO Console.
Select Applications, then choose your Connect application.
Select the Attribute mappings tab at the top of the page. Add the following three attributes:
1. User attribute: Subject maps to this string value: ${user:email} with Format: persistent
2. User attribute: https://aws.amazon.com/SAML/Attributes/RoleSessionName maps to this string value: ${user:email} with Format: unspecified
3. For this attribute, replace [Role ARN] with the Role ARN created in Step 3. Replace [IdP ARN] with the IdP ARN created in Step 3.
  1. User attribute: https://aws.amazon.com/SAML/Attributes/Role maps to this string value: [Role ARN],[IdP ARN] with Format: unspecified Note: The role ARN and IdP ARN are separated with a comma. For example: arn:aws:iam::account-id:role/RoleName,arn:aws:iam::account-id:saml-provider/IdPName
Select Save changes.
Assign Amazon Connect users, or groups of Amazon Connect users. Only assigned users can access the CCP.

Step 5: Set up your Amazon S3 bucket

Now we will create the contact control panels (CCPs). This allows you to build a separate experience for when Amazon Connect is accessed inside AppStream 2.0 and on the local system. In an AppStream 2.0 session, agents see the full CCP including data and call control. On their local endpoint, they only have audio input and output. Both CCPs consist of static webpages hosted in S3.

Open the S3 console.
Select Create Bucket, then provide a unique name.
Secure your bucket. Select the Permissions tab. Select the Edit button:
1. Uncheck Block all public access.
2. Uncheck Block public access to buckets and objects granted through new access control lists (ACLs).
3. Uncheck Block public access to buckets and objects granted through any access control lists (ACLs).
4. Select Save changes.

Step 6: Get the AWS SSO Application link

Get the direct link to your AWS SSO application.

Open the AWS Single Sign-On console.
Select Applications, then select the Amazon Connect application you created
Assign the custom Application to at least one test user.
In the navigation pane, select Dashboard. Note the User portal URL.
In a separate browser session, open the User portal URL, then login.
Choose the hyperlink for your Amazon Connect application, and copy the link address. Save this Amazon Connect URL for later.

Step 7: Build the base files for the two CCPs

Open your HTML editor of choice.
Copy and paste the following code into the editor.

<html>
    <head>
    <title>Custom CCP</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta content="utf-8" http-equiv="encoding">
    <script src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
    <script type="text/javascript" src="./connect-streams.js"></script>
    </head>

    <body>
    <style>
    #ccpContainer {
    width:265px;
    height:465px;
    overflow:hidden;
    float:left;
    margin-left:22px;
    padding:25px;
    }
    #section-main {
    padding:10px;
    width:960px;
    height:495px;
    margin-left:0px;
    float:left;
    overflow: hidden;
    }
    </style>

    <h1>Custom CCP</h1>
    <section id="ccpContainer">
    <script>
    //----------------init CCP-----------------------------
    var container = document.getElementById("ccpContainer");
    connect.core.initCCP(
    container, {
    ccpUrl: "https://CCP-NAME/connect/ccp-v2/",
    loginPopup: true,
    loginPopupAutoClose: true,
    loginUrl: "URL-Gathered-From-SSO-Dashboard",
    softphone: {
    allowFramedSoftphone: false,
    disableRingtone: false
    }
    }
    )
    //-----------------End init CCP-------------------------
    </script>
    </section>
    </body>
</html>

Replace “CCP-NAME” with the unique name you created for your Amazon Connect instance in Step 1.
For loginURL, use the URL for your Amazon Connect application you obtained in the previous Step 6.
Save two copies of the HTML file. One will be your Audio-Only CCP. One will be your CCP without audio. For example, create a file AudioOnly.html, and a file InSession.html.
In the HTML file for the Audio-Only CCP (AudioOnly.html) change allowFramedSoftphone (line 45) from false to true.
(Optional) Hide the controls in the audio only CCP (AudioOnly.html) by adding display: none; in both the #ccpContainer and #section-main sections.

Step 8: Generate the javascript for your custom CCPs

To generate the connect-streams.js file for your CCPs, clone the GitHub repository and build the file.

Open a local command console.
Clone the amazon-connect-streams GitHub repository, and build the file with the following commands:

git clone https://github.com/aws/amazon-connect-streams
cd amazon-connect-streams
make

Note: GitHub has detailed instructions for downloading streams.

Rename the generated connect-streams file to connect-streams.js.
Open the S3 console and upload all three files to the S3 bucket you created in step 5.
Select the files you uploaded, then choose Actions -> Make Public -> Confirm. (Note: This makes the files readable from the internet)
Select the Audio-Only HTML file. Take note of each file’s Object URL. This URL is your Bucket URL + the file name.
Select the InSession HTML file. Take note of each file’s Object URL. This URL is your Bucket URL + the file name.
Open the Amazon Connect Console, then select your Amazon Connect instance.
Select on Approved origins in the navigation pane, and then +Add origin.
Enter your Bucket URL in the textbox, then select Add.

Step 9: Test the configuration

With the CCP files uploaded to S3, test to make sure they are accessible, and the login process is working.

Note: You must allow pop-ups within your browser for the authentication request to populate.

Open your Object URLs from Step 8 for each of the two CCP HTML files, then log in.

Step 10: Create an Amazon AppStream 2.0 base image for your agents

Now that you have configured and tested your CCPs, you can configure your AppStream 2.0 streaming desktop. The desktop will contain a web browser to run the control (non-audio) CCP for agents. In this blog, you apply policy locally in the image. You can configure your AppStream 2.0 fleet to use instances joined to an Active Directory domain. With instance joined to the domain you can use Group Policies to apply the configuration. For more information, review using Active Directory with AppStream 2.0.

In this step, you will create an image builder with the necessary settings and software for your agents to access the CCP. This is the golden image for all Connect Fleet instances.

Open the Amazon AppStream 2.0 Console.
From the navigation pane, select Images.
Select the Image Builder tab.
Choose Launch Image Builder.
Select a base image and instance family. For example, the latest AppStream-Win-Server2019 public image for a General Purpose instance type. Then, select Next.
Provide a Name. (Optionally) provide a Display Name and Tags. Select the instance type configuration. For example, stream.standard.medium. Then, select Next.
Select the VPC, subnet, and Security Groups you want associated with your Image builder, then select Review.
Verify your settings, then select Launch.
Wait until the Image Builder is provisioned.
Connect to your Image Builder as an Administrator.

Amazon recommends using either the latest version link of Google Chrome or Mozilla Firefox. Use the following instructions that match your browser preference before capturing the image.

Google Chrome

From the Image Builder desktop, download the latest Google Chrome policy template.
Copy the chrome administrative template ADMX and language ADML files to C:\Windows\PolicyDefinitions and C:\Windows\PolicyDefinitions\en-US, respectively.
Select ‘Continue’ to permit the copy operation to continue.
Choose Start, select Run, and enter gpedit.msc then select OK.
In the Local Policy Editor configure the following:
1. Select Computer Configuration → Administrative Templates → Google→ Google Chrome → Set Google Chrome as Default Browser
  1. Select Disabled, then choose OK.
2. Select Computer Configuration → Administrative Templates → Google→ Google Chrome → Content Settings → Allow pop-ups on these sites
  1. Select Enabled, then choose Show…
  2. Enter the Object URL for the InSession.html page hosted within your S3 bucket.
  3. Choose OK to complete the change.
  4. Choose OK to save the policy.
3. Select Computer Configuration → Administrative Templates → Google→ Google Chrome → Content Settings → Allow cookies on these sites
  1. Select Enabled, and choose Show…
  2. Enter the domain portion for your Object URL for the InSession.html page hosted within your S3 bucket. For example, if your Object URL was https://connect-ccp-testing.s3.amazonaws.com/InSession.html enter https://connect-ccp-testing.s3.amazonaws.com into the group policy setting.
  3. Enter your Amazon Connect Access URL as a second entry on the policy.
  4. Select OK
  5. Select OK to save the policy.
4. Select Computer Configuration → Administrative Templates → Google→ Google Chrome → Content Settings → Allow JavaScript on these sites
  1. Select Enabled, then select Show…
  2. Enter the domain portion for your Object URL for the InSession.html page hosted within your S3 bucket. For example, if your Object URL was https://connect-ccp-testing.s3.amazonaws.com/InSession.html enter https://connect-ccp-testing.s3.amazonaws.com into the group policy setting.
  3. Enter your Amazon Connect Access URL as a second entry on the policy. For example, https://ccplab.my.connect.aws
  4. Select OK
  5. Choose OK to save the policy.
5. Select Computer Configuration → Administrative Templates → Google→ Google Chrome → Content Settings → Allow Notifications on these sites
  1. Select Enabled and select Show…
  2. Enter the Object URL for the InSession.html page hosted within your S3 bucket.
  3. Select OK, and OK to save the policy.

Mozilla Firefox

From the Image Builder desktop, download the latest Mozilla Firefox policy template.
Copy the Mozilla and Firefox administrative template ADMX and language ADML files from the Windows folder within downloaded .zip file to C:\Windows\PolicyDefinitions and C:\Windows\PolicyDefinitions\en-US, respectively.
Select ‘Continue’ to permit the copy operation to continue.
Right-select Start, select Run, and enter gpedit.msc then select OK.
In the Local Policy Editor configure the following:
1. Select Computer Configuration → Administrative Templates → Mozilla→ Firefox→ Don’t Check Default Browser
  1. Select Enabled and select OK.
2. Select Computer Configuration → Administrative Templates → Mozilla→ Firefox → Popups → Allowed Sites
  1. Select Enabled and select Show…
  2. Enter the Object URL for the InSession.html page hosted within your S3 bucket.
  3. Select OK and OK to save the policy.
3. Select Computer Configuration → Administrative Templates → Mozilla→ Firefox→ Cookies → Allowed Sites
  1. Select Enabled and select Show…
  2. Enter the domain portion for your Object URL for the InSession.html page hosted within your S3 bucket. For example, if your Object URL was https://connect-ccp-testing.s3.amazonaws.com/InSession.html enter https://connect-ccp-testing.s3.amazonaws.com into the group policy setting.
  3. Enter your Amazon Connect Access URL as a second entry on the policy.
  4. Select OK and OK to save the policy.

Complete and capture the image.

Once you have configured the policy for your chosen browser, create your image.

Install Google Chrome, or ensure that Mozilla Firefox in the image is up to date. To ensure an optimal experience for your users, AWS recommends the latest release of either browser.
Launch the Image Assistant.
Select Add App.
Browse to the executable for the browser. For example, c:\Program Files\Google\Chrome\Application\chrome.exe or c:\Program Files (x86)\Mozilla Firefox\firefox.exe.
Enter a name in the Name field – for example, AmazonConnect.
Enter a Display Name. for example, Amazon Connect
Add the InSession Object URL as the Launch Parameter. For example, https://<S3-bucket-url>/InSession.html
Select Save.
(Optional) Add additional applications required in your fleet
Complete the standard AppStream 2.0 image creation process.

Step 11: Deploy your image

Associate your created image with your fleet and test the experience.

Browse to the Amazon AppStream 2.0 Console.
In the navigation pane, select Fleets.
Choose the fleet to deploy the image to.
Select Actions, then select Edit
If the fleet is running, select Stop.
Select Actions, then select Edit
For the fleet Name, select the image you created in step 10
(Optional) Set the Stream View to Desktop to present a full desktop to the agent
Select Update Fleet.
With the fleet still selected, choose Actions and select Start.

Step 12: Test what you have built

With everything in place, you can test the workflow.

Open either Firefox or Chrome on your local system.
Enter your Audio Only CCP URL. This establishes the session with Amazon Connect to direct the audio channel to your local machine.
Open an additional tab in your browser. Enter the AppStream 2.0 application URL, and authenticate to the application using your AppStream 2.0 user.
Once connected to AppStream 2.0 streaming instance, log in to the Amazon Connect session that is launched in the streaming instance.
Set the agent to be Available.
Place a test call into the queue that agent is assigned to.
Accept to answer the call when the call come into the Amazon Connect browser within the AppStream 2.0 streaming session.
Confirm that you can hear and respond to the call.
If you close the local AudioOnly page, you cannot hear the caller, even though the call remains open. The Amazon Connect interface within the AppStream 2.0 streaming session does not change.

Conclusion

Remote desktops, like AppStream 2.0 desktop view, are a great option for encapsulating data, controls, policies, and network paths. They allow agents to bring their own device in a secure way. A remote desktop can increase real-time audio latency. To address this, administrators have the option to separate the path taken by the agent’s call audio from their remote desktop’s streaming data.

In this post, you configured Amazon Connect and Amazon AppStream 2.0 to provide a secure and optimized experience for your agents. In this model, agents can take advantage of the most direct audio path available while keeping customer data inside a secure, managed remote desktop.

Desktop and Application Streaming