How do I set up SAML 2.0-based authentication for my Amazon Connect instance using AWS SSO?

Last updated: 2021-08-05

I want to set up SAML 2.0-based authentication for my Amazon Connect instance using AWS Single Sign-On (AWS SSO). How do I do that?

Short description

To set up SAML 2.0-based authentication for your Amazon Connect instance, do the following:

  • Create an Amazon Connect instance that uses SAML 2.0-based authentication.
  • Create an AWS SSO cloud application to connect to your Amazon Connect instance.
  • Create an IAM IdP.
  • Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action.
  • Create an IAM role that grants federated users access to your Amazon Connect instance.
  • Map your Amazon Connect instance's user attributes to AWS SSO attributes.
  • Create users in AWS SSO and assign them to your AWS SSO cloud application.
  • Test your setup by logging in to Amazon Connect using your IdP and one of the AWS SSO users that you created.

Important: Make sure that you follow these steps in the same AWS Region that your Amazon Connect instance is in.

Resolution

Create an Amazon Connect instance that uses SAML 2.0-based authentication

Follow the instructions in Create an Amazon Connect instance. When you configure the instance, make sure that you do the following:

  • Under Identity management, choose SAML 2.0-based authentication.

Create an AWS SSO cloud application to connect to your Amazon Connect instance

Follow the instructions in Add and configure a cloud application in the AWS SSO user guide. When you configure your cloud application, make sure that you do the following:

  • Choose Amazon Connect as the cloud application's service provider.
  • Under AWS SSO metadata, download the AWS SSO SAML metadata file and the AWS SSO Certificate.
    Note: You need these files to set up an IAM IdP. If you use an IdP other than AWS SSO, you must get the SAML metadata files from that IdP.
  • Under Application properties, accept the default Relay state.

Create an IAM IdP

Follow the instructions in Creating and managing an IAM identity provider (console). When you create the IdP, make sure that you do the following:

  • For Provider name, enter ConnectSSO.
  • For Metadata document, choose the AWS SSO SAML metadata file that you downloaded in the previous step.

Important: Make a note of the IdP's Amazon Resource Name (ARN). You need it to map your Amazon Connect instance's user attributes to AWS SSO attributes.

Create an IAM policy for your Amazon Connect instance that allows the GetFederationToken action

Use the following JSON template to create an IAM policy named Connect-SSO-Policy.

Important: Replace <connect instance ARN> with your Amazon Connect instance's ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [
                "<connect instance ARN>/user/${aws:userid}"
            ]
        }
    ]
}

For more information, see Creating IAM policies and GetFederationToken.

Create an IAM role that grants federated users access to your Amazon Connect instance

Follow the instructions in Creating a role for SAML in the AWS IAM user guide. When you create the IAM role, make sure that you do the following:

  • For SAML provider, choose the IAM IdP that you created earlier (ConnectSSO).
  • Choose Allow programmatic and AWS Management Console access.
  • For Policy, choose the Connect-SSO-Policy that you created in the previous step.
  • For Role name, enter Connect-SSO.

Important: Make note of the IAM role's ARN. You need it to map your Amazon Connect instance's user attributes to AWS SSO attributes.

Map your Amazon Connect instance's user attributes to AWS SSO attributes

Follow the instructions in Map attributes in your application to AWS SSO attributes. When you map your attributes, make sure that you add the following attributes and values:

Important: Replace <IAM role ARN> with your IAM role's ARN. Replace <IAM IdP ARN> with your IAM IdP's ARN.

Attribute                                               Value
Subject                                                 ${user:email}
https://aws.amazon.com/SAML/Attributes/RoleSessionName  ${user:email}
https://aws.amazon.com/SAML/Attributes/Role             <IAM role ARN>,<IAM IdP ARN>

For more information, see Attribute mappings.
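The policy, role and attribute-mapping steps each carry an ARN that has to agree with the others, and a typo in any of them only shows up as a failed sign-in. The following added example (not from the article and not AWS code) builds the two policy documents and cross-checks them against the Role attribute value; the SAML audience condition in the trust policy is an assumption about what the "Creating a role for SAML" wizard generates, and all ARNs in the comments are constructed samples.

```python
import re

# Matches an AWS ARN and exposes the parts the checks below need.
ARN_RE = re.compile(r"^arn:aws:(?P<service>[a-z0-9-]+):[a-z0-9-]*:(?P<account>\d{12}):(?P<resource>.+)$")

def connect_sso_policy(instance_arn: str) -> dict:
    """Build Connect-SSO-Policy as in the article: GetFederationToken only on the caller's own user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Action": "connect:GetFederationToken",
        "Resource": [f"{instance_arn}/user/${{aws:userid}}"]}]}

def saml_trust_policy(idp_arn: str) -> dict:
    """Trust policy of a SAML role (assumption: the standard AWS sign-in SAML audience)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": idp_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_mapping(role_attr: str, policy: dict, trust: dict, instance_arn: str) -> list:
    """Cross-check the Role attribute value ("<role ARN>,<IdP ARN>") against the role's
    trust policy and its permission policy. Returns findings; an empty list means they agree."""
    findings = []
    parts = [p.strip() for p in role_attr.split(",")]
    if len(parts) != 2:
        return ["Role attribute must be '<IAM role ARN>,<IAM IdP ARN>'"]
    role_arn, idp_arn = parts
    m_role, m_idp = ARN_RE.match(role_arn), ARN_RE.match(idp_arn)
    if not (m_role and m_role["service"] == "iam" and m_role["resource"].startswith("role/")):
        findings.append(f"not an IAM role ARN: {role_arn}")
    if not (m_idp and m_idp["service"] == "iam" and m_idp["resource"].startswith("saml-provider/")):
        findings.append(f"not an IAM SAML provider ARN: {idp_arn}")
    if m_role and m_idp and m_role["account"] != m_idp["account"]:
        findings.append("role and IdP belong to different AWS accounts")
    # The IdP named in the mapping must be the one the role trusts, or AssumeRoleWithSAML fails.
    federated = trust["Statement"][0].get("Principal", {}).get("Federated")
    if federated != idp_arn:
        findings.append(f"trust policy federates {federated!r}, mapping names {idp_arn!r}")
    # GetFederationToken must stay scoped to this instance and to ${aws:userid}, never "*".
    expected = f"{instance_arn}/user/${{aws:userid}}"
    for stmt in policy["Statement"]:
        if "connect:GetFederationToken" in _as_list(stmt.get("Action", [])):
            for res in _as_list(stmt.get("Resource", [])):
                if res != expected:
                    findings.append(f"GetFederationToken resource is not scoped to the caller: {res}")
    return findings
```

Run check_mapping with the value you paste into the Role attribute, the trust policy shown on the role's Trust relationships tab, and Connect-SSO-Policy; any finding points at the artifact to correct before testing sign-in.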

Create users in AWS SSO and assign them to your AWS SSO cloud application

Follow the instructions in Manage identities in AWS SSO.

Test your setup by logging in to Amazon Connect using your IdP and one of the AWS SSO user credentials that you created

Follow the instructions in How to sign in to the user portal in the AWS SSO user guide.