Varun Sharma

Amazon Connect: How to set up a SAML-integrated Amazon Connect instance with a single app in Azure AD for all user personas

As most organizations transform their businesses through extensive cloud adoption and aim to become as cloud native as possible, it becomes imperative to also follow lean practices in configuration.

In the contact center segment there are several established players already in the market, but the feature-rich Amazon Connect and its attractive pricing make it a strong contender.
Customers have varied needs and limitations, yet still want the benefits of cloud telephony while maintaining the right security and governance model for such digital technologies.

In this article, I am going to share how you can integrate a fresh Amazon Connect instance with Azure AD as the external SAML identity provider (IDP).

What was needed?

  • A cloud-based telephony setup to offer a cutting-edge experience to clients.
  • Leaner user governance with the existing identity solution (no extra expense on a new technology stack).
  • A brief on the technical configuration for better upkeep and long-term management.

Technical Prerequisites

  1. An existing Azure AD tenant.
  2. The right access (Application Administrator) in Azure AD to register apps.
  3. Admin/full IAM access on the AWS account to configure IAM roles and the IDP.
  4. An Amazon Connect instance with SAML 2.0-based authentication.
  5. An Admin user account in Amazon Connect with attributes matching those in Azure AD.

Let’s get started

  1. Start with the initial configuration required on the Azure Active Directory side.
  • Log in to the Azure AD tenant as ‘Application Administrator’, navigate to Enterprise Applications on the left and search for the app named ‘AWS Single-Account Access’.

  • Click the app, give it a suitable name (this is the name that will appear on the https://myapp.microsoft.com portal for users) and click Create.

  • Once the app is created, on the Overview page select the second option, ‘Set up single sign on’.

  • Click on the SAML widget.

Note: The Amazon Connect instance you want to integrate with Azure AD must have a unique identifier URL in the app configuration. Each additional Connect instance should use another unique URL, like below:

https://signin.aws.amazon.com/saml#1
https://signin.aws.amazon.com/saml#2
...
https://signin.aws.amazon.com/saml#n

Note: This URL can be the same for all the Enterprise Apps you configure for the various Amazon Connect instances.

  • For ‘Sign on URL (Optional)’ — Leave this blank, as this configuration is for identity provider-initiated single sign-on.

  • For ‘Relay State (Optional)’ — This is **important** to configure: after authentication the user lands on this URL and can access Amazon Connect, provided an Admin has also mapped the right security profile to the user in the Connect CCP (details are covered later in this article).

The format to use in this field is below:

https://<regionid>.console.aws.amazon.com/connect/federate/<instanceid>?destination=%2Fconnect%2F

  • regionid is the AWS region where you have deployed your Connect instance.

  • instanceid is the ID of the Connect instance you are using. It is the part after the ‘/’ in the ARN of your Connect instance, e.g. arn:aws:connect:us-east-1:987123654:instance/aaaaaa-bbbb-cccc-dddd-12345678

  • For ‘Logout Url (Optional)’ — Leave this blank, as it is not mandatory in our case.

  • Then ‘Save’ the configuration.

  • Verify the configuration once.

  • On the ‘Set up Single Sign-On with SAML’ page, navigate to SAML Signing Certificate and download the Federation Metadata XML.

You will use this metadata file when creating the IDP in AWS IAM.

Prepare the ground at AWS end

  1. This section covers the creation of AWS IAM policies, a user, an IDP and a role.
  • Create the IAM policy that enables federation for all the users you provision from Azure AD to the specific Amazon Connect instance.
    Sample Policy (the Resource uses the sample instance ARN from above; replace it with your own Connect instance ARN, keeping the /user/${aws:userid} suffix so each user can only federate as themselves):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": "connect:GetFederationToken",
          "Resource": [
            "arn:aws:connect:us-east-1:987123654:instance/aaaaaa-bbbb-cccc-dddd-12345678/user/${aws:userid}"
          ]
        }
      ]
    }

  • Proceed with Review Policy, give the policy a custom name and click Create Policy.

  • Create another IAM policy that allows Azure Active Directory to read the IAM roles from the AWS account where your Connect instance is deployed.
    Sample Policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListRoles",
            "iam:ListAccountAliases"
          ],
          "Resource": "*"
        }
      ]
    }

  • Now, using the above two policies, create a programmatic AWS IAM user that lets Azure AD authenticate to the AWS account and access the defined resources on behalf of its users.

  • Attach the policies and click Create User.

  • Make sure you have downloaded the IAM user’s CLI credentials (access key and secret key).

  • Now we are set with the IAM user and policies. It’s time to create the IDP and IAM role.

  • Navigate to the Identity Providers page in the IAM console and create a new IDP: assign a name of your choice, upload the metadata file you downloaded from the Azure AD app, then choose Create.

  • Now we need to create an IAM role with trusted entity type ‘SAML 2.0 federation’, which will enable Azure AD users to access the Connect instance in this AWS account.

  • Click **Next** and select the policies you created earlier.

  • Provide a suitable name and description for the IAM role and click Create role. This role will be listed in Azure AD when enabling user provisioning in the upcoming steps.
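
To tie the AWS pieces together, here is an added Python example (not from the original article) that derives the instance ID from a Connect instance ARN, builds the Relay State URL in the format shown earlier, fills in the federation policy's Resource with the ${aws:userid} variable, and sanity-checks a Relay State before it is pasted into Azure AD. The ARN is the sample from above; the /connect/ccp-v2 destination path is an assumption, since the article truncates it.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample ARN taken from the article's example (not a real account).
SAMPLE_ARN = "arn:aws:connect:us-east-1:987123654:instance/aaaaaa-bbbb-cccc-dddd-12345678"

_ARN_RE = re.compile(
    r"^arn:aws:connect:(?P<region>[a-z0-9-]+):(?P<account>\d+):instance/(?P<id>[A-Za-z0-9-]+)$"
)


def parse_instance_arn(arn):
    """Split a Connect instance ARN into (region, account, instance_id); the ID is the part after 'instance/'."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Connect instance ARN: {arn!r}")
    return m.group("region"), m.group("account"), m.group("id")


def relay_state_url(arn, destination="/connect/ccp-v2"):
    """Build the Azure AD Relay State in the article's format. The default destination (the CCP
    path) is an assumption, as the article truncates it; quote(safe="") encodes '/' as %2F."""
    region, _, instance_id = parse_instance_arn(arn)
    return (f"https://{region}.console.aws.amazon.com/connect/federate/"
            f"{instance_id}?destination={quote(destination, safe='')}")


def federation_policy(arn):
    """The article's federation policy with the Resource filled in: GetFederationToken is allowed
    only on the caller's own Connect user, thanks to the ${aws:userid} policy variable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [f"{arn}/user/${{aws:userid}}"],
        }],
    }


def check_relay_state(url):
    """Sanity-check a Relay State: https console host, /connect/federate/<id> path with a
    non-empty instance ID, and a destination under /connect/."""
    u = urlparse(url)
    parts = u.path.split("/")
    host_ok = u.scheme == "https" and u.netloc.endswith(".console.aws.amazon.com")
    path_ok = len(parts) == 4 and parts[1:3] == ["connect", "federate"] and parts[3] != ""
    dest = parse_qs(u.query).get("destination", [""])[0]
    return host_ok and path_ok and dest.startswith("/connect/")
```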

Completing Essential steps on the Azure side

  1. Now we need to complete the remaining configuration of the Enterprise App we created in Azure AD earlier.
  • Select the app you registered, go to Provisioning on the left and click Get Started.

  • It is better to choose Automatic provisioning mode, since it reduces the administrative effort. Select **Automatic** from the drop-down.

  • Once you select **Automatic** from the drop-down, it will ask for admin credentials. Use the Access Key and Secret Key you downloaded for the programmatic IAM user from the AWS console and enter them in **Clientsecret** and **Secret Token** respectively.

  • Click Test Connection; you should get a success message.

  • Now we need to define which users should be provisioned to Amazon Connect. As a best practice, use an Active Directory security group to manage such access.

  • Navigate to Users and Groups on the left and click Add user/group.

  • Select the security group containing the users who should gain access to Connect, select the role, then click Assign.

Now whoever is a member of the group added above will be able to access the Connect instance using the link highlighted in the Azure AD app, or users can log in to https://myapps.microsoft.com with their AD account and launch the published app from there (identity provider-initiated single sign-on).

Up to here, user authentication is handled by Azure AD, but we still need to complete the authorization piece, which is done at the AWS end. For that, we need to perform a few more steps and then we are all set. I learnt during my setup that these steps are very important.

Finishing the final configuration

  1. By default, Amazon Connect doesn’t list the users provisioned by Azure AD; you need to create the user accounts yourself. To authorize users under the various Connect security profiles, you need to assign each one a profile so they land on the respective CCP page with the right privileges.
  • Log in to the Amazon Connect instance as Admin; you can also gain Admin access via ‘Emergency Access’, though it is not recommended for general admin tasks.

  • Navigate to User management.

  • Then click Add new users and provide the First Name, Last Name and Login exactly as they appear in the user’s profile in Azure Active Directory. You may also upload a bulk user list to create multiple users at once by importing the template available on this page.

  • Scroll down the page to **Settings** and select the appropriate **Security Profile** to which the user should be mapped for correct authorization in the Connect CCP. Click Save to create the user. (Most important)

Once the above user setup is done, users can access their respective CCP page based on their security profiles.

Here, if you noticed, you need not provide any custom password for the users, for the obvious reason that they authenticate with their Azure AD credentials. Again, less user-management overhead for administrators. In a non-SAML-integrated Connect instance, user accounts remain within the Connect instance for both authentication and authorization on the Connect CCP.

Another important learning I want to share: we created only a single Enterprise App in the Azure AD tenant, and the same app can be used for all the users who want to access the CCP with various security profiles. The CCP Admin then assigns users to the respective security profile in the Connect CCP, and it works seamlessly. Otherwise, you would end up creating 4 different apps for the respective security profiles, which adds a heavy load in configuration, governance and management.

Conclusion

In this article, we learnt the following key things:

  1. Azure AD is used as the authentication mechanism, whereas authorization and the level of user access are defined and maintained at the Amazon Connect CCP layer.
  2. The same Azure AD Enterprise App can be used for all types of users for their respective CCP access.
  3. User management needs an extra step at the Connect CCP end to ensure the right authorization. This may be covered in a future release from AWS.

I know it is a lot of configuration, but believe me, it is worth doing it yourself; once you have done it a couple more times you can do it easily without any reference.

I hope this document helps with use cases similar to this one. Please feel free to comment below and share your queries and suggestions; I will certainly respond and will be mindful of them in my upcoming articles.