Every customer has different needs, sometimes leading to unexplored paths in system integration.<\/p>\n\n\n\n
In this article, we’ll describe a cross-account federation between Amazon Connect, and Azure AD using AWS SSO.<\/p>\n\n\n\n
Scenario Overview<\/h2>\n\n\n\n
A customer wanted to configure an Amazon Connect instance federating their existing users on Office365 (using the underlying Azure Active Directory service) to keep centralized user management. Another requisite was to have a separate AWS account for the service, to let only some administrators manage services on the account.<\/p>\n\n\n\n
Amazon Connect can connect to Active Directory and use it for identity management, but you\u2019ll need to use AWS Directory Service. Sometimes it\u2019s better to leverage existing Identity providers. <\/p>\n\n\n\n
AWS SSO was our service of choice because of the flexibility it offers in configuring SAML applications and account access. As a bonus, we also were able to grant different access levels to multiple AWS accounts using single-sign-on.<\/p>\n\n\n\n
As you\u2019ll see in this article Amazon Connect doesn\u2019t have a native integration with AWS SSO, so we need to configure an application and use it as an identity provider in the destination account.<\/p>\n\n\n\n
In this article, we will: <\/p>\n\n\n\n
- Configure AWS SSO on the Organization master account to trust Azure Active Directory (used by Office365) to authenticate users<\/a><\/li>
- Configure an Amazon Connect instance with SAML authentication into a different account belonging to the AWS organization (internal-services)<\/a><\/li>
- Create and configure an AWS SSO SAML application for Amazon Connect<\/a><\/li>
- Configure an Identity Provider on the internal-services account to trust the SAML application for cross-account authentication<\/a><\/li>
- Add the required roles in the internal-service account to authenticate federated users<\/a><\/li>
- Test the configuration<\/a><\/li><\/ul>\n\n\n\n
AWS SSO Setup<\/h2>\n\n\n\n
Log into the Azure Active Directory admin center<\/a><\/p>\n\n\n\n
Select \u201cEnterprise Applications\u201d<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"Azure](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image14.jpg\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Select \u201cCreate your own application\u201d and give it a unique name<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"Azure](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image11-1.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
![\"create](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image21.jpg\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
After a little while the application will be ready, we need to set-up Single sign-on<\/strong>, click on the menu and then select \u201cSAML<\/strong>\u201d<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image6-1024x489.jpg\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image9-1-1024x306.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Click on the Download link for \u201cFederation Metadata XML<\/strong>\u201d and store the file in a secure place, don\u2019t share this file with anyone ! <\/p>\n\n\n\n
Assign users to the SSO application to enable them<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image12-1.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Log in into the AWS Organizations management<\/strong> account for and select \u201cAWS Single Sign On<\/strong>\u201d<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image19-1024x474.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
If you previously configured AWS SSO you can change your identity source or configure a new one on the \u201cSettings\u201d page.<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image3-1-1024x259.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image15-1-1024x930.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Select \u201cExternal identity provider<\/strong>\u201d, download the metadata file and, as previously, store it in a secure place. Upload the metadata file you downloaded from the Azure SAML application page
Go back to the Azure Active Directory Administration Console and click on \u201cupload metadata file<\/strong>\u201d<\/p>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image7-1.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Select the file downloaded from the AWS Console and proceed. <\/p>\n\n\n\n
We just exchanged the required configuration information to federate Azure Active Directory users with AWS SSO. <\/p>\n\n\n\n
Back on the Azure Console you can try the application, you should now be able to login with your current Azure Active Directory credentials.<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image17-1024x273.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
If you assign AWS accounts and different applications to your users you should be able to see them<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image10-1-1024x642.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
You can also enable auto-provisioning<\/strong> for users and enable selected groups to access your AWS accounts.<\/p>\n\n\n\n
Amazon Connect Setup<\/h2>\n\n\n\n
We\u2019ll use a different AWS account (internal-services<\/strong>) to configure Amazon Connect. With SSO and Organizations we can enable fine-grained access to different teams and isolate duties.<\/p>\n\n\n\n
On the internal-service account search for \u201cAmazon Connect\u201d and click on \u201cCreate new instance\u201d.<\/p>\n\n\n\n
Select \u201cSAML 2.0-based authentication<\/strong>\u201d for identity management and assign a name to your instance.<\/p>\n\n\n\n
Once you set an authentication mechanism in Amazon Connect you can\u2019t change it.<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image5-1-1024x733.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Continue with the configuration wizard steps with your preferences.<\/p>\n\n\n\n
In a matter of minutes, your amazon connect instance should be ready.<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image13-1-1024x124.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image18-1024x420.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Please note<\/strong>: since Connect doesn\u2019t support user auto-provisioning you\u2019ll need to create a user with the same username you defined in Azure Active Directory<\/p>\n\n\n\n
SSO Integration Setup<\/h2>\n\n\n\n
On the management account go back on the AWS SSO Console click on \u201cApplications\u201d and \u201cAdd a new Application\u201d, search for \u201cAmazon Connect<\/strong>\u201d<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image16-795x1024.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Give your application a name and, once again, download the metadata file.
On the internal-services<\/strong> account, go to IAM and go in the \u201cIdentity Providers<\/strong>\u201d section, click on \u201cAdd provider\u201d and upload the metadata file<\/p>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image23-935x1024.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Setup roles<\/h2>\n\n\n\n
Once the identity provider has been created we\u2019ll need to setup the necessary roles and policies to let SSO users access the service
On the internal-services account go to IAM -> Roles and create a new Role. Select \u201cSAML 2.0 federation<\/strong>\u201d for the type of trusted identity and choose the identity provider you have just created.<\/p>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image22-1024x618.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Create a new policy to let the role get a \u201cFederation Token\u201d from the Amazon Connect instance, use this json template:<\/p>\n\n\n\n
{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n \t{\n \t\"Sid\": \"Statement1\",\n \t\"Effect\": \"Allow\",\n \t\"Action\": \"connect:GetFederationToken\",\n \t\"Resource\": [\n \t\"arn:aws:connect:region:Account-id:instance\/amazonconnectintanceid\/user\/${aws:userid}\"\n \t]\n \t}\n\t]\n}\n<\/code><\/pre>\n\n\n\nYou can find the instance id by clicking on the connect instance and copying the last part of the \u201cInstance ARN\u201d <\/strong>field, use the internal-services accountid and the connect region for the remaining fields:<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image1-1-1024x197.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Once the appropriate role and policy have been created we can go back to the AWS SSO Console on the management account to modify the Connect application to finish the configuration.<\/p>\n\n\n\n
Edit the configuration, leave the \u201cApplication start UR<\/strong>L\u201d field blank, for \u201cRelay state\u201d<\/strong> use:
https:\/\/region<\/strong>.console.aws.amazon.com\/connect\/federate\/amazonconnectid<\/strong><\/a><\/p>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image20-905x1024.png\")
<\/figure><\/div>\n\n\n\n<\/p>\n\n\n\n
Go to \u201cAttribute Mappings<\/strong>\u201d and add a new mapping:<\/p>\n\n\n\n
- Configure an Amazon Connect instance with SAML authentication into a different account belonging to the AWS organization (internal-services)<\/a><\/li>
![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image2-1-1024x660.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image4-1-1024x541.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2021\/11\/image8-1-1024x162.png\")
<\/figure><\/div>\n\n\n\n