Tags: amazon-web-services, saml-2.0, amazon-connect

How do I configure multiple AWS Connect instances from different accounts with AWS Single Sign On in a top level account?


I am setting up our telephony system in AWS and we're utilizing AWS Single Sign On for our primary SAML authentication. This has worked fine for normal cli and console access but has kind of been a struggle for implementing Amazon Connect through the SSO Cloud Applications configuration.

Background

I have done a proof of concept with a single Amazon Connect instance and was able to federate login with a number of different permission sets to simulate admin, developer, and user access for the single instance. This worked fine until I started adding additional instances; now each time any user permission set tries to log in to Amazon Connect they get "Session Expired" on the Connect screen.

Our setup is as follows:

  • Root account contains AWS SSO Directory
    • Dev Account has 1 Connect instance in the east
    • QA Account has 2 Connect instances total in east and west
    • Prod account has 2 Connect instances total in east and west

A lot of the documentation I've been reading seems to assume the Amazon Connect instances are in the same account as the AWS SSO service. Additionally, the documentation mentions creating additional IAM Identity Providers for each Amazon Connect instance's SAML metadata file, and an associated role that allows the SSO user to access that instance. I see where this would work in a single account, but I don't understand how to adopt the access role and implement it as a permissions policy in AWS SSO for the user group that's logging into the instance.

I've configured everything as close as possible to the Amazon Connect SAML Setup Guide, and I'm working on troubleshooting the permissions policy stuff to configure access, I'm just at a loss.

If anyone has previous AWS SSO experience, or has done something similar with Amazon Connect, that would be greatly appreciated. I just want to be able to validate whether this is feasible in the current iteration of AWS SSO (granted, it's a newer service), or whether we need to architect and integrate a 3rd-party SSO for Amazon Connect.

Thanks!


Solution

  • We recently had this kind of setup and requirements and are still in the testing phase, but so far it is working as expected.

    In the Amazon Connect SAML Guide that you linked, there's a piece of information missing regarding the Attribute Mapping (Step 10).

    Change From:

    To This:

    Sample Value:

    arn:aws:iam::123456301789:saml-provider/AWSSSO_DevelopmentConnect,arn:aws:iam::123456301789:role/AmazonConnect_Development_Role
    

    The Setup:

    • Root AWS

      • Configured with AWS SSO
      • In AWS SSO page, you can have 1 or more Amazon Connect Applications here
        • AmazonConnect-Development
        • AmazonConnect-QAEast
        • AmazonConnect-QAWest
    • Dev AWS:

      • You have setup Amazon Connect
      • AmazonConnect-Development as the Instance Name (Record the ARN)
      • Create a new Identity Provider (for ex: AWSSSO_DevelopmentConnect)
      • Create a Policy (to be attached in the Role)
      • Create a Role (for ex: AmazonConnect_Development_Role)
      • See more here for the content of Policy
      • In Root AWS, configure your AmazonConnect-Development application to have the Attribute Mapping pattern same with my above example value.
      • You also specify the Relay State URL if you want the users to be redirected to a specific Amazon Connect application.
    • xxx AWS:

      • Same steps will be applied as the above

    Key Points:

    • For each AWS Account:
      • You will need to Create Identity Provider, name it with a pattern
      • Create a Policy to be attached in the Role
      • Create a Role and Choose SAML 2.0 Federation
      • Checked: Allow programmatic and AWS Management Console access
      • Link the Identity Provider with the Role
    • For the Applications that you configure in the AWS SSO page, make sure the additional Attribute Mappings have the correct value
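The per-account pieces the answer lists (identity provider, role trusted for SAML 2.0 federation, policy attached to the role, and the provider-ARN,role-ARN value pasted into the AWS SSO attribute mapping), written out as an added example that is not part of the original question or answer. It assumes the mapping in question is the standard `https://aws.amazon.com/SAML/Attributes/Role` attribute used by AWS SAML federation, takes the `connect:GetFederationToken` policy shape and the relay-state URL pattern from the Amazon Connect SAML setup guide, and uses a made-up Connect instance ARN. The validator at the end checks the one thing that is easy to get wrong when the instances live in other accounts: both ARNs in the mapping value must belong to the account that owns the instance.

```python
"""Per-account IAM pieces for federating one Amazon Connect instance through AWS SSO.

Constructed example: the instance ARN below is made up; replace it with your own.
"""
import json
import re
from dataclasses import dataclass

# Attribute name AWS expects in a SAML assertion for IAM role federation
# (assumed to be the attribute the answer's Step 10 mapping refers to).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

_CONNECT_ARN = re.compile(
    r"^arn:aws:connect:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":instance/(?P<instance>[0-9a-f-]{36})$"
)
_IAM_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):(?P<kind>saml-provider|role)/(?P<name>[\w+=,.@-]+)$"
)


@dataclass(frozen=True)
class ConnectFederation:
    """One Connect instance plus the SAML IdP and role created beside it in the same account."""

    instance_arn: str
    idp_name: str   # IAM identity provider name, e.g. AWSSSO_DevelopmentConnect
    role_name: str  # SAML 2.0 federation role name, e.g. AmazonConnect_Development_Role

    def __post_init__(self) -> None:
        if not _CONNECT_ARN.match(self.instance_arn):
            raise ValueError(f"not an Amazon Connect instance ARN: {self.instance_arn}")

    @property
    def _parts(self) -> dict:
        return _CONNECT_ARN.match(self.instance_arn).groupdict()

    @property
    def saml_provider_arn(self) -> str:
        return f"arn:aws:iam::{self._parts['account']}:saml-provider/{self.idp_name}"

    @property
    def role_arn(self) -> str:
        return f"arn:aws:iam::{self._parts['account']}:role/{self.role_name}"

    def trust_policy(self) -> dict:
        """Trust policy the console writes for 'SAML 2.0 federation' with console access."""
        return {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": self.saml_provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }],
        }

    def permission_policy(self) -> dict:
        """Policy attached to the role: lets the federated user get a token for this instance only."""
        return {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": "connect:GetFederationToken",
                # ${aws:userid} is an IAM policy variable, not a Python substitution.
                "Resource": f"{self.instance_arn}/user/${{aws:userid}}",
            }],
        }

    def sso_role_attribute(self) -> str:
        """Value for the Role attribute mapping of this instance's application in AWS SSO."""
        return f"{self.saml_provider_arn},{self.role_arn}"

    def relay_state_url(self) -> str:
        """Relay state that lands the user on this instance (pattern from the Connect SAML guide;
        confirm it for your region)."""
        return (f"https://{self._parts['region']}.console.aws.amazon.com"
                f"/connect/federate/{self._parts['instance']}")


def validate_role_attribute(value: str, instance_arn: str) -> list:
    """Return the problems found in a Role attribute value for the given instance.

    An empty list means the value is one saml-provider ARN and one role ARN, both in the
    account that owns the instance. A provider or role from another account (for example
    the root account that hosts AWS SSO) cannot be assumed against this instance.
    """
    problems = []
    inst = _CONNECT_ARN.match(instance_arn)
    if inst is None:
        return ["instance ARN is malformed"]
    # Provider names cannot contain commas but role names can, so split on the first comma only.
    parts = value.split(",", 1)
    if len(parts) != 2:
        return ["value must be '<saml-provider ARN>,<role ARN>'"]
    provider, role = (_IAM_ARN.match(p.strip()) for p in parts)
    if provider is None or provider["kind"] != "saml-provider":
        problems.append("first element is not a saml-provider ARN")
    if role is None or role["kind"] != "role":
        problems.append("second element is not a role ARN")
    for label, match in (("saml-provider", provider), ("role", role)):
        if match is not None and match["account"] != inst["account"]:
            problems.append(
                f"{label} is in account {match['account']} but the instance is in {inst['account']}"
            )
    return problems


if __name__ == "__main__":
    dev = ConnectFederation(
        "arn:aws:connect:us-east-1:123456301789:instance/0d0d0d0d-1111-2222-3333-444444444444",
        idp_name="AWSSSO_DevelopmentConnect",
        role_name="AmazonConnect_Development_Role",
    )
    print(ROLE_ATTR, "=", dev.sso_role_attribute())
    print("Relay state:", dev.relay_state_url())
    print(json.dumps(dev.trust_policy(), indent=2))
    print(json.dumps(dev.permission_policy(), indent=2))
    print("Problems:", validate_role_attribute(dev.sso_role_attribute(), dev.instance_arn))
```

Run one `ConnectFederation` per instance (Dev east, QA east, QA west, and so on) and paste each `sso_role_attribute()` into the matching application in the AWS SSO console; the policy and trust policy go into the account that owns that instance, never into the root account. The permission policy deliberately scopes `connect:GetFederationToken` to a single instance, so a user group mapped to one application cannot be federated into another.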