Okta

GUIDE

Deploying Engage

A Technical Guide to Configuring your Account for Amazon Connect.

Both Amazon Connect and Local Measure Engage can be configured for SSO with Okta as the SAML-based identity provider. Amazon Connect and Local Measure Engage each require their own SAML application; both are created and configured in the Okta portal.

For Amazon Connect, the Okta SAML application together with an AWS IAM SAML identity provider enables federation between Okta and AWS: users who sign in through Okta assume an IAM role in your account rather than holding IAM user credentials.


Configure SSO for Amazon Connect

The following AWS guide describes in detail how to configure Amazon Connect SSO with Okta as the identity provider:
https://catalog.workshops.aws/amazon-connect-sso/en-US/1-sso-amazonconnect-okta

It is recommended to use Service Control Policies (SCPs) to set guardrails on what IAM users and roles in the account can do to Amazon Connect resources. SCPs apply to member accounts of an AWS Organization and cap the permissions of every principal in the account (they grant nothing themselves), so a Deny in an SCP cannot be overridden by an IAM policy inside the account. This protects important resources and makes your system more secure.

[.callout-primary--book]Recommended reading: Security Best Practices for Amazon Connect [.callout-primary--book]

Below is an example SCP that denies deletion of the Amazon Connect instance and its associated role. Replace the placeholders marked with asterisks with your role name and instance ARN before attaching the policy:


<pre><code class="language-json">
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/***Amazon Connect user role***"
      ]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance"
      ],
      "Resource": [
        "***Amazon Connect instance ARN***"
      ]
    }
  ]
}
</code></pre>
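As an added example (not Local Measure's or AWS's code), the following Python script is an offline sanity check for an SCP of the shape shown above: it evaluates the Deny statements against the action/resource pairs you intend to block, and against a few you do not, using IAM-style wildcard matching. The instance ARN and role name are assumed values. The checker only understands Effect, Action and Resource (no Condition, NotAction or NotResource) and ignores the rest of the organization's policy chain, so treat it as a review aid, not an authority.

```python
"""Offline sanity check for the example SCP above.

Added example, not Local Measure or AWS code. Evaluates only Effect, Action
and Resource; Condition, NotAction and NotResource are rejected rather than
silently ignored. Real SCP evaluation also depends on the policies attached
higher in the organization, and SCPs never apply to the management account.
"""
import json
import re

# Assumed values: replace with your own Connect instance ARN and role name.
INSTANCE_ARN = "arn:aws:connect:us-east-1:111122223333:instance/0123abcd-example"
ROLE_NAME = "AmazonConnectEngageUserRole"

# Same shape as the SCP in the guide, with the placeholders filled in.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonConnectRoleDenyDeletion",
            "Effect": "Deny",
            "Action": ["iam:DeleteRole"],
            "Resource": [f"arn:aws:iam::*:role/{ROLE_NAME}"],
        },
        {
            "Sid": "AmazonConnectInstanceDenyDeletion",
            "Effect": "Deny",
            "Action": ["connect:DeleteInstance"],
            "Resource": [INSTANCE_ARN],
        },
    ],
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _pattern_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.

    Action names are matched case-insensitively; resource ARNs case-sensitively
    (a simplification: a few services treat parts of the ARN case-insensitively).
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def explicit_deny(policy, action, resource):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
            raise ValueError(f"statement {stmt.get('Sid')} uses an element this checker does not evaluate")
        action_hit = any(_pattern_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_pattern_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            return stmt.get("Sid")
    return None


def check_scp(policy, expectations):
    """expectations: (action, resource, should_be_denied) tuples. Returns the failing cases
    as (action, resource, actually_denied)."""
    failures = []
    for action, resource, should_deny in expectations:
        denied = explicit_deny(policy, action, resource) is not None
        if denied != should_deny:
            failures.append((action, resource, denied))
    return failures


if __name__ == "__main__":
    cases = [
        ("connect:DeleteInstance", INSTANCE_ARN, True),
        ("connect:DescribeInstance", INSTANCE_ARN, False),   # must stay allowed
        ("iam:DeleteRole", f"arn:aws:iam::999999999999:role/{ROLE_NAME}", True),  # '*' account
        ("iam:DeleteRole", "arn:aws:iam::111122223333:role/SomeOtherRole", False),
    ]
    print(json.dumps(SCP, indent=2))
    print("failures:", check_scp(SCP, cases) or "none")
```

When you run it against your own policy, keep two properties of SCPs in mind that the script cannot model: an SCP never affects the organization's management account, and it only restricts; every principal still needs an IAM policy that actually grants the Connect actions it uses.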

Configure SSO for Local Measure Engage

The following summarizes the high-level process which needs to be followed:

  1. Create a SAML application in Okta
  2. Configure SAML integration for your Okta application
  3. Assign users to your application
  4. Specify this identity provider to be used for agent authentication

The sections below describe each step in detail.

Step 1: Create a SAML application in Okta

Open the Okta Developer Console. In the navigation menu, expand Applications, choose Applications, and then choose 'Create App Integration'. In the Create a new app integration dialog, choose SAML 2.0 as the Sign-in method and choose Next.

Step 2: Configure SAML integration for your Okta application

On the Create SAML Integration page, under General Settings, enter a name for your app. Choose Next.

Fill in the following fields:

  • Single sign on URL: https://${yourDomainPrefix}.auth.${region}.amazoncognito.com/saml2/idpresponse
  • Audience URI (SP Entity ID): urn:amazon:cognito:sp:${yourUserPoolId}

[.callout-primary]Note: Replace ${yourDomainPrefix}, ${region} and ${yourUserPoolId} with the values for your user pool. The Single sign on URL is the user pool's SAML assertion consumer endpoint; if the user pool uses a custom domain instead of a Cognito prefix domain, the URL is https://${yourCustomDomain}/saml2/idpresponse. [.callout-primary]

Under ATTRIBUTE STATEMENTS (OPTIONAL), add a statement with the following information:

| SAML attribute Name | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.email |

For all other settings on the page, leave them as their default values or set them according to your preferences. Choose Next and Finish.

Step 3: Assign users to your application

On the Assignments tab for your Okta app, for Assign, choose Assign to People. Choose Assign next to the user that you want to assign. Choose Save and Go Back. Your user is now assigned. Select Done.

Step 4: Specify this identity provider to be used for agent authentication

On the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink. Right-click the hyperlink, and then copy the URL.

Log in to the AWS account that contains the Cognito user pool. Navigate to Amazon Cognito and open the user pool.

Select the 'Sign-in experience' tab and then click 'Add identity provider', as indicated in the image below:

[Image: the user pool's 'Sign-in experience' tab, showing the 'Add identity provider' button]

On the resulting page, select 'SAML'.

Under 'Set up SAML federation with this user pool':

  • Provider name - enter a name for this identity provider, without spaces. Note the name you choose: Local Measure will ask for it when completing your account setup.
  • Metadata document source - paste the Metadata URL copied from the Okta Sign On tab into the metadata endpoint URL field. Okta serves this document over HTTPS, and Cognito retrieves it from this URL when you save the provider.

Under 'Map attributes between your SAML provider and your user pool', set the following attribute:

| User pool attribute | SAML attribute |
|---|---|
| email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |

Click 'Add identity provider'. At this point the required identity provider has been created. The last step in the Cognito configuration is to specify that the App Client should use this identity provider. 

Select 'App integration' from the tabbed view, scroll to the bottom and click on the 'app-client' to open it.  Once the app-client has been opened, scroll down to the 'Hosted UI' section and click 'Edit' as illustrated below:

Under 'Hosted sign-up and sign-in pages' scroll down to the 'Identity providers' dropdown box. Click on this and select the identity provider that was configured in the previous step. Click 'Save changes'.
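As an added example that is not part of the original guide, the Python below combines two checks for Steps 2 and 4: it derives the Single sign on URL and Audience URI to paste into Okta from your Cognito domain prefix, region and user pool ID, and it parses the Okta identity provider metadata to confirm it contains what Cognito needs (an entityID, a signing certificate, and an HTTP-POST single sign-on endpoint served over HTTPS) before you point the user pool at it. The metadata document and the certificate bytes inside it are constructed stand-ins, as are the domain prefix, region and user pool ID in the usage call.

```python
"""Pre-flight checks for the Okta <-> Cognito SAML setup.

Added example, not Local Measure or AWS code. Runs offline on a constructed
metadata document; point parse_idp_metadata at your real Okta metadata to
check a live tenant.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Okta serves at its "Identity Provider metadata"
# link. The X509Certificate body is dummy bytes, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>ZHVtbXktY2VydGlmaWNhdGUtYnl0ZXM=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_app/exk0000000000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_app/exk0000000000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cognito_sp_settings(domain_prefix, region, user_pool_id):
    """The two values Step 2 asks you to enter in the Okta app.

    Assumes a Cognito prefix domain; with a custom domain the sso_url host
    is that domain instead.
    """
    return {
        "sso_url": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse",
        "audience": f"urn:amazon:cognito:sp:{user_pool_id}",
    }


def parse_idp_metadata(xml_text):
    """Extract what Cognito consumes from a SAML IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document root is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": fingerprints,
        "sso_post_url": endpoints.get(HTTP_POST),
        "bindings": sorted(endpoints),
    }


def check_idp_metadata(meta):
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    if not meta["signing_cert_sha256"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if not meta["sso_post_url"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    elif urlparse(meta["sso_post_url"]).scheme != "https":
        problems.append("single sign-on endpoint is not served over https")
    return problems


if __name__ == "__main__":
    # Assumed values; replace with your own user pool's domain prefix, region and ID.
    print(cognito_sp_settings("engage-example", "ap-southeast-2", "ap-southeast-2_ABCdef123"))
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta)
    print("problems:", check_idp_metadata(meta) or "none")
```

To check a real tenant, fetch the Identity Provider metadata URL from Step 4 and pass the response body to parse_idp_metadata; the certificate fingerprint it prints is a convenient value to record so that a later key rotation in Okta is noticed rather than silently breaking sign-in. The document comes from your own Okta org, but if you ever parse metadata from a less trusted source, use defusedxml in place of xml.etree, since the standard parser does not defend against entity-expansion tricks.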

Local Measure will require the name of the IDP (as configured under 'Sign-in experience') to complete the setup of your account. Please include this along with the CloudFormation outputs information shared with Local Measure.