Verified AI summary
Use Cognito UserPools for agent sign-in if you're not using SSO. Log into your AWS account, access the Cognito service, and create users in the UserPool. Ensure email addresses match Amazon Connect usernames. Set Cognito as the identity provider in the Hosted UI settings. This configuration allows agents to sign in using the manually created users in the UserPool.
Users in Amazon Connect are the agents and supervisors who manage your contact center. You can add users manually or by importing them in a CSV file. Each user has attributes that determine their roles and capabilities. The high-level requirements for configuring SSO are summarized below and can be used as guidance when configuring any SAML provider that has not yet been documented.
- No agent data is stored in the Zendesk environment. All agent data is stored in Amazon Cognito in the client's own AWS account.
- Amazon Cognito caters for user pools where users can manually be created.
- Amazon Cognito caters for SAML federation, which enables SSO, with most SAML providers.
- A SAML application (and an associated XML configuration file) is required.
Understanding required SAML application settings
Your SAML application must have the following settings:
| Attribute | Value |
| ACS URL | https://${yourDomainPrefix}.auth.${region}.amazoncognito.com/saml2/idpresponse |
| Application SAML audience | urn:amazon:cognito:sp:${yourUserPoolID} |
| Application start URL (optional) | Contact Center login URL |
The SAML application must have the following two SAML attributes:
| SAML Attribute | Maps to this string value or user attribute | Format |
| Subject | ${user:email} | Persistent |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | ${user:email} |
Configure the identity provider in Cognito with the following attributes:
| User pool attribute | SAML Attribute |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
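The following added example (not part of the original article or of the Contact Center product) checks a decoded SAML response from a test sign-in against the settings in the tables above: the ACS URL as Recipient, the audience URN, a Persistent Subject, and the emailaddress attribute. The function names, the domain prefix `cc-demo`, the pool ID `us-east-1_EXAMPLE` and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

A = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a decoded, unsigned SAML response trimmed to the checked fields.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"><a:Assertion>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">agent@example.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData
 Recipient="https://cc-demo.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/></a:SubjectConfirmation></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<a:AttributeValue>agent@example.com</a:AttributeValue></a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""


def expected_settings(domain_prefix, region, user_pool_id):
    """Fill in the ACS URL and audience templates from the settings table."""
    acs = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    return acs, f"urn:amazon:cognito:sp:{user_pool_id}"


def check_response(xml_text, domain_prefix, region, user_pool_id):
    """Return a list of mismatches; an empty list means the settings line up."""
    acs, audience = expected_settings(domain_prefix, region, user_pool_id)
    # Configuration check on your own IdP's test output; no signature validation here.
    root = ET.fromstring(xml_text)
    problems = []
    recipients = [e.get("Recipient") for e in root.iter(f"{{{A}}}SubjectConfirmationData")]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} is not the ACS URL {acs}")
    audiences = [(e.text or "").strip() for e in root.iter(f"{{{A}}}Audience")]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience}")
    name_id = next(root.iter(f"{{{A}}}NameID"), None)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("Subject NameID is missing or not in Persistent format")
    emails = [(v.text or "").strip() for attr in root.iter(f"{{{A}}}Attribute")
              if attr.get("Name") == EMAIL_CLAIM
              for v in attr.iter(f"{{{A}}}AttributeValue")]
    if not emails:
        problems.append("emailaddress attribute is missing")
    elif name_id is not None and (name_id.text or "").strip() not in emails:
        problems.append("Subject and emailaddress attribute differ")
    return problems
```

An empty result for your own values means the IdP application is sending what the tables require; each string in a non-empty result names the setting to correct.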
Manually adding users using Cognito user pools (if you're not using SAML/SSO)
When the CloudFormation stack ran, it created an Amazon Cognito user pool for this Contact Center instance. The user pool is a directory of user accounts that can authenticate to Contact Center. It likely also created an app client in Cognito (which the Contact Center app uses to allow users to sign in), and an LMAdmin group for admin permissions. Next, you'll create at least one user in this user pool, so you can test signing in to Contact Center.
To manually add a user
- In the AWS console, open the Cognito service.
- Click the user pool you want to manage.

- On the Login pages tab of the app client settings, edit the Managed login pages configuration.
- Change the Identity Provider to be the Cognito user pool directory.
- In the Cognito user pool console, find the section for Users and click Create user (or Add user).
- Enter the following details for the new user account:
  - Username: Choose a username (for example, the person’s email address or a simple name).
  - Temporary Password: Set an initial password for the user. (Cognito might require the user to reset the password on first sign in, but for internal testing you can set a simple password and, optionally, turn off the reset requirement).
  - Contact Info: Depending on settings, you might need to provide a valid email address and/or phone number for the user (these can be used for password recovery or multi-factor authentication).
  - Account Status: Make sure that Mark phone/email as verified is checked if you provided those and don’t want Cognito to expect a verification step. Also, check Temporary password so the user must change it on first sign in (for production users).
- Create the user: The new user will now appear in the user list for the pool.

This user represents an agent (or admin) who can log into the Contact Center web app.
Setting up users with SSO and SAML

Setting up SSO with other services
The following resources provide additional information about setting up SSO with various services: