Both Amazon Connect and contact center can be configured for single sign-on (SSO) with Okta as the SAML 2.0 identity provider. Amazon Connect and contact center each require their own SAML application in Okta to authenticate; you create both applications in the Okta Admin Console.
For Amazon Connect, the Okta SAML application together with an AWS Identity and Access Management (IAM) SAML identity provider enables federation between Okta and AWS IAM: a user authenticated by Okta assumes an IAM role instead of signing in with long-lived IAM user credentials.
This article contains the following topics:
- Configuring SSO for Amazon Connect
- Configuring SSO for contact center
Configuring SSO for Amazon Connect
This AWS guide describes how to configure Amazon Connect SSO with Okta as the identity provider.
We recommend using Service Control Policies (SCPs) as guardrails for Amazon Connect. An SCP does not grant permissions; it caps what any IAM user or role in a member account of your AWS Organization can do, including administrators, so it is the right place to protect resources that must never be deleted or altered, whatever permissions individual users and roles hold.
- Recommended reading: Security best practices for Amazon Connect
Below is an example SCP that denies deletion of the Amazon Connect instance and of its associated IAM role. Replace the two *** placeholders with the role name and the instance ARN for your deployment; because a Deny in an SCP applies to every principal in the member account, the deletion is blocked even for administrators:
<pre><code class="language-json">{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/***Amazon Connect user role***"
      ]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance"
      ],
      "Resource": [
        "***Amazon Connect instance ARN***"
      ]
    }
  ]
}</code></pre>
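To sanity-check the values you substitute for the placeholders before attaching the policy in AWS Organizations, here is an added Python example; it is not from the AWS guide or from Zendesk. It models only the Deny statements of an SCP with IAM-style wildcards (it is not the AWS policy engine and ignores conditions, NotAction and the rest of the evaluation logic). The instance ARN and role name are hypothetical stand-ins for the *** placeholders above.

```python
"""Model what the Amazon Connect guardrail SCP denies (added example).

Hypothetical values replace the *** placeholders from the article. The
evaluator covers only Effect: Deny with Action/Resource wildcards ('*' any
run of characters, '?' one character); actions are matched
case-insensitively as IAM does, resource ARNs case-sensitively.
"""
import fnmatch
import json

# Hypothetical stand-ins for the article's placeholders.
CONNECT_INSTANCE_ARN = (
    "arn:aws:connect:us-east-1:123456789012:instance/"
    "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
)
CONNECT_USER_ROLE_NAME = "AmazonConnectUserRole"


def build_guardrail_scp(instance_arn, role_name):
    """Return the article's SCP with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AmazonConnectRoleDenyDeletion",
                "Effect": "Deny",
                "Action": ["iam:DeleteRole"],
                # '*' in the account field: the role is protected in every
                # account the SCP is attached to, not just one.
                "Resource": [f"arn:aws:iam::*:role/{role_name}"],
            },
            {
                "Sid": "AmazonConnectInstanceDenyDeletion",
                "Effect": "Deny",
                "Action": ["connect:DeleteInstance"],
                "Resource": [instance_arn],
            },
        ],
    }


def _iam_match(pattern, value, case_sensitive):
    # fnmatch treats '[' as a character class; IAM does not, so escape it.
    pattern = pattern.replace("[", "[[]")
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def scp_denies(policy, action, resource):
    """Return the Sid of the first Deny statement covering action+resource, else None.

    A Deny in an SCP wins over any Allow inside the member account, so a
    non-None result means the call is blocked for every principal there,
    administrators included.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(_iam_match(a, action, False)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource, True)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            return stmt["Sid"]
    return None


GUARDRAIL_SCP = build_guardrail_scp(CONNECT_INSTANCE_ARN, CONNECT_USER_ROLE_NAME)

if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))
    checks = [
        ("connect:DeleteInstance", CONNECT_INSTANCE_ARN),
        ("connect:DescribeInstance", CONNECT_INSTANCE_ARN),
        ("iam:DeleteRole", "arn:aws:iam::210987654321:role/" + CONNECT_USER_ROLE_NAME),
        ("iam:DeleteRole", "arn:aws:iam::210987654321:role/SomeOtherRole"),
    ]
    for action, resource in checks:
        verdict = scp_denies(GUARDRAIL_SCP, action, resource) or "not denied"
        print(f"{action:26} {resource}: {verdict}")
```

Running it prints the filled-in policy and shows that only the two named operations on the two named resources are blocked: a second Amazon Connect instance, or iam:UpdateAssumeRolePolicy on the same role, is not covered and needs its own statement. Keep in mind that SCPs never grant permissions, do not apply to the Organization's management account, and do apply to the root user of member accounts.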
Configuring SSO for contact center
This section summarizes the high-level process for configuring SSO for contact center.
- Step 1: Create a SAML application in Okta
- Step 2: Configure SAML integration for your Okta application
- Step 3: Assign users to your application
- Step 4: Specify the identity provider to be used for agent authentication
The following steps guide you through the process.
Step 1: Create a SAML application in Okta
To federate Okta with the Amazon Cognito user pool that authenticates contact center agents, create a SAML application in Okta.
To create a SAML application
- Open the Okta Admin Console.
- In the navigation menu, expand Applications, and click Applications.
- Click Create app integration.
- In the Create a new app integration menu, choose SAML 2.0 as the sign-in method.
- Click Next.
Step 2: Configure SAML integration for your Okta application
In this step, you'll configure the SAML integration for your Okta application.
To configure SAML integration
- On the Create SAML integration page, under General settings, enter a name for your app, and then click Next.
- Fill in the following fields:
- Single sign-on URL: https://${yourDomainPrefix}.auth.${region}.amazoncognito.com/saml2/idpresponse
- Audience URI (SP Entity ID): urn:amazon:cognito:sp:${yourUserPoolId}
Replace ${yourDomainPrefix}, ${region} and ${yourUserPoolId} with the values for your user pool. If the user pool uses a custom domain instead of an Amazon Cognito domain prefix, the Single sign-on URL is https://<your custom domain>/saml2/idpresponse. Leave Use this for Recipient URL and Destination URL checked (the Okta default) so that the assertion's Destination matches the URL Cognito receives it on.
- Under ATTRIBUTE STATEMENTS (OPTIONAL), add a statement with the following information:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Value: user.email
- For all other settings on the page, leave the default values or set them according to your preferences. Click Next, then Finish.
Step 3: Assign users to your application
In this step, you'll assign users to the application you created in Step 1.
To assign users to your application
- On the Assignments tab for your Okta app, under Assign, choose Assign to People.
- Click Assign next to the user that you want to assign.
- Click Save and Go back.
- Your user is now assigned. Click Done. Only users assigned to the application can obtain an assertion for it, so treat the assignment list as the access control list for the contact center; assigning an Okta group rather than individual people keeps it reviewable.
Step 4: Specify the identity provider to be used for agent authentication
In this step, you'll add the identity provider that Cognito will use to authenticate your agents.
To specify the identity provider
- On the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink. Right-click the hyperlink and copy the URL.
- Sign in to the AWS account containing the Cognito user pool. Navigate to Cognito and open the user pool.
- Select the Sign-in experience tab, and then click Add identity provider.
- On the resulting page, select SAML.
- Under 'Set up SAML federation with this user pool':
- Provider name: Enter a name for the identity provider. We recommend not using spaces in the name.
- Metadata document source: Paste the metadata URL copied in the previous step into the metadata endpoint URL field. Cognito fetches the IdP's signing certificate from this HTTPS endpoint, which is how it later verifies the signature on the assertions Okta sends.
- Under Map attributes between your SAML provider and your user pool, set the following attribute:
User pool attribute: email
SAML attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Click Add identity provider. The required identity provider has now been created. The last step in the Cognito configuration is to specify that the app client must use this identity provider.
- Select App integration from the tabbed view, scroll to the bottom and click the app client to open it.
- Once the app client has been opened, scroll down to the Hosted UI section and click Edit.
- Under Hosted sign-up and sign-in pages, scroll down to the Identity providers dropdown and select the identity provider configured in the previous step. If agents must authenticate only through Okta, select only that provider: leaving Cognito user pool selected as well lets a user bypass Okta by signing in with a native user pool username and password.
- Click Save changes.
Zendesk will require the name of the IdP (as configured under Sign-in experience) to complete the setup of your account. Include this along with the CloudFormation outputs shared with Zendesk.
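The values entered in Step 2 and the attribute mapping in Step 4 have to agree with what Okta actually asserts, and a mismatch only shows up as a failed sign-in on the Cognito hosted UI. The following added Python example (not from the article or from Zendesk) builds the Single sign-on URL and Audience URI exactly as Step 2 specifies and checks a SAML Response against them: Destination, Audience and the emailaddress attribute that Cognito maps to email. The domain prefix, region, user pool ID, Okta issuer and the SAML Response itself are constructed, and signature verification is deliberately left out because Cognito performs it with the IdP metadata; this only catches configuration mismatches.

```python
"""Check an Okta SAML assertion against the Cognito SP settings (added example).

Builds the Single sign-on URL and Audience URI from Step 2, then parses a
SAML Response to confirm Destination, Audience and the email attribute from
Step 4 line up. No signature validation here: Cognito does that itself.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Hypothetical user pool values standing in for ${yourDomainPrefix},
# ${region} and ${yourUserPoolId}.
DOMAIN_PREFIX = "example-contact-center"
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_AbCdEfGhI"


def cognito_sp_settings(domain_prefix, region, user_pool_id, custom_domain=None):
    """Return the two values typed into the Okta SAML app in Step 2."""
    host = custom_domain or f"{domain_prefix}.auth.{region}.amazoncognito.com"
    return {
        "sso_url": f"https://{host}/saml2/idpresponse",
        "audience": f"urn:amazon:cognito:sp:{user_pool_id}",
    }


def check_saml_response(xml_text, settings):
    """Return a list of mismatches; an empty list means the assertion fits the SP config."""
    root = ET.fromstring(xml_text)
    problems = []
    destination = root.get("Destination")
    if destination != settings["sso_url"]:
        problems.append(f"Destination {destination!r} is not the SSO URL {settings['sso_url']!r}")
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not include {settings['audience']!r}")
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    if not attributes.get(EMAIL_CLAIM):
        problems.append(f"no {EMAIL_CLAIM} attribute; Cognito cannot populate 'email'")
    return problems


# Constructed, unsigned sample of what Okta posts to /saml2/idpresponse.
# The issuer is a placeholder, not a real Okta application ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example-contact-center.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject><saml:NameID>agent@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:us-east-1_AbCdEfGhI</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>agent@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    matching = cognito_sp_settings(DOMAIN_PREFIX, REGION, USER_POOL_ID)
    print("matching pool:", check_saml_response(SAMPLE_RESPONSE, matching) or "OK")
    wrong_pool = cognito_sp_settings(DOMAIN_PREFIX, REGION, "us-east-1_Other1234")
    print("wrong pool:", check_saml_response(SAMPLE_RESPONSE, wrong_pool))
```

The check with the matching pool returns no problems; pointing the same assertion at a different user pool ID reports an Audience mismatch, and passing a custom domain reports a Destination mismatch, which are the two errors most commonly made when the Okta app was created against a different user pool or before the domain was changed. To run it against a real response, base64-decode the SAMLResponse form field captured from the browser and pass the XML to check_saml_response.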