Configuring Single Sign-On (SSO) for Amazon Connect Using Duo

Single Sign-On (SSO) has become an essential part of modern cloud security, allowing users to access multiple systems with a single set of credentials. For organizations using AWS Amazon Connect—a powerful, cloud-based contact center solution—setting up SSO ensures that agents, supervisors, and administrators can securely and seamlessly log into the system without managing multiple passwords. When paired with Duo, a trusted identity provider known for its multi-factor authentication (MFA) capabilities, you can take security to the next level, ensuring only authorized users access your Amazon Connect environment.

In this blog post, we’ll walk through the steps to configure AWS Amazon Connect with Duo as the identity provider for  SAML 2.0 SSO. By integrating these two systems, you'll improve both the user experience and security posture of your contact center.

Why Use Duo for SSO with Amazon Connect?

When it comes to securing cloud services like Amazon Connect, ensuring that users authenticate through a robust identity provider is crucial. Duo provides comprehensive identity management features, including user authentication and MFA, making it a great choice for organizations looking to balance convenience with security. With Duo, you can implement multi-factor authentication (MFA), adding another layer of protection beyond just username and password. This integration allows users to easily access Amazon Connect while keeping your data safe from unauthorized access.

What You'll Need to Get Started

Before diving into the setup process, there are a few things you'll need:

1. An AWS Account with Amazon Connect already configured.
2. Duo Account with access to Duo's Single Sign-On (SSO) feature.
3. Administrator Access to both AWS and Duo to configure settings and permissions.
4. Basic familiarity with AWS IAM roles and Identity Federation for configuring permissions.

    

In the following steps, we will guide you through configuring AWS Identity and Access Management (IAM), setting up Duo as the SAML identity provider, and testing your SSO setup to ensure that everything works smoothly.

Create the Amazon Connect Application in Duo¹

1. Log on to the Duo Admin Panel and navigate to Applications.
2. Click "Protect an Application" and locate the entry for Amazon Connect with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring.
3. Amazon Connect. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Amazon Connect page under Downloads later.
   Amazon Connect uses the Mail Attribute when authenticating. We've mapped the <Email Address> bridge attribute to Duo Single Sign-On supported authentication source attributes as follows:

If you are using a non-standard email attribute for your authentication source, check the Custom Attributes box and enter the name of the attribute you wish to use instead.

4.  You can adjust additional settings for your new SAML application at this time - like changing the application's name from the default value, enabling self-service, or assigning a group policy.

5. Under "Downloads" click Download XML. 

6. Keep the Duo Admin Panel tab open. You will come back to it later.

Configure Amazon Connect for SSO

Note: Identify management for Amazon Connect is chosen during the instance creation process and cannot be modified once the instance has been created. This means that the authentication method you select at the time of setup is fixed for the lifetime of the instance. For this blog post, we assume that SAML 2.0-based authentication was selected as the identity management option during the initial configuration.

If you did not choose SAML 2.0-based authentication during the instance creation, you will need to either recreate the instance or use the identity management method that was initially selected.

Collect Amazon Connect Details

To configure Duo SSO with Amazon Connect, you'll need two specific values related to your Amazon Connect instance: the Instance ID and the Region where it is located.

1. Accessing the Amazon Connect Instance:
   1. From the AWS Management Console, navigate to the Amazon Connect service.
   2. In the list of existing instances, select the one you want to configure for Duo SSO.
      

2. Retrieving the Instance ID and Region:

1. 1. On the instance's Account Overview page, located and copy the Instance ID. This value is the last segment of the Instance ARN.
   2. Additionally, from the ARN, extract the Region ID, which indicates the AWS region where your Amazon Connect instance resides (e.g., us-east-1).

These two values are crucial for completing the SSO configuration with Duo.

Create Identity Provider in AWS Console IAM

An Identity Provider (IdP) in AWS is a trusted external service that authenticates users and allows them to access AWS resources through federated access. Rather than managing individual user accounts directly within AWS. We will use Duo as an external IdP. Once a user is authenticated by the IdP, AWS uses the federation to assign roles and permissions, granting the user access to specific AWS services, like Amazon Connect.

1. In AWS Console go to the Identity and Access Management (IAM) 
2. Click "Access Management" and then click "Identity Providers"
3. On the following screen click on “Add Provider”

4. Adding the Provider

1. 1. Enter provider name in this case let's call it CHC_Duo make a note of the name you are using here. Or if you have the Duo Admin Panel page still open scroll down to "Provider Name" and enter the same value.
   2. Below "Metadata Document" press "Choose File" and upload xml file downloaded form Duo in Step 5 from the previous section.
   3. Press "Add Provider" button 

5. From the list of existing identity providers click on the newly created identity provider "CHC_Duo" in our case.

6. Make Notes

1. 1. Make a note of your AWS account number and the ARN value that is part of it. It is shown under the ARN on the identity provider details screen.
   2. Make a note of your SSO login page URL
      

Create the IAM Federation Policy

Federation policies define what resources the federated users can access and what actions they can perform once authenticated. The roles associated with federation policies allow for fine-grained control over permissions, ensuring that users from trusted external systems have appropriate access levels. We need to create a IAM policy that will be used for the federation between Duo and AWS.

The policy enables federation for all users in a specific Amazon Connect instance.

1. Go to the AWS  IAM Service console 
2. In the navigation pane, choose "Policies"
3. Choose "Create Policy"
4. Select the "JSON" tab
5. Paste the following policy into the editor, replacing the existing content:
6. JSON
   

7. Name your policy with a user-friendly name (and remember it!)

8. Optionally, provide a description for the policy

9. Choose "Create Policy"

Create the IAM Role

An IAM role is created to allow programmatic access to AWS resources.

1. Go to the AWS IAM Service console
2. In the navigation pane, choose "Roles"
3. Press "Create Role"
4. Next steps
   
   1. Select "SAML 2.0 Federation"
   2. Select "Allow Programmatic and AWS Management Console Access"
   3. From the list list "SAML 2.0-Based Provider" select your Duo provider
      

5. Press "Next"

6. In the Filter policies section type the "User-Friendly Name" you used for your Federation Policy that was created in the "Create the IAM Federation Policy" section

7. Provide a User-Friendly Name for your POLICY and make note of it (This policy name will be needed in the Duo Admin Panel - if you have that page still open, scroll down to "Amazon Connect Role" and enter the role name there.

Finish Duo Setup

Return to the Duo Admin Panel. In the Service Provider section, finish adding missing required information:

Service Provider

Account Number* - This is just the AWS Account Number (not the ARN)

Provider Name* - This is the name you assigned in AWS AIM when creating the Identity Provider. In our example, that value is CHC_Duo

Region ID* - Region ID where your Amazon Connect Instance is created.  For example, us-east-1

Instance ID* - This is the Amazon Connect Instance ID; the value for this was collected in the "Collect Amazon Connect Details" section (value of your connect instance id)

Destination - You can enter a specific URL if you want to redirect your users to a specific destination inside of Connect (see this link for details: https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html#destination-relay )

Role Attributes: Make sure that the "Amazon Connect Role" name entered matches the name of the role you created in the "Create the IAM Role" section (user-friendly name)

Select Duo groups that should have access to Amazon Connect.

Finish Amazon Connect Setup

The last part before accessing our Connect Instance using SSO is to create users inside Amazon Connect.

Ensure that the usernames in Amazon Connect exactly match those in your existing directory. If the names don't align, users will be able to log in to the identity provider, but they won't be able to access Amazon Connect since there won't be a corresponding user account. You can manually add users through the User Management. Duo uses Mail Attribute, when adding users to Connect their email address will be their username:

You are now ready to use the SSO link to log in to Amazon Connect with Duo!

Key Highlights and Takeaways

If you've already set this up but are facing issues, or if you're not following the directions exactly, we want to highlight a few things that are easy to miss in other guides and configuration samples.

Key Point 1: Role Name

In the Duo Admin Panel, under the "Role Attributes" section, the setting labeled "Amazon Connect Role" refers to the name of the IAM Role in AWS required for the SAML 2.0 Federation Integration. The label "Amazon Connect Role" is somewhat misleading, as there isn't actually a concept called "Amazon Connect Role"; it would be clearer if it were named "SAML 2.0 Federation IAM Role."

Key Point 2: Connect Users

On the Duo approval screen on mobile devices, only the username will likely be displayed. However, in most cases, the "Login" value in Amazon Connect needs to be the FULL email address.

References:

https://aws.amazon.com/blogs/contact-center/configure-single-sign-on-using-onelogin-for-amazon-connect/

 https://duo.com/docs/sso-amazon-connect 

https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html#destination-relay