Single Sign-On (SSO) has become an essential part of modern cloud security, allowing users to access multiple systems with a single set of credentials. For organizations using AWS Amazon Connect—a powerful, cloud-based contact center solution—setting up SSO ensures that agents, supervisors, and administrators can securely and seamlessly log into the system without managing multiple passwords. When paired with Duo, a trusted identity provider known for its multi-factor authentication (MFA) capabilities, you can take security to the next level, ensuring only authorized users access your Amazon Connect environment.
In this blog post, we’ll walk through the steps to configure AWS Amazon Connect with Duo as the identity provider for SAML 2.0 SSO. By integrating these two systems, you'll improve both the user experience and security posture of your contact center.
When it comes to securing cloud services like Amazon Connect, ensuring that users authenticate through a robust identity provider is crucial. Duo provides comprehensive identity management features, including user authentication and multi-factor authentication (MFA), making it a good choice for organizations looking to balance convenience with security. MFA adds a layer of protection beyond just a username and password, so users can access Amazon Connect easily while your data stays protected from unauthorized access.
Before diving into the setup process, there are a few things you'll need:
In the following steps, we will guide you through configuring AWS Identity and Access Management (IAM), setting up Duo as the SAML identity provider, and testing your SSO setup to ensure that everything works smoothly.
If you are using a non-standard email attribute for your authentication source, check the Custom Attributes box and enter the name of the attribute you wish to use instead.
4. You can adjust additional settings for your new SAML application at this time - like changing the application's name from the default value, enabling self-service, or assigning a group policy.
5. Under "Downloads" click Download XML.
6. Keep the Duo Admin Panel tab open. You will come back to it later.
Note: Identity management for Amazon Connect is chosen during the instance creation process and cannot be modified once the instance has been created. This means that the authentication method you select at the time of setup is fixed for the lifetime of the instance. For this blog post, we assume that SAML 2.0-based authentication was selected as the identity management option during the initial configuration.
If you did not choose SAML 2.0-based authentication during the instance creation, you will need to either recreate the instance or use the identity management method that was initially selected.
Collect Amazon Connect Details
To configure Duo SSO with Amazon Connect, you'll need two specific values related to your Amazon Connect instance: the Instance ID and the Region where it is located.
2. Retrieving the Instance ID and Region:
These two values are crucial for completing the SSO configuration with Duo.
An Identity Provider (IdP) in AWS is a trusted external service that authenticates users and allows them to access AWS resources through federated access, rather than managing individual user accounts directly within AWS. We will use Duo as an external IdP. Once a user is authenticated by the IdP, AWS uses federation to assign roles and permissions, granting the user access to specific AWS services, like Amazon Connect.
4. Adding the Provider
5. From the list of existing identity providers, click the newly created identity provider ("CHC_Duo" in our case).
6. Make Notes
Federation policies define what resources the federated users can access and what actions they can perform once authenticated. The roles associated with federation policies allow for fine-grained control over permissions, ensuring that users from trusted external systems have appropriate access levels. We need to create an IAM policy that will be used for the federation between Duo and AWS.
The policy enables federation for all users in a specific Amazon Connect instance.
7. Name your policy with a user-friendly name (and remember it!)
8. Optionally, provide a description for the policy
9. Choose "Create Policy"
Create the IAM Role
An IAM role is created to allow access to AWS resources; federated Duo users assume this role after they authenticate.
5. Press "Next"
6. In the Filter policies section, type the user-friendly name you used for your Federation Policy in the "Create the IAM Federation Policy" section.
7. Provide a user-friendly name for your ROLE and make note of it (this role name will be needed in the Duo Admin Panel - if you still have that page open, scroll down to "Amazon Connect Role" and enter the role name there).
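The AWS-side steps above (Identity Provider, Federation Policy and IAM Role) as an added example done with the AWS CLI instead of the console; this is not code from the original post. The federation policy follows the shape given in the AWS SAML guide the post links, the provider name CHC_Duo is the one the post uses, and the role name, policy name, account number, Region and instance ID are assumed placeholders.

```shell
# Added example, not from the original post: the AWS-side objects from the Identity Provider,
# Federation Policy and IAM Role sections, created with the AWS CLI instead of the console.
# Account number, Region and instance ID are placeholders to replace with your own values.
set -eu
PROVIDER_NAME="CHC_Duo"                   # IAM identity provider name used in the post
ROLE_NAME="CHC_Duo_Connect_Role"          # assumed name; must match "Amazon Connect Role" in Duo
POLICY_NAME="CHC_Duo_Connect_Federation"  # assumed name for the federation policy
REGION="us-east-1"                        # placeholder Region ID
ACCOUNT_ID="123456789012"                 # placeholder AWS account number (not an ARN)
INSTANCE_ID="00000000-0000-0000-0000-000000000000"  # placeholder Connect instance ID
METADATA_XML="duo-metadata.xml"           # the XML downloaded from the Duo Admin Panel
# Federation policy (shape from the AWS SAML guide the post links): each federated user may
# fetch a Connect federation token, scoped to one instance and to itself via ${aws:userid}.
federation_policy() {  # args: region account instance_id
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "connect:GetFederationToken",
    "Resource": "arn:aws:connect:$1:$2:instance/$3/user/\${aws:userid}"
  }]
}
EOF
}
# Trust policy: only SAML assertions from the named provider, addressed to the AWS sign-in audience, may assume the role.
trust_policy() {  # args: account provider_name
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::$1:saml-provider/$2" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
  }]
}
EOF
}
if [ "${1:-}" = "apply" ]; then  # only contact AWS when asked; by default print both documents for review
  aws iam create-saml-provider --name "$PROVIDER_NAME" --saml-metadata-document "file://$METADATA_XML"
  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(federation_policy "$REGION" "$ACCOUNT_ID" "$INSTANCE_ID")"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$ACCOUNT_ID" "$PROVIDER_NAME")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/$POLICY_NAME"
else
  federation_policy "$REGION" "$ACCOUNT_ID" "$INSTANCE_ID"
  trust_policy "$ACCOUNT_ID" "$PROVIDER_NAME"
fi
```

Run it with no arguments to review the two policy documents, and with `apply` to create the provider, policy and role in your account.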
Return to the Duo Admin Panel. In the Service Provider section, finish adding missing required information:
Service Provider
Account Number* - This is just the AWS Account Number (not the ARN)
Provider Name* - This is the name you assigned in AWS IAM when creating the Identity Provider. In our example, that value is CHC_Duo
Region ID* - Region ID where your Amazon Connect Instance is created. For example, us-east-1
Instance ID* - This is the Amazon Connect Instance ID; this value was collected in the "Collect Amazon Connect Details" section
Destination - You can enter a specific URL if you want to redirect your users to a specific destination inside of Connect (see this link for details: https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html#destination-relay)
Role Attributes: Make sure that the "Amazon Connect Role" name entered matches the name of the role you created in the "Create the IAM Role" section (user-friendly name)
Select Duo groups that should have access to Amazon Connect.
The last part before accessing our Connect Instance using SSO is to create users inside Amazon Connect.
Ensure that the usernames in Amazon Connect exactly match those in your existing directory. If the names don't align, users will be able to log in to the identity provider, but they won't be able to access Amazon Connect since there won't be a corresponding user account. You can manually add users through User Management. Duo sends the Mail Attribute as the username, so when adding users to Connect, their email address must be their username.
You are now ready to use the SSO link to log in to Amazon Connect with Duo!
If you've already set this up but are facing issues, or if you're not following the directions exactly, we want to highlight a few things that are easy to miss in other guides and configuration samples.
Key Point 1: Role Name
In the Duo Admin Panel, under the "Role Attributes" section, the setting labeled "Amazon Connect Role" refers to the name of the IAM Role in AWS required for the SAML 2.0 Federation Integration. The label "Amazon Connect Role" is somewhat misleading, as there isn't actually a concept called "Amazon Connect Role"; it would be clearer if it were named "SAML 2.0 Federation IAM Role."
Key Point 2: Connect Users
On the Duo approval screen on mobile devices, only the username will likely be displayed. However, in most cases, the "Login" value in Amazon Connect needs to be the FULL email address.
References:
https://duo.com/docs/sso-amazon-connect
https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html#destination-relay