Configure Amazon Connnect for SSO using Microsoft Azure
July 2nd, 2020
  1. Home -
  2. Configure Amazon Connnect for SSO using Microsoft Azure -
Azure AD Configuration There is work that needs to be done on both sides and typically two different engineers will be working the issue, one on Azure and one in Connect.  Step one is for the Azure engineer to setup a new application using the login link that agents would normally use to login to the Connect instance.  You can find this on the Amazon Connect home page inside the AWS Management console.   The Azure engineer will then provide a Metadata.XML file back to the AWS Engineer. Step 2 AWS IAM Provider Configuration  
  1. Log in to AWS and open the IAM
  2. Click on Identity providers and then Create Provider.
  3. Choose the Provider Type as SAML.
  4. Enter Provider Name, such as “Azure AD”
  5. Upload a Federation Metadata XML (downloaded from previous step).
  6. Click Create Provider
  Step 3 AWS IAM Role Configuration ( More Information Here: https://docs.aws.amazon.com/connect/latest/adminguide/configure-saml.html )
  1. From the IAM/roles console Create a New Role
  2. Select SAML 2.0 Federation trusted entity type
  3. Select the Azure AD SAML provider from previous step
  4. Select Allow Programmatic and AWS Management Console access. The rest will auto-fill.
  5. On the Attach Permissions Policies Page create a policy like this:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Federation", "Effect": "Allow", "Action": "connect:GetFederationToken", "Resource": [ "arn:aws:connect:YOUR_REGION:YOUR_ACCOUNT_ID:instance/YOUR_INSTANCE_ID/user/${aws:userid}" ] } ] }
  1. After policy is created, go back to Create Role tab, reload the policy list, and select your new policy.
  2. Set a role name and description, then click Create Role
  3. Open the new role and copy the Role ARN into notepad. Switch to the trust relationships tab and copy the Provider ARN into notepad.
Step 4 Create User for Azure to pull Roles for Users 1 - Create Policy "List Roles" 2 - Create User with programmatic access and attach the policy with the Access and Secret Keys 3 - Send me the Provider ARN and Role ARN back to the Azure engineer along with the User and Access Keys where the balance of the configuration is completed The Azure engineer will then complete the Provisioning section setting the mode to Auto    
Related articles
Configuring Amazon Connect Voice Mail
Configuring Amazon Connect Voice Mail For several years we have been deploying a modified version of the Amazon Connect Voice [...]
Membership notification system using AWS Pinpoint SMS!
The Challenge! We had a voice notification system setup to alert member of our "club" about meetings and special events.  [...]
Amazon Connect Emergency Notification System
Emergency Notification? There are a number of use cases for an application that can process a list of contacts to [...]