# Plan your identity management in Amazon Connect
Before you [set up your Amazon Connect instance](amazon-connect-instances.md), you should decide how you want to manage your Amazon Connect users. A user is anyone who needs an Amazon Connect account: agents, call center managers, analysts, and more.
**You cannot change the option you select for identity management after you create an instance**. Instead, you must delete the instance and create a new one. However, if you delete an instance, you lose its configuration settings and metrics data.
When you create your instance, you can choose from one of the following identity management solutions:
+ **Store users with Amazon Connect**—Choose this option if you want to create and manage user accounts within Amazon Connect.
When you manage users in Amazon Connect, the user name and password for each user is specific to Amazon Connect. Users must remember a separate user name and password to log in to Amazon Connect.
+ **Link to an existing directory**—Choose this option to use an existing Active Directory. Users will log in to Amazon Connect using their corporate credentials.
If you choose this option, the directory must be associated with your account, set up in Directory Service, and be active in the same Region in which you create your instance. If you plan to choose this option, you should prepare your directory before you create your Amazon Connect instance. For more information, see [Use an existing directory for identity management in Amazon Connect](directory-service.md).
+ **SAML 2.0-based authentication**—Choose this option if you want to use your existing network identity provider to federate users with Amazon Connect. Users can only log in to Amazon Connect by using the link configured through your identity provider. If you plan to choose this option, you should configure your environment for SAML before you create your Amazon Connect instance. For more information, see [Configure SAML with IAM for Amazon Connect](configure-saml.md).
# Use an existing directory for identity management in Amazon Connect
If you are already using a Directory Service directory to manage users, you can use the same directory to manage user accounts in Amazon Connect. You can also create a new directory in Directory Service to use for Amazon Connect. The directory you choose must be associated with your AWS account, and must be active in the AWS Region in which you create your instance. You can associate an Directory Service directory with only one Amazon Connect instance at a time. To use the directory with a different instance, you must delete the instance with which it is already associated.
The following Directory Service directories are supported in Amazon Connect:
+ [Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html)—Directory Service lets you run Microsoft Active Directory as a managed service.
+ [Active Directory Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html)—AD Connector is a directory gateway you can use to redirect directory requests to your on-premises Microsoft Active Directory.
+ [Simple Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html)—Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory compatible server.
You cannot change the identity option you select after you create the instance. If you decide to change the directory you selected, you can delete the instance and create a new one. When you delete an instance, you lose all configuration settings and metrics data for it.
There is no additional charge for using an existing or a proprietary directory in Amazon Connect. For information about the costs associated with using Directory Service, see [Directory Service Pricing Overview](https://aws.amazon.com/directoryservice/pricing/).
The following limitations apply to all new directories created using Directory Service:
+ Directories can only have alphanumeric names. Only the '.' character can be used.
+ Directories cannot be unbound from an Amazon Connect instance after they have been associated.
+ Only one directory can be added to an Amazon Connect instance.
+ Directories cannot be shared across multiple Amazon Connect instances.
# Configure SAML with IAM for Amazon Connect
Amazon Connect supports identity federation by configuring Security Assertion Markup Language (SAML) 2.0 with AWS IAM to enable web-based single sign-on (SSO) from your organization to your Amazon Connect instance. This allows your users to sign in to a portal in your organization hosted by a SAML 2.0 compatible identity provider (IdP) and log in to an Amazon Connect instance with a single sign-on experience without having to provide separate credentials for Amazon Connect.
## Important notes
Before you begin, note the following:
+ These instructions do not apply to Amazon Connect Global Resiliency deployments. For information that applies to Amazon Connect Global Resiliency, see [Integrate your identity provider (IdP) with an Amazon Connect Global Resiliency SAML sign in endpoint](integrate-idp.md).
+ Choosing SAML 2.0-based authentication as the identity management method for your Amazon Connect instance requires the configuration of [AWS Identity and Access Management federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
+ The user name in Amazon Connect must match the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider.
+ Amazon Connect does not support reverse federation. That is, you can't login directly into Amazon Connect. If you tried, you'd get a *Session Expired* message. The authentication should be done from the Identity Provider (IdP) and not the Service Provider (SP) (Amazon Connect).
+ Most identity providers by default use the global AWS sign-in endpoint as the Application Consumer Service (ACS), which is hosted in US East (N. Virginia). We recommend overriding this value to use the regional endpoint that matches the AWS Region where your instance was created.
+ All Amazon Connect usernames are case sensitive, even when using SAML.
+ If you have old Amazon Connect instances that were set up with SAML and you need to update your Amazon Connect domain, see [Personal settings](update-your-connect-domain.md#new-domain-settings).
## Overview of using SAML with Amazon Connect
The following diagram shows the order in which steps take place for SAML requests to authenticate users and federate with Amazon Connect. It is not a flow diagram for a threat model.
![\[Overview of the request flow for SAML authentication requests with Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-overview.png)
SAML requests go through the following steps:
1. The user browses to an internal portal that includes a link to log in to Amazon Connect. The link is defined in the identity provider.
1. The federation service requests authentication from the organization's identity store.
1. The identity store authenticates the user and returns the authentication response to the federation service.
1. When authentication is successful, the federation service posts the SAML assertion to the user's browser.
1. The user's browser posts the SAML assertion to the AWS sign in SAML endpoint (https://signin.aws.amazon.com/saml). AWS sign in receives the SAML request, processes the request, authenticates the user, and initiates a browser redirect to the Amazon Connect endpoint with the authentication token.
1. Using the authentication token from AWS, Amazon Connect authorizes the user and opens Amazon Connect in their browser.
## Enabling SAML-based authentication for Amazon Connect
The following steps are required to enable and configure SAML authentication for use with your Amazon Connect instance:
1. Create an Amazon Connect instance and select SAML 2.0-based authentication for identity management.
1. Enable SAML federation between your identity provider and AWS.
1. Add Amazon Connect users to your Amazon Connect instance. Log in to your instance using the administrator account created when you created your instance. Go to the **User Management** page and add users.
**Important**
**For a list of allowed characters in user names**, see the documentation for the `Username` property in the [CreateUser](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html) action.
Due to the association of an Amazon Connect user and an AWS IAM Role, the user name must match exactly the RoleSessionName as configured with your AWS IAM federation integration, which typically ends up being the user name in your directory. The format of the username should match the intersection of the format conditions of the [RoleSessionName](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and an [Amazon Connect user](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html#connect-CreateUser-request-DirectoryUserId), as shown in the following diagram:
![\[Ven diagram of rolesessionname and Amazon Connect user.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-ven-diagram.png)
1. Configure your identity provider for the SAML assertions, authentication response, and relay state. Users log in to your identity provider. When successful, they are redirected to your Amazon Connect instance. The IAM role is used to federate with AWS, which allows access to Amazon Connect.
## Select SAML 2.0-based authentication during instance creation
When you are creating your Amazon Connect instance, select the SAML 2.0-based authentication option for identity management. On the second step, when you create the administrator for the instance, the user name that you specify must exactly match a user name in your existing network directory. There is no option to specify a password for the administrator because passwords are managed through your existing directory. The administrator is created in Amazon Connect and assigned the **Admin** security profile.
You can log in to your Amazon Connect instance, through your IdP, using the administrator account to add additional users.
## Enable SAML federation between your identity provider and AWS
To enable SAML-based authentication for Amazon Connect, you must create an identity provider in the IAM console. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
The process to create an identity provider for AWS is the same for Amazon Connect. Step 6 in the above flow diagram shows the client is sent to your Amazon Connect instance instead of the AWS Management Console.
The steps necessary to enable SAML federation with AWS include:
1. Create a SAML provider in AWS. For more information, see [Creating SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html).
1. Create an IAM role for SAML 2.0 federation with the AWS Management Console. Create only one role for federation (only one role is needed and used for federation). The IAM role determines which permissions the users that log in through your identity provider have in AWS. In this case, the permissions are for accessing Amazon Connect. You can control the permissions to features of Amazon Connect by using security profiles in Amazon Connect. For more information, see [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).
In step 5, choose **Allow programmatic and AWS Management Console access**. Create the trust policy described in the topic in the procedure *To prepare to create a role for SAML 2.0 federation*. Then create a policy to assign permissions to your Amazon Connect instance. Permissions start on step 9 of the *To create a role for SAML-based federation* procedure.
**To create a policy for assigning permissions to the IAM role for SAML federation**
1. On the **Attach permissions policy** page, choose **Create policy**.
1. On the **Create policy** page, choose **JSON**.
1. Copy one of the following example policies and paste it into the JSON policy editor, replacing any existing text. You can use either policy to enable SAML federation, or customize them for your specific requirements.
Use this policy to enable federation for all users in a specific Amazon Connect instance. For SAML-based authentication, replace the value for the `Resource` to the ARN for the instance that you created:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": "connect:GetFederationToken",
"Resource": [
"arn:aws:connect:us-east-1:361814831152:instance/2fb42df9-78a2-2e74-d572-c8af67ed289b/user/${aws:userid}"
]
}
]
}
```
------
Use this policy to enable federation to a specific Amazon Connect instances. Replace the value for the `connect:InstanceId` to the instance ID for your instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement2",
"Effect": "Allow",
"Action": "connect:GetFederationToken",
"Resource": "*",
"Condition": {
"StringEquals": {
"connect:InstanceId": "2fb42df9-78a2-2e74-d572-c8af67ed289b"
}
}
}
]
}
```
------
Use this policy to enable federation for multiple instances. Note the brackets around the listed instance IDs.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement2",
"Effect": "Allow",
"Action": "connect:GetFederationToken",
"Resource": "*",
"Condition": {
"StringEquals": {
"connect:InstanceId": [
"2fb42df9-78a2-2e74-d572-c8af67ed289b",
"1234567-78a2-2e74-d572-c8af67ed289b"]
}
}
}
]
}
```
------
1. After you create the policy, choose **Next: Review**. Then return to step 10 in the *To create a role for SAML-based federation* procedure in the [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) topic.
1. Configure your network as a SAML provider for AWS. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
1. Configure SAML Assertions for the Authentication Response. For more information, [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).
1. For Amazon Connect, leave the **Application Start URL** blank.
1. Override the Application Consumer Service (ACS) URL in your identity provider to use the regional endpoint that coincides with the AWS Region of your Amazon Connect instance. For more information, see [Configure the identity provider to use regional SAML endpoints](#regionally-isolated-saml).
1. Configure the relay state of your identity provider to point to your Amazon Connect instance. The URL to use for the relay state is comprised as follows:
`https://region-id.console.aws.amazon.com/connect/federate/instance-id`
Replace the *region-id* with the Region name where you created your Amazon Connect instance, such as us-east-1 for US East (N. Virginia). Replace the *instance-id* with the instance ID for your instance.
For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/**:
+ https://console.amazonaws-us-gov.com/connect/federate/instance-id
**Note**
You can find the instance ID for your instance by choosing the instance alias in the Amazon Connect console. The instance ID is the set of numbers and letters after '/instance' in the **Instance ARN** displayed on the **Overview** page. For example, the instance ID in the following Instance ARN is *178c75e4-b3de-4839-a6aa-e321ab3f3770*.
arn:aws:connect:us-east-1:450725743157:instance/*178c75e4-b3de-4839-a6aa-e321ab3f3770*
## Configure the identity provider to use regional SAML endpoints
To provide the best availability we recommend using the regional SAML endpoint that coincides with your Amazon Connect instance instead of the default global endpoint.
The following steps are IdP agnostic; they work for any SAML IdP (for example, Okta, Ping, OneLogin, Shibboleth, ADFS, AzureAD, and more).
1. Update (or override) the Assertion Consumer Service (ACS) URL. There are two ways you can do this:
+ **Option 1**: Download the AWS SAML metadata and update the `Location` attribute to the Region of your choice. Load this new version of the AWS SAML metadata into your IdP.
Following is an example of a revision:
``
+ **Option 2**: Override the AssertionConsumerService (ACS) URL in your IdP. For IdPs like Okta that provide prebaked AWS integrations, you can override the ACS URL in the AWS admin console. Use the same format to override to a Region of your choice (for example, https://*region-id*.signin.aws.amazon.com/saml).
1. Update the associated role trust policy:
1. This step needs to be done for every role in every account that trusts the given identity provider.
1. Edit the trust relationship, and replace the singular `SAML:aud` condition with a multivalued condition. For example:
+ Default: "`SAML:aud`": "https://signin.aws.amazon.com/saml".
+ With modifications: "`SAML:aud`": [ "https://signin.aws.amazon.com/saml", "https://*region-id*.signin.aws.amazon.com/saml" ]
1. Make these changes to the trust relationships in advance. They should not be done as part of a plan during an incident.
1. Configure a relay state for the Region-specific console page.
1. If you don't do this final step, there's no guarantee that the Region-specific SAML sign in process will forward the user to the console sign in page within the same Region. This step is most varied per identity provider, but there are a blogs (for example, [How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page](https://aws.amazon.com/blogs//security/how-to-use-saml-to-automatically-direct-federated-users-to-a-specific-aws-management-console-page/)) that show the use of relay state to achieve deep linking.
1. Using the technique/parameters appropriate for your IdP, set the relay state to the console endpoint that matches (for example, https://*region-id*.console.aws.amazon.com/connect/federate/*instance-id*).
**Note**
Ensure that STS is not disabled in your additional Regions.
Ensure no SCPs are preventing STS actions in your additional Regions.
## Use a destination in your relay state URL
When you configure the relay state for your identity provider, you can use the destination argument in the URL to navigate users to a specific page in your Amazon Connect instance. For example, use a link to open the CCP directly when an agent logs in. The user must be assigned a security profile that grants access to that page in the instance. For example, to send agents to the CCP, use a URL similar to the following for the relay state. You must use [URL encoding](https://en.wikipedia.org/wiki/Percent-encoding) for the destination value used in the URL:
+ `https://us-east-1.console.aws.amazon.com/connect/federate/instance-id?destination=%2Fccp-v2%2Fchat&new_domain=true`
Another example of a valid URL is:
+ `https://us-east-1.console.aws.amazon.com/connect/federate/instance-id?destination=%2Fagent-app-v2`
For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/**. So the address would be:
+ `https://console.amazonaws-us-gov.com/connect/federate/instance-id?destination=%2Fccp-v2%2Fchat&new_domain=true`
If you want to configure the destination argument to a URL outside of the Amazon Connect instance, such as your own custom website, first add that external domain to the account's approved origins. For example, perform the steps in the following order:
1. In the Amazon Connect console add https://*your-custom-website*.com to your approved origins. For instructions, see [Use an allowlist for integrated applications in Amazon Connect](app-integration.md).
1. In your identity provider configure your relay state to ` https://your-region.console.aws.amazon.com/connect/federate/instance-id?destination=https%3A%2F%2Fyour-custom-website.com`
1. When your agents log in they are taken directly to https://*your-custom-website*.com.
## Add users to your Amazon Connect instance
Add users to your connect instance, making sure that the user names exactly match the users names in your existing directory. If the names do not match, users can log in to the identity provider, but not to Amazon Connect because no user account with that user name exists in Amazon Connect. You can add users manually on the **User management** page, or you can bulk upload users with the CSV template. After you add the users to Amazon Connect, you can assign security profiles and other user settings.
When a user logs in to the identity provider, but no account with the same user name is found in Amazon Connect, the following **Access denied** message is displayed.
![\[An Access denied error for a user whose name is not in Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-access-denied.png)
**Bulk upload users with the template**
You can import your users by adding them to a CSV file. You can then import the CSV file to your instance, which adds all users in the file. If you add users by uploading a CSV file, make sure that you use the template for SAML users. You can find on the **User management** page in Amazon Connect. A different template is used for SAML-based authentication. If you previously downloaded the template, you should download the version available on the **User management** page after you set up your instance with SAML-based authentication. The template should not include a column for email or password.
## SAML user logging in and session duration
When you use SAML in Amazon Connect, users must log in to Amazon Connect through your identity provider (IdP). Your IdP is configured to integrate with AWS. After authentication, a token for their session is created. The user is then redirected to your Amazon Connect instance and automatically logged in to Amazon Connect using single sign-on.
As a best practice, you should also define a process for your Amazon Connect users to log out when they are finished using Amazon Connect. They should log out from both Amazon Connect and your identity provider. If they do not, the next person that logs in to the same computer can log in to Amazon Connect without a password since the token for the previous sessions is still valid for the duration of the session. It's valid for 12 hours.
**About session expiration**
Amazon Connect sessions expire 12 hours after a user logs in. After 12 hours, users are automatically logged out, even if they are currently on a call. If your agents stay logged in for more than 12 hours, they need to refresh the session token before it expires. To create a new session, agents need to log out of Amazon Connect and your IdP and then log in again. This resets the session timer set on the token so that agents are not logged out during an active contact with a customer. When a session expires while a user is logged in, the following message is displayed. To use Amazon Connect again, the user needs to log in to your identity provider.
![\[Error message displayed when the session expires for a SAML-based user.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-session-expired.png)
**Note**
If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Amazon Connect page. If you still get this message, contact your IT team.
# Troubleshoot SAML with Amazon Connect
This article explains how to troubleshoot and resolve some of the most common issues customers encounter when using SAML with Amazon Connect.
If you're troubleshooting your integration with other identity providers such as Okta, PingIdentify, Azure AD, and more, see [Amazon Connect SSO Setup Workshop](https://catalog.workshops.aws/workshops/33e6d0e7-f927-4531-abb1-f28a86ba0872/en-US).
## Error Message: Access Denied. Your account has been authenticated, but has not been onboarded to this application.
![\[The error message: access denied.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-access-denied.png)
### What does this mean?
This error means that the user has successfully authenticated using SAML into the AWS SAML login endpoint. However, the user could not be matched/found inside Amazon Connect. This usually indicates one of the following:
+ The username in Amazon Connect doesn't match the `RoleSessionName` SAML attribute specified in the SAML response returned by the identity provider.
+ The user doesn't exist in Amazon Connect.
+ The user has two separate profiles assigned to them with SSO.
### Resolution
Use the following steps to check the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider, and then retrieve and compare with the login name in Amazon Connect.
1. Perform a HAR capture (**H**TTP **AR**chive) for the end-to-end login process. This captures the network requests from the browser side. Save the HAR file with your preferred file name, for example, **saml.har**.
For instructions, see [How do I create a HAR file from my browser for an AWS Support case?](https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/)
1. Use a text editor to find the SAMLResponse in the HAR file. Or, run the following commands:
`$ grep -o "SAMLResponse=.*&" azuresaml.har | sed -E 's/SAMLResponse=(.*)&/\1/' > samlresponse.txt`
+ This searches for the SAMLresponse in the HAR file and saves it to a **samlresponse.txt** file.
+ The response is URL encoded and the contents are Base64 encoded.
1. Decode the URL response and then decode the Base64 contents using a third-party tool or a simple script. For example:
`$ cat samlresponse.txt | python3 -c "import sys; from urllib.parse import unquote; print(unquote(sys.stdin.read()));" | base64 --decode > samlresponsedecoded.txt`
This script uses a simple python command to decode the SAMLResponse from its original URL encoded format. Then it decodes the response from Base64 and outputs the SAML Response in plain text format.
1. Check the decoded response for the needed attribute. For example, the following image shows how to check `RoleSessionName`:
![\[The grep command to check rolesessionname.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-rolesessionname.png)
1. Check whether the username returned in from the previous step exists as a user in your Amazon Connect instance:
\$1 aws connect list-users --instance-id [INSTANCE\$1ID] \$1 grep \$1username
+ If the final grep does not return a result then this means that the user does not exist in your Amazon Connect instance or it has been created with a different case/capitalization.
+ If your Amazon Connect instance has many users, the response from the ListUsers API call maybe paginated. Use the `NextToken` returned by the API to fetch the rest of the users. For more information, see [ListUsers](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListUsers.html).
### Example SAML Response
Following is an image from a sample SAML Response. In this case, the identity provider (IdP) is Azure Active Directory (Azure AD).
![\[a sample SAML Response.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-saml-response.png)
## Error Message: Access denied, Please contact your AWS account administrator for assistance.
![\[Error Message: Access denied.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-access-denied-admin.png)
### What does this mean?
The role that the user has assumed has successfully authenticated using SAML. However, the role doesn't have permission to call the GetFederationToken API for Amazon Connect. This call is required so the user can log in to your Amazon Connect instance using SAML.
### Resolution
1. Attach a policy that has the permissions for `connect:GetFederationToken` to the role found in the error message. Following is a sample policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": "connect:GetFederationToken",
"Resource": [
"arn:aws:connect:ap-southeast-2:111122223333:instance/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/user/${aws:userid}"
]
}
]
}
```
------
1. Use the IAM console to attach the policy. Or, use the attach-role-policy API, for example:
`$ aws iam attach-role-policy —role-name [ASSUMED_ROLE] —policy_arn [POLICY_WITH_GETFEDERATIONTOKEN]`
## Error Message: Session Expired
If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Amazon Connect page. If you still get this message, contact your IT team.