Using Azure AD with AWS SSO and Amazon Connect

Recently I was having a look at Amazon Connect and configuring a demo for a client. One of the things I wanted to get working was single sign on (SSO) with Azure AD as the identity provider (IdP). My search for blog posts and documentation on how to do this uncovered some good starting points but they didn’t cater for all my requirements.

The Next Evolution in AWS Single Sign-On is a great blog post on getting Azure AD identities into AWS SSO but is missing the integration into Connect. Enabling federation with AWS Single Sign-On and Amazon Connect is another great blog post but uses AWS Managed Microsoft AD as its user base.

Between those two blog posts and the AWS documentation I thought I had everything I needed to get it working quickly. The first little hurdle I encountered was that my users in Azure AD did not have all the mandatory fields set for automatic provisioning. As per the documentation:

For SCIM synchronization to work, every user must have a First name, Last name, Username and Display name value specified. If any of these values are missing from a user, that user will not be provisioned.

The Azure AD account I was using for this demo wasn’t properly maintained, so I had to go in there and update all the missing fields. Once these were updated the identities all came across to AWS SSO. A word of warning though: automatic provisioning from Azure AD syncs every 40 minutes, and there were times it took almost an hour to sync across. It can be a long day waiting for users to come across, especially if you don’t get your settings right from the start and have to make changes and then wait for them to sync across again.

Once I had my users in AWS SSO I moved on to the Connect blog post setup steps. I created a user stojan.veselinovski@mantalus.com in my Amazon Connect instance, and for the attribute mappings I used the configuration options outlined in Step 4.

[Screenshot: Step 4 attribute mappings]

Now that everything was configured it was time to run my first test and try to log in. I grabbed my SSO URL from the SSO console. It's configured in the initial setup of SSO and is in the format:

https://<globally unique name>.awsapps.com/start#/

The logon screen is shown below.

[Screenshot: AWS SSO logon screen showing the Amazon Connect application]

I clicked on Amazon Connect and it popped up the Microsoft login box with a list of accounts I could use. I authenticated with the appropriate account and then got the error: ${user:email} is empty.

Looking at the documentation I could see the following supported attributes.

[Screenshot: Supported Attributes table from the AWS SSO documentation]

I checked the synced identities in AWS SSO and noticed that “Primary Email” was blank. The documentation says automatic provisioning uses the System for Cross-domain Identity Management (SCIM) v2.0 protocol. The core schema specification can be found at https://tools.ietf.org/html/rfc7643.

It wasn’t completely obvious which fields I needed to map, but my first inclination was to set the source attribute in Azure AD to userPrincipalName and the destination attribute to email[type = "work"].value. See below. I waited the obligatory 40-odd minutes for the sync to come across and found that the email field had been populated.

[Screenshot: Supported Attributes (userPrincipalName to work email mapping in Azure AD)]

So I ran my test login into Amazon Connect again, and this time it all worked.
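Because every mapping change costs a 40-minute sync, it helps to check the user resources before provisioning. The script below is an added example, not code from the post or from AWS; it checks SCIM 2.0 user resources (RFC 7643 core schema) for the two failure modes described above: a missing mandatory field, which silently skips the user, and a missing work email, which leaves ${user:email} empty at Connect login. The sample users are constructed.

```python
# Added example (not from the original post): pre-flight check of SCIM 2.0 user
# resources (RFC 7643 core schema) before Azure AD provisions them into AWS SSO.
import json

# Fields AWS SSO requires, as paths into the SCIM user resource.
MANDATORY = {
    "First name": ("name", "givenName"),
    "Last name": ("name", "familyName"),
    "Username": ("userName",),
    "Display name": ("displayName",),
}

def _get(resource, path):
    """Walk a nested dict along path; None if any step is missing."""
    node = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def work_email(resource):
    """Value the post's userPrincipalName -> work email mapping sends, or None."""
    for entry in resource.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None

def check_user(resource):
    """Problems found; an empty list means the user provisions with an email."""
    problems = []
    for label, path in MANDATORY.items():
        value = _get(resource, path)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{label} missing: user will not be provisioned")
    if work_email(resource) is None:
        problems.append("no work email: ${user:email} will be empty")
    return problems

# Constructed sample users: one complete, one missing fields and email.
SAMPLE = json.loads("""[
 {"userName": "alice@example.com", "displayName": "Alice Example",
  "name": {"givenName": "Alice", "familyName": "Example"},
  "emails": [{"value": "alice@example.com", "type": "work", "primary": true}]},
 {"userName": "bob@example.com", "name": {"givenName": "Bob"}}
]""")

if __name__ == "__main__":
    for user in SAMPLE:
        print(user["userName"], check_user(user) or "OK")
```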

Key Takeaways

  • Follow The Next Evolution in AWS Single Sign-On to set up the Azure AD integration into AWS SSO.
  • Make sure First name, Last name, Username and Display name are populated in Azure AD for all users.
  • Make sure you set source userPrincipalName to destination email[type = "work"].value for the primary email to come across. You could possibly set other attributes depending on requirements, but read through RFC 7643 to find what works for you.
  • Follow Enabling federation with AWS Single Sign-On and Amazon Connect to set up the AWS SSO integration into Amazon Connect.
  • Watch out for the 40-odd minute sync from Azure. There is no button or method to trigger a sync, and it can be a long day waiting when you are testing different mappings.
  • Even though it's single sign-on, you still have to manually create a user in Amazon Connect with the same username as the attribute the IdP passes in for RoleSessionName.