Manage users for Gen AI-based Resilience Amazon Connect


Choosing the right user management method for Amazon Connect matters a great deal, especially if you plan to add Global Resiliency later. Amazon Connect is a contact center service powered by generative AI. In this post you will learn how to choose the user management method for Amazon Connect. There are several options; here I describe what I tested in my PoC.

Published May 6, 2024
Question: Will you need a Global Resiliency / global HA setup in the future as well (for example one Amazon Connect instance in US East and another in US West)?
Answer if No: choose any kind of identity management (users stored locally in Amazon Connect, a 1:1 connection to AWS Managed Microsoft AD, or SAML 2.0). Note that once the instance is created, its identity management type cannot be changed.
Answer if Yes: use SAML 2.0 for identity management. SAML 2.0 is one of the prerequisites for the Global Resiliency setup.
SAML 2.0 is essential for Amazon Connect to achieve global resiliency / global high availability.
SAML: Security Assertion Markup Language

Figure: users administered in AWS Managed Microsoft AD, without SAML.

Figure: user accounts managed in Okta, with SAML authentication.

Using Okta to manage multiple Amazon Connect instances:
1. Okta holds and maintains all users for multiple Amazon Connect instances in different AWS accounts (Dev, Test, UAT, Prod).
2. Users log in to the different Amazon Connect instances with the same username and password (one credential).
3. The same credentials can also be used to sign in to the AWS Management Console of each account (Dev, Test, UAT, Prod).
4. Groups of users can be assigned to each Amazon Connect instance, which makes onboarding and offboarding easy.
Use case in my sandbox environment (multiple AWS accounts under one organization with several OUs, like a client's landing zone):
1. Okta as the SAML 2.0 identity provider (Okta developer account).
2. Two Amazon Connect instances created in two different AWS accounts, reached through a single login URL.
3. The default Amazon Connect instance login URL is disabled; users must log in through the SAML URL.
4. No Active Directory integration; users are managed locally inside Okta.
On my Okta developer account, the use cases were:
- User 1 logs in through the Okta URL and sees only one Amazon Connect instance (Prod), with the Call Center Manager role.
- User 2 logs in through the Okta URL and sees both instances with different roles (Prod: Agent; UAT: Agent and Call Center Manager) (above screenshot).
- User 3 has the administrator role in Okta and in both Amazon Connect instances, and uses the Okta admin URL to access them.
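The multi-account Okta setup described above (one user, several Amazon Connect instances in different accounts, one set of credentials) comes down to three artifacts per account: a SAML identity provider, a federated IAM role that may only call connect:GetFederationToken for the matching Connect user, and an Okta RelayState that lands the user in the right instance. The script below is an added example, not code from the original post. It generates those artifacts for a made-up inventory, refuses to do so for an instance whose IdentityManagementType is not SAML (that type is fixed when the instance is created), and checks the two attributes Okta must put in the assertion. Every account ID, instance ID, role name and provider name in it is a placeholder I made up.

```python
"""Added example, not code from the original post: generate the IAM pieces that
let one Okta (SAML 2.0) user reach several Amazon Connect instances in different
AWS accounts, and check the attributes Okta must emit in the assertion.
Account IDs, instance IDs, role and provider names are made-up placeholders."""
import json
import re
from urllib.parse import quote

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

# Constructed inventory: one Connect instance per environment, each in its own
# account. identity_type mirrors IdentityManagementType as returned by
# `aws connect describe-instance`; it cannot be changed after creation.
INSTANCES = {
    "prod": {"account": "111111111111", "region": "us-east-1",
             "instance_id": "11111111-2222-3333-4444-555555555555",
             "identity_type": "SAML", "role": "Okta-Connect-Prod", "provider": "Okta"},
    "uat": {"account": "222222222222", "region": "us-east-1",
            "instance_id": "66666666-7777-8888-9999-000000000000",
            "identity_type": "SAML", "role": "Okta-Connect-UAT", "provider": "Okta"},
    # Created with users stored in Connect itself: cannot be switched to SAML.
    "legacy": {"account": "333333333333", "region": "us-west-2",
               "instance_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
               "identity_type": "CONNECT_MANAGED", "role": "n/a", "provider": "n/a"},
}


def saml_ready(env):
    """True only for instances created with SAML 2.0 identity management."""
    return INSTANCES[env]["identity_type"] == "SAML"


def role_arn(inst):
    return f"arn:aws:iam::{inst['account']}:role/{inst['role']}"


def provider_arn(inst):
    return f"arn:aws:iam::{inst['account']}:saml-provider/{inst['provider']}"


def trust_policy(env):
    """Role trust policy: only assertions from this account's Okta provider,
    addressed to the AWS sign-in audience, may assume the role."""
    inst = INSTANCES[env]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn(inst)},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}}]}


def permissions_policy(env):
    """Least privilege for the federated role: the only API it needs is
    connect:GetFederationToken, scoped to the Connect user whose login equals
    the session name (${aws:userid}) on this one instance."""
    inst = INSTANCES[env]
    user_arn = ("arn:aws:connect:" + inst["region"] + ":" + inst["account"]
                + ":instance/" + inst["instance_id"] + "/user/${aws:userid}")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "connect:GetFederationToken", "Resource": user_arn}]}


def relay_state(env, destination=None):
    """RelayState Okta sends so the AWS sign-in lands in Connect, not the console."""
    inst = INSTANCES[env]
    url = f"https://{inst['region']}.console.aws.amazon.com/connect/federate/{inst['instance_id']}"
    if destination:
        url += "?destination=" + quote(destination, safe="")
    return url


def federation_artifacts(env):
    """Everything to hand to the owner of one account/environment."""
    if not saml_ready(env):
        raise ValueError(f"{env}: identity management is {INSTANCES[env]['identity_type']}, "
                         "not SAML; it cannot be changed, the instance must be recreated")
    return {"trust_policy": trust_policy(env),
            "permissions_policy": permissions_policy(env),
            "relay_state": relay_state(env)}


def validate_assertion(attrs, env, connect_login):
    """Check the two attributes Okta must emit for a Connect sign-in.
    attrs maps attribute name -> list of values (SAML attributes are multi-valued).
    Returns a list of problems; an empty list means the assertion is acceptable."""
    inst = INSTANCES[env]
    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if f"{role_arn(inst)},{provider_arn(inst)}" not in roles:
        problems.append(f"no Role value maps to {role_arn(inst)} via {provider_arn(inst)}")
    for pair in roles:
        parts = pair.split(",")
        matches = [IAM_ARN.match(p) for p in parts]
        if len(parts) != 2 or not all(matches):
            problems.append(f"malformed Role value: {pair}")
        elif matches[0].group(1) != matches[1].group(1):
            # A provider in one account cannot vouch for a role in another.
            problems.append(f"role and provider are in different accounts: {pair}")
    # Connect looks the user up by RoleSessionName; it must equal the login exactly.
    if attrs.get(SESSION_ATTR) != [connect_login]:
        problems.append("RoleSessionName must equal the Amazon Connect login exactly (case-sensitive)")
    return problems


if __name__ == "__main__":
    for env in ("prod", "uat"):
        print(json.dumps(federation_artifacts(env), indent=2))
```

The Role attribute is multi-valued, so a user like User 2 above carries one role/provider pair per environment; each Okta tile for a Connect instance normally sends only its own pair plus that instance's RelayState. Two practical points the example encodes: the session name Amazon Connect receives must equal the user's login in that instance exactly (a case difference is a failed login), and removing a user from the Okta group only stops the sign-in, it does not delete the Amazon Connect user record, so offboarding also means removing the user in Connect.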
Finally, Okta is not the only option for user management in a resiliency setup. Many companies use Microsoft Entra ID (formerly Azure Active Directory) for their employees' authentication and authorization, and Entra ID also supports SAML 2.0. Here is a high-level diagram I created in my sandbox environment.
Figure: Amazon Connect using Microsoft Entra ID.