Set Up Identity and Permissions

In this step, you swivel back and forth between your Trailhead Playground and AWS. It's good to have both environments open as you set up your call center.

Configure Salesforce as an Identity Provider

Now, you need to configure Salesforce as an identity provider. If your Trailhead Playground isn’t open yet, open it by going to the bottom of this page, selecting it from the playground selector, and clicking Launch.

  1. Click the Setup gear icon, then click Setup.
  2. Enter identity in Quick Find, then click Identity Provider.
  3. Click Enable Identity Provider.
  4. Select the self-signed certificate from the list of certificates. It should be in the format of SelfSignedCert_DATE.
  5. Click Save. If there’s a popup message, click OK.
  6. Click Download Metadata and save it to a location on your machine where you can easily retrieve it later.

[Screenshot: Salesforce Identity Provider page, Download Metadata button highlighted]

Just like that, you’ve completed identity provider setup for Salesforce and are a step closer to SSO with Amazon Connect. Back to AWS.

Configure AWS IAM

Next, you configure AWS Identity and Access Management (IAM) to use Salesforce for identity management for your new Amazon Connect instance.

  1. Log in to the AWS Console if you haven’t already.
  2. Enter iam in Find Services and select IAM.
  3. Click Identity providers in the left navigation, then click Create Provider.
    [Screenshot: IAM dashboard, Identity providers option in the left pane highlighted]
  4. Select SAML for the Provider Type.
  5. Enter AmazonConnectSalesforce for Provider Name.
  6. Click Choose File and select the metadata file you downloaded from your playground.
  7. Click Next Step, then click Create.
    [Screenshot: success message "You have finished creating a SAML provider"]
  8. Retrieve your Provider ARN.
    1. Click on AmazonConnectSalesforce under Provider Name.
    2. Click the copy icon at the end of the Provider ARN to copy it.
    3. Save the Provider ARN where you can retrieve it later.

Create an SSO Policy and Role

Now, create a policy in IAM. Similar to Salesforce profiles and roles, policies and roles in AWS enable you to assign a specific set of permissions to users. In this case, you're enabling Salesforce users to access Amazon Connect right from within the Service Console.

  1. In IAM, click Roles in the left navigation, then click Create Role.
    [Screenshot: IAM dashboard, Roles in the left pane highlighted]
  2. Click SAML 2.0 federation as your trusted entity.
    [Screenshot: first step of role creation, SAML 2.0 federation selected]
  3. For SAML provider, select AmazonConnectSalesforce in the dropdown.
  4. Select Allow programmatic and AWS Management Console Access.
  5. Click Next: Permissions, then click Create Policy. This opens a new browser tab. Keep the previous one open—you go back to it later.

The policy is where you define the permissions.

  1. In the new browser tab where you configure your policy, click JSON.
  2. Replace the JSON with the following policy. Make sure you replace <YOUR INSTANCE ARN HERE> with the ARN of your new Amazon Connect instance (in the format arn:aws:connect:REGION:ACCOUNT-ID:instance/INSTANCE-ID). Keep the /user/${aws:userid} suffix: that policy variable scopes the grant to the calling federated identity, so the statement never needs a wildcard resource.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": [
                "<YOUR INSTANCE ARN HERE>/user/${aws:userid}"
            ]
        }
    ]
}

[Screenshot: JSON policy editor containing the policy above]

  1. Click Review Policy.
  2. Enter AmazonConnectSSO_GetFederationTokenSFDC for Name.
  3. Finally, click Create Policy.
    [Screenshot: success message "AmazonConnectSSO_GetFederationTokenSFDC has been created"]

Almost there! Now, go back to the previous browser tab where your role is waiting to be completed.

  1. Search for your new policy by entering AmazonConnectSSO_GetFederationTokenSFDC in the search bar.
    1. If you can't find it, the policy list was loaded before you created the policy. Refresh the page, then click Next: Permissions again and search once more.
  2. Check the box next to your policy.
  3. Click Next: Tags, then Next: Review.
  4. Enter AmazonConnectSSO_SFDC for Role name and then click Create Role.
  5. While you're here, retrieve the Role ARN.
    1. Click into your newly created role AmazonConnectSSO_SFDC.
      [Screenshot: Roles overview, AmazonConnectSSO_SFDC highlighted]
    2. At the top of the Summary, click the copy icon at the end of the Role ARN to copy it.
    3. Save the Role ARN where you can retrieve it later.
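The console wizard hides the two documents you just created: the role's trust policy (who may call sts:AssumeRoleWithSAML) and the permissions policy (what the assumed session may do). The script below is an added example and not part of the Trailhead project: it rebuilds both documents from a provider ARN and an instance ARN, validates the instance ARN format, and audits a permissions policy for the mistakes that silently widen it (placeholder never replaced, wildcard resource, or the /user/${aws:userid} suffix dropped, which would let any federated user request a federation token for any Connect user). The account ID, instance ID and ARNs in the block are constructed sample values, not real resources.

```python
"""Build and audit the IAM documents behind the Salesforce -> Amazon Connect SSO role."""
import json
import re

# Amazon Connect instance ARN: arn:aws:connect:<region>:<12-digit account>:instance/<uuid>
INSTANCE_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:connect:[a-z0-9-]+:\d{12}:instance/[0-9a-f-]{36}$"
)
# Audience the console wizard pins for "programmatic and AWS Management Console access"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
USER_SCOPE = "/user/${aws:userid}"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy equivalent to choosing 'SAML 2.0 federation' in the role wizard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            # Only assertions addressed to the AWS sign-in endpoint may assume the role.
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def build_connect_policy(instance_arn: str) -> dict:
    """The page's permissions policy with the placeholder filled in and the ARN validated."""
    if not INSTANCE_ARN_RE.match(instance_arn):
        raise ValueError(f"not an Amazon Connect instance ARN: {instance_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            # ${aws:userid} is an IAM policy variable resolved at request time from the
            # federated session, so the grant follows the caller instead of being a wildcard.
            "Resource": [instance_arn + USER_SCOPE],
        }],
    }


def audit_connect_policy(policy: dict) -> list:
    """Return human-readable findings for the ways this policy is commonly over-broadened."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action != "connect:GetFederationToken":
                findings.append(f"action {action!r}: SSO needs only connect:GetFederationToken")
        for res in resources:
            if "<YOUR INSTANCE ARN HERE>" in res:
                findings.append("placeholder instance ARN was never replaced")
            elif "*" in res:
                findings.append(f"resource {res!r}: any federated user can get a token for any Connect user")
            elif not res.endswith(USER_SCOPE):
                findings.append(f"resource {res!r} is not scoped to {USER_SCOPE}")
            elif not INSTANCE_ARN_RE.match(res[: -len(USER_SCOPE)]):
                findings.append(f"resource {res!r} does not start with a Connect instance ARN")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers; substitute the ARNs you copied from the console.
    provider = "arn:aws:iam::123456789012:saml-provider/AmazonConnectSalesforce"
    instance = "arn:aws:connect:us-east-1:123456789012:instance/11111111-2222-3333-4444-555555555555"
    print(json.dumps(build_trust_policy(provider), indent=4))
    policy = build_connect_policy(instance)
    print(json.dumps(policy, indent=4))
    print("findings:", audit_connect_policy(policy) or "none")
```

Paste the JSON the script prints into the policy editor, or run audit_connect_policy against a policy document exported from IAM to confirm that nobody has since loosened the resource. The trust policy is the half of the role the wizard writes for you; seeing it spelled out makes clear that the SAML provider named in Principal.Federated, not the Salesforce org as a whole, is what IAM trusts.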

We’re getting there! You’ve established Salesforce as the identity provider and created the AWS IAM policy and role to support your SSO implementation.

We won’t check any of your setup. Click Verify Step to proceed to the next step in the project.