
Set Up a Connected App and Enable Single Sign-On

Configure a Salesforce Connected App

Next, configure a Salesforce connected app so that Salesforce can act as the SAML identity provider for AWS and issue assertions that AWS accepts. If the Trailhead Playground you used for Build an Amazon Connect Integration isn’t open yet, head to the bottom of this page, select it from the playground selector, and click Launch.

  1. Click the Setup gear icon, then click Setup.
  2. Enter app manager in Quick Find and click App Manager.
  3. Then, click New Connected App.
  4. Enter the following information:
    1. Connected App Name: AmazonConnectSSOConnectedApp (this also populates the API Name).
    2. Contact Email: your email address
    3. Web App Settings: check the box next to Enable SAML.
    4. Entity Id: AmazonConnectSalesforce (the same name as the identity provider you configured in the AWS console).
    5. ACS URL: https://signin.aws.amazon.com/saml
    6. Subject Type: Persistent ID
    7. NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    8. IdP Certificate: select the self-signed cert you established in your identity provider.
  5. Leave the remaining defaults as-is and click Save.

You’ve set up your basic connected app. Time to add a couple of custom attributes.

Refine Your Connected App with Custom Attributes and Profile Access

  1. Scroll down your new connected app page to Custom Attributes and click New.
  2. For Key, enter: https://aws.amazon.com/SAML/Attributes/RoleSessionName
  3. For Value:
    1. Click Insert Field 
    2. Click $User > 
    3. Then, click Email
    4. Then, Insert
  4. Click Save to save your custom attribute.
  5. Click New to create another custom attribute that contains your Identity Provider and Role ARNs.
  6. For Key, enter: https://aws.amazon.com/SAML/Attributes/Role
  7. For Value: a formula that joins the AWS IAM identity provider ARN and the AWS IAM role ARN you created previously, in this format: '<your Provider ARN>' & ',' & '<your Role ARN>'. Keep the single quotes (they make each ARN a string literal); the & operator concatenates the pieces, so the assertion carries one value of the form providerARN,roleARN, which is how AWS pairs the role with the identity provider that is allowed to assume it.
  8. Then, click Save.
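These two custom attributes are exactly what AWS reads from the assertion when it calls AssumeRoleWithSAML, and most failed federated logins come down to a malformed Role pair or a RoleSessionName that Amazon Connect cannot match to a user. The following Python script is an added example, not part of the Trailhead module: it parses a constructed sample assertion (the account ID 123456789012 and agent@example.com are placeholders; the provider and role names are the ones this module uses), checks the NameID format, the RoleSessionName character rule and the provider/role ARN pair, and derives the "<role name>/<RoleSessionName>" identity the AWS console displays, whose second half is the login name you create in Amazon Connect later in this step.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# ARN shapes AWS expects in the Role attribute; group 1 is the 12-digit account ID.
PROVIDER_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):saml-provider/[\w._-]+$")
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/[\w+=.@/-]+$")
# AssumeRoleWithSAML limits RoleSessionName to 2-64 characters from this set.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample assertion, not captured from a real login: the account ID
# 123456789012 and agent@example.com are placeholders; the provider and role
# names are the ones this tutorial uses.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">005xx0000012345</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>agent@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AmazonConnectSalesforce,arn:aws:iam::123456789012:role/AmazonConnectSSO_SFDC</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_aws_saml_attributes(assertion_xml):
    """Return (NameID format, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return fmt, attrs


def check_role_pair(value):
    """Validate 'providerARN,roleARN' (AWS accepts either order); return (provider, role)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role attribute must be two comma-separated ARNs, got {len(parts)}")
    provider = next((p for p in parts if PROVIDER_ARN.match(p)), None)
    role = next((p for p in parts if ROLE_ARN.match(p)), None)
    if provider is None or role is None:
        raise ValueError(f"Role attribute needs one saml-provider ARN and one role ARN: {value!r}")
    if PROVIDER_ARN.match(provider).group(1) != ROLE_ARN.match(role).group(1):
        raise ValueError("provider and role ARNs belong to different AWS accounts")
    return provider, role


def check_assertion(assertion_xml):
    """Check what AWS needs from the assertion and derive the identity it will show."""
    fmt, attrs = parse_aws_saml_attributes(assertion_xml)
    problems = []
    if fmt != PERSISTENT:
        problems.append(f"NameID format is {fmt!r}, expected persistent")
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not SESSION_NAME.match(session[0]):
        problems.append("RoleSessionName missing or outside the 2-64 char [\\w+=,.@-] rule")
    provider = role = None
    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1:
        problems.append(f"expected exactly one Role attribute value, got {len(roles)}")
    else:
        try:
            provider, role = check_role_pair(roles[0])
        except ValueError as exc:
            problems.append(str(exc))
    login_name = session[0] if session else None
    # The AWS console shows a federated user as "<role name>/<RoleSessionName>";
    # the part after the slash is the login name to create in Amazon Connect.
    federated = f"{role.rsplit('/', 1)[1]}/{login_name}" if role and login_name else None
    return {"problems": problems, "provider_arn": provider, "role_arn": role,
            "connect_login_name": login_name, "federated_login": federated}


if __name__ == "__main__":
    result = check_assertion(SAMPLE_ASSERTION)
    print(result["problems"] or "OK", result["federated_login"])
```

To check a real login, capture the assertion Salesforce posts to the ACS URL with a browser SAML tracing extension and pass its XML to check_assertion; an empty problems list and a federated_login whose second half equals the Amazon Connect login name is what a working integration looks like.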

You’re close to full SSO integration! Time to put the finishing touches on the connected app so that you have the right access.

  1. Click Manage at the top of your connected app page.
  2. Go to the Profiles section and click Manage Profiles.
  3. Check the boxes next to Standard User and System Administrator. Keep in mind that every user with either profile can now use this connected app to federate into the AWS role named in the Role attribute; in a production org, scope the app to a dedicated profile or permission set instead.
  4. Then, click Save.
  5. Back at your connected app’s main page, head over to the SAML Login Information section.
  6. Copy the IdP-Initiated Login URL and store it where you can find it again. You need it later.
  7. Then, click the URL. This opens a new tab and takes you to the AWS Console.
  8. Click the identity dropdown (your account name in the top right of the console) to display your identity details. Save the Federated Login details where you can retrieve them later.
    (Screenshot: identity dropdown open, with Federated Login highlighted.)

Now, add the Federated Login as a user in your Amazon Connect instance.

Create User in Amazon Connect

  1. Sign out from the Federated Login and sign back in with your AWS account credentials (email and password).
  2. Enter amazon connect in the Find Services search bar and select Amazon Connect.
  3. Click your instance alias, then click Log in for emergency access. This logs you into your Amazon Connect instance with full administrator permissions, bypassing SSO.
  4. Hover over Users in the left navigation, then click User management in the dropdown.
  5. Click Add new users.
  6. Make sure Create and set up a new user is checked and click Next.
  7. When setting up your new user, use the following information.
    1. First name: a name you haven’t used for this instance before.
    2. Last name: something fun, like your pet’s name, or your favorite food.
    3. Login name: this is the important one. Enter the email portion of the federated login you recorded above (everything after AmazonConnectSSO_SFDC/). That value is the RoleSessionName your connected app sends in the assertion, and Amazon Connect matches it against the login name to decide which user a federated session belongs to.
    4. Routing Profile: Basic Routing Profile.
    5. Security Profiles: Agent.
    6. Phone Type: Soft Phone.
  8. Click Save, then Create users.

SSO is fully enabled in AWS. Great job! In the next step, you enable Salesforce for SSO.