Introduction to Amazon Connect and Single Sign-On
Amazon Connect has become a go-to cloud contact center solution for organizations that want flexibility, scalability, and tight integration with AWS services. But as contact centers grow, so does the complexity of managing users, permissions, and secure access. This is where Single Sign-On, or SSO, steps in like a master key that opens multiple doors with one secure credential.
At its core, Single Sign-On allows users to authenticate once and gain access to multiple systems without re-entering credentials. Instead of juggling usernames and passwords for Amazon Connect, email, CRM tools, and other platforms, users sign in through a centralized identity provider. In this guide, that provider is Azure Active Directory (Azure AD).
Why does this matter? Imagine a contact center with hundreds of agents logging in every shift. Password resets, security risks, and inconsistent access control can quickly become a nightmare. SSO reduces friction, strengthens security, and improves the overall user experience. When combined with SAML 2.0, Azure AD and Amazon Connect form a secure trust relationship that streamlines authentication while keeping compliance intact.
This article walks you step by step through configuring SSO for Amazon Connect using Azure AD. From prerequisites and IAM roles to SAML claims and testing, everything is covered in detail so you can implement a production-ready solution with confidence.
Overview of Authentication Options in Amazon Connect
Amazon Connect supports multiple authentication approaches, allowing organizations to choose what best fits their security and operational needs. Out of the box, Amazon Connect provides native user authentication, where users are created and managed directly within the Amazon Connect instance. While this approach works for small teams, it quickly becomes limiting as organizations scale.
The real power comes from SAML 2.0–based federation. With SAML, Amazon Connect delegates authentication to an external identity provider, such as Azure AD. This means Amazon Connect no longer stores or validates passwords. Instead, it trusts the identity provider to verify users and send signed assertions confirming who they are.
Using an external IdP offers several advantages. First, user identities are centralized, making onboarding and offboarding faster and safer. Second, security policies like multi-factor authentication, conditional access, and password complexity are enforced consistently. Third, compliance requirements become easier to manage because access is auditable from a single system.
When you integrate Azure AD with Amazon Connect using SAML 2.0, you’re effectively creating a secure bridge between AWS and Microsoft identity ecosystems. This setup is ideal for enterprises already using Azure AD as their primary directory service.
Understanding Azure Active Directory (Azure AD)
Azure Active Directory is Microsoft’s cloud-based identity and access management service. It acts as a centralized directory for users, groups, applications, and devices. In many organizations, Azure AD is the backbone of authentication, controlling access to everything from Microsoft 365 to third-party SaaS applications.
When Azure AD functions as a SAML Identity Provider, it becomes responsible for authenticating users and issuing SAML assertions. These assertions are digitally signed messages that confirm a user’s identity and include attributes like username, email, and group membership.
The beauty of Azure AD lies in its flexibility. You can enforce conditional access policies, require multi-factor authentication, and manage user lifecycles from a single pane of glass. When Azure AD integrates with Amazon Connect, all these capabilities extend seamlessly to your contact center environment.
In simple terms, Azure AD becomes the gatekeeper, and Amazon Connect becomes the trusted application that accepts verified users without needing to handle credentials directly.
How Amazon Connect and Azure AD Work Together
The integration between Amazon Connect and Azure AD relies on trust. Amazon Connect trusts Azure AD to authenticate users, while Azure AD trusts Amazon Connect as a valid service provider. This trust is established through SAML metadata exchange and IAM configuration.
Here’s what happens during a typical login:
- A user attempts to access Amazon Connect.
- The request is redirected to Azure AD.
- Azure AD authenticates the user using its policies.
- Azure AD sends a signed SAML assertion to AWS.
- AWS validates the assertion and maps the user to an IAM role.
- Amazon Connect grants access based on assigned permissions.
From the user’s perspective, the process feels seamless. They log in once and land directly in the Amazon Connect console. Behind the scenes, SAML assertions, IAM roles, and trust policies work together like gears in a well-oiled machine.
Solution Overview
The following architecture diagram depicts two Azure AD AWS Enterprise Applications that federate via Identity Provider-initiated SSO to AWS Identity and Access Management (IAM), which in turn grants access to your Amazon Connect instance. The first application is created for the administrators of your contact center; the second is created for agents.

Prerequisites for Configuring Amazon Connect SSO
➡️ An AWS account
➡️ An Amazon Connect instance with SAML 2.0 as the chosen Identity Provider
➡️ Basic understanding of Amazon Connect
➡️ Basic understanding of IAM and the privileges required to create the following: an IAM identity provider, roles, policies, and users
➡️ An Azure AD subscription
➡️ A user created in Azure AD that will act as your Amazon Connect administrator
➡️ An administrator user defined in Amazon Connect whose name exactly matches its counterpart in Azure AD (the user mentioned in the previous item)
End to End Steps
Step 1 – In AWS Console – Create the First IAM Policy, the Amazon Connect federation IAM policy
There are two required policies that need to be created. The first policy enables federation for all users in a specific Amazon Connect instance. The second policy allows Azure AD to list IAM roles and account aliases. To create the Amazon Connect federation IAM policy:
- Login to the AWS Management Console and choose IAM
- In the navigation pane, choose Policies
- Choose Create policy
- Select the JSON tab
- Paste the following policy into the editor, replacing the existing content
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": "connect:GetFederationToken",
      "Resource": [
        "**YOUR AMAZON CONNECT INSTANCE ARN**/user/${aws:userid}"
      ]
    }
  ]
}
```
- Replace YOUR AMAZON CONNECT INSTANCE ARN with the ARN for your instance. To find your ARN:
- Open a new browser tab and log into your Amazon Connect Console
- Choose your Instance Alias
- Copy value of your Instance ARN
- Paste the value of the Instance ARN and choose Review Policy
- Name your policy ‘azure_federation_policy’, or something similar
- Optionally, provide a description for the policy
- Choose Create policy
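As an added check that is not part of the original guide or the AWS workshop it follows, the Python below validates a federation policy document like the one above before you attach it: it flags a placeholder ARN that was never replaced and any wildcard that would allow connect:GetFederationToken for every user or instance. The sample policy, account ID and instance ID embedded in it are constructed.

```python
import json
import re

# Constructed sample: the Step 1 policy with the placeholder replaced by an
# example instance ARN (the account ID and instance ID are not real).
FEDERATION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Action": "connect:GetFederationToken",
    "Resource": ["arn:aws:connect:us-east-1:123456789012:instance/11111111-2222-3333-4444-555555555555/user/${aws:userid}"]
  }]
}""")

# Expected shape: exactly one instance ARN, scoped to the caller via the aws:userid policy variable.
INSTANCE_USER_RE = re.compile(
    r"^arn:aws:connect:[a-z0-9-]+:\d{12}:instance/[0-9a-f-]{36}/user/\$\{aws:userid\}$"
)


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_federation_policy(policy: dict) -> list:
    """Return findings for every Allow statement that grants connect:GetFederationToken.
    An empty list means the policy is scoped the way the guide intends."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("connect:GetFederationToken", "connect:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if "YOUR AMAZON CONNECT INSTANCE ARN" in res:
                findings.append(f"placeholder ARN was not replaced: {res}")
            elif res == "*" or res.endswith(":instance/*") or res.endswith("/user/*"):
                findings.append(f"wildcard grants federation for every user or instance: {res}")
            elif not INSTANCE_USER_RE.match(res):
                findings.append(f"resource is not <instance ARN>/user/${{aws:userid}}: {res}")
    return findings


if __name__ == "__main__":
    print(check_federation_policy(FEDERATION_POLICY) or "OK: scoped to one instance and to the caller")
```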
Step 2 – In AWS Console – Create Second IAM Policy, the Azure AD access IAM policy
- In the IAM console, choose Policies again
- Choose Create policy
- Select the JSON tab
- Paste the following policy into the editor, replacing the existing content
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListAccountAliases"
      ],
      "Resource": "*"
    }
  ]
}
```
- Verify the replacement and choose Review Policy
- Name the policy ‘azure_cli_policy’, or something similar
- Optionally, provide a description for the policy
- Choose Create policy
Step 3 – In AWS Console – Create IAM User
An IAM user is created to allow programmatic access to AWS resources. This will allow Azure AD to retrieve the appropriate IAM credentials from your AWS account.
- Login to the AWS Management Console and choose IAM
- In the navigation pane, choose Users
- Choose Add user
- In the Set user details section, provide a Username, for example ‘azure_cli_user’
- In the Select AWS access type section, choose Programmatic access
- Choose Next: Permissions
- In the Set permissions section, choose Attach existing policies directly
- In the search field, type azure. Note: the list of available policies filters as you type. Choose the azure_cli_policy policy that you created in the previous step.
- Choose Next: Tags
- Optionally add tags, then choose Next: Review
- Choose Create user
- On the success page, download the credentials.csv file that contains your user credentials. Note: You will need this later during the Azure AD application setup.
Step 4 – In Azure Portal – Create the Azure AD AWS SAML application
The Azure AD AWS SAML application along with an AWS IAM identity provider will enable the federation between Azure AD and your AWS IAM users. As a part of this blog post you will end up creating two Azure AD applications – one for your Amazon Connect administrators and another for your Amazon Connect agents. At this moment we will begin by creating an application for your administrators.
- Log in to the Azure AD portal with your Azure AD subscription.
- On the navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications → All Applications.
- Select New application.
- In Browse Azure AD Gallery, search for Amazon Web Services (AWS).
- Select AWS Single Account Access.
- Rename the application to: AWS Single-Account Access – Admin
- Click Create and wait for the application to be added.
- Once the application is created, select Set up single sign-on.
- Choose SAML as the single sign-on method.
- When prompted to save settings, select Yes.
- Edit Basic SAML Configuration.
- Configure the Relay State URL for Amazon Connect administrators:
https://<region-id>.console.aws.amazon.com/connect/federate/<instance-id>?destination=%2Fconnect%2F
Notes:
- %2F is the URL-encoded form of / (encoding the destination path is best practice).
- The relay state allows direct access to specific Amazon Connect pages.
- Users must have the correct Amazon Connect security profile.
How to Find Your Amazon Connect Instance ID?
- Open the Amazon Connect Console.
- Choose your Instance Alias.
- Copy the Instance ID from the Instance ARN (the text after the final /):
arn:aws:connect:us-east-1:123456789:instance/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Replace:
- <region-id> → AWS region (example: us-east-1)
- <instance-id> → Amazon Connect instance ID
- Paste the Relay State URL into Basic SAML Configuration.
- Select Save.
- Verify there are no spaces or missing characters.
- Go to Set up single sign-on with SAML.
- Navigate to SAML Signing Certificate.
- Click Add a Certificate.
- Set Signing Option to SAML Assertion and Signing Algorithm to SHA-256.
- Click New Certificate → Save.
- Download the Federation Metadata XML file.
- Keep the Azure portal open.
Step 5 – In AWS Portal – Create AWS IAM Identity Provider
- Log in to the AWS Management Console.
- Navigate to IAM → Identity Providers.
- Select Add provider.
- Choose SAML as Provider Type.
- Provider Name: AzureAD_Connect_Admin
- Upload the metadata.xml downloaded earlier.
- Select Next Step → Create.
Step 6 – In AWS Portal – Create AWS IAM Role for Azure AD
- In IAM, go to Roles → Create role.
- Select SAML 2.0 federation.
- Choose provider: AzureAD_Connect_Admin.
- Enable Programmatic and AWS Management Console access.
- Click Next: Permissions.
- Search for azure and select both required policies.
- Click Next: Tags → Next: Review.
- Role name: AzureAD_Role
- Click Create role.
Step 7 – In Azure Portal – Configure Automatic Provisioning
- Return to the Azure portal.
- Navigate to Enterprise Applications → AWS Single-Account Access – Admin.
- Select Provisioning → Get started.
- Change Provisioning Mode from Manual to Automatic.
- Open the credentials.csv file from the IAM user setup.
- Copy:
  - Access key ID → Paste into Client Secret
  - Secret access key → Paste into Secret Token
- Click Test Connection.
- Confirm the success message.
- Select Save.
- Set Provisioning Status to On.
- Select Save.
- Wait for initial provisioning to complete.
Step 8 – In Azure Portal – Assign Administrator User
- In the Azure portal, open your AWS application.
- Go to Users and groups → Add user.
- Select your Amazon Connect administrator.
- Choose the role and click Assign.
- Confirm the user assignment.
Note: Role visibility may take minutes or hours to sync.
Step 9 – In Amazon Connect Portal – Create Admin and Users
- In the Amazon Connect portal, open User Management.
- Fill in the details for the users or the admin.
Note: The name and email ID of each user or admin in Amazon Connect must exactly match the corresponding Azure AD user.
- In the username field, enter the email ID of the admin or user.
- Choose the security profile and routing profile.
- Create the user.
Step 10 – In Azure Portal – Test Administrator/Users SSO
- Go to the application’s Properties and copy the User access URL.
- Open a new browser session (Incognito recommended).
- Paste the URL.
- Log in with the assigned Azure AD user.
- You should be logged into the Amazon Connect console as Administrator.
See the YouTube video listed under Sources for a walkthrough of the same steps.
Sources
- AWS Workshop – https://catalog.us-east-1.prod.workshops.aws/workshops/33e6d0e7-f927-4531-abb1-f28a86ba0872/en-US/3-sso-amazonconnect-azuread
- Saroj Kumar Jena YouTube Channel – https://youtu.be/w0fAvakPmx8