Single Sign-On

Access to the following AgentX components can be managed using your existing enterprise Single Sign-On provider.

  • Content Designer

  • Web Client

  • Reports and Dashboards

Federated authentication uses the SAML2 protocol, which is an industry standard for single sign-on.

Note: IdP-initiated sessions are not supported by Amazon Cognito. This means that access cannot be initiated through an SSO portal. Users must access the application through the Content Designer URL.

Gather details for SAML configuration

Before configuring the Identity Provider, gather the required details from Amazon CloudFormation.

  1. Log on to the AWS Console. Navigate to the service administration page for Amazon CloudFormation, and select the stack that represents the AgentX installation you want to work with.

  2. Select the Outputs tab in the stack details, and locate the outputs containing the SSO integration details.

  • SAMLEntityID

  • SAMLReplyURL

  • UserPoolURL

  3. Make a note of these values as they will be used later.

Identity Provider Configuration

Below you will find instructions to configure your identity provider.

Microsoft Entra (formerly Azure Active Directory)

  1. Create an Enterprise Application

    • Click New application on the toolbar

    • Choose Create your own application

    • Provide a name

    • Select Integrate any other application you don’t find in the gallery (Non-gallery)

    • Click Create

  2. Configure Single Sign-On

    • Select Single Sign On on the left navigation bar

    • Click the SAML box

    • Under Basic SAML Configuration, click Edit

    • For Identifier, enter the SAMLEntityID from the previous section.

    • For Reply URL, enter the SAMLReplyURL from the previous section. Index can be left blank.

    • Click Save

  3. Under SAML Certificates, copy the App Federation Metadata Url to use in the next section.

Amazon Cognito configuration

  1. Log on to the AWS Console. Navigate to the UserPoolURL link that was saved earlier.

  2. Select Social and custom providers on the left navigation bar.

  3. Click Add identity provider and select SAML.

  4. Enter a Provider name. This is the friendly name for your identity provider. If unsure what to use here, the name of your company is usually appropriate. For example: AcmeCorp or AcmeCorp-SSO. This name will appear in the logon page presented to users. Spaces and underscores are not permitted.

  5. Under Identifiers, include the email domain(s) for users who should be directed to this identity provider. Multiple values should be separated by a comma.

  6. Under Metadata document source, choose Enter metadata document endpoint URL

  7. Paste the metadata URL, copied in the previous section.

  8. Include a mapping for the email attribute. The SAML attribute name will normally be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, but check the documentation for your identity provider.

  9. Click Add identity provider.

  10. Select App clients on the left navigation bar.

    • For each client listed, select the client to edit it.

    • Select the Login pages tab

    • In the Managed login pages configuration section, click Edit.

    • Under Identity Providers, add the SAML provider you just created.

    • Click Save changes

  11. Select the User Pool Properties tab

    • Click the Add Lambda Trigger button.

    • Set the type to Sign-Up and choose Post Confirmation Trigger.

    • On the Lambda Function tile, assign the AutoAdminFunction. It will have a name like <stack_name>-AutoAdminFunction-<random-string>

    • Click Add lambda trigger
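The Cognito steps above (provider creation in steps 4 to 8, and enabling the provider on every app client in step 10) can also be scripted. The following is an added example and not part of the AgentX project; it assumes a boto3-style `cognito-idp` client is passed in, and it re-sends each app client's full configuration because UpdateUserPoolClient resets any setting that is omitted.

```python
import re
from typing import Any

# Claim name Microsoft Entra uses for the e-mail attribute (from the page above).
ENTRA_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# The page forbids spaces and underscores in the provider name; this example assumes
# letters, digits and hyphens only (a conservative subset of what Cognito accepts).
_PROVIDER_NAME = re.compile(r"^[A-Za-z0-9-]{1,32}$")
# Fields returned by DescribeUserPoolClient that UpdateUserPoolClient does not accept.
_READ_ONLY = {"ClientSecret", "LastModifiedDate", "CreationDate"}


def build_saml_provider_request(user_pool_id, provider_name, metadata_url,
                                email_domains, email_claim=ENTRA_EMAIL_CLAIM) -> dict[str, Any]:
    """Parameters for cognito-idp CreateIdentityProvider (steps 4 to 8 above)."""
    if not _PROVIDER_NAME.match(provider_name):
        raise ValueError("provider name may contain only letters, digits and hyphens")
    if not metadata_url.startswith("https://"):
        raise ValueError("metadata endpoint must be an https URL")
    domains = sorted({d.strip().lower() for d in email_domains if d.strip()})
    if not domains:
        raise ValueError("at least one e-mail domain identifier is required")
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": {"MetadataURL": metadata_url},
        "AttributeMapping": {"email": email_claim},
        "IdpIdentifiers": domains,
    }


def enable_provider_on_clients(cognito, user_pool_id, provider_name) -> list[str]:
    """Step 10: add the provider to every app client, keeping the providers already enabled."""
    updated = []
    for page in cognito.get_paginator("list_user_pool_clients").paginate(UserPoolId=user_pool_id):
        for client in page["UserPoolClients"]:
            cfg = cognito.describe_user_pool_client(
                UserPoolId=user_pool_id, ClientId=client["ClientId"])["UserPoolClient"]
            providers = cfg.get("SupportedIdentityProviders", [])
            if provider_name in providers:
                continue  # already enabled; nothing to change
            cfg = {k: v for k, v in cfg.items() if k not in _READ_ONLY}
            cfg["SupportedIdentityProviders"] = providers + [provider_name]
            cognito.update_user_pool_client(**cfg)
            updated.append(client["ClientId"])
    return updated


def configure_sso(cognito, user_pool_id, provider_name, metadata_url, email_domains):
    """Create the SAML provider, then enable it on all app clients; returns the updated client IDs."""
    cognito.create_identity_provider(**build_saml_provider_request(
        user_pool_id, provider_name, metadata_url, email_domains))
    return enable_provider_on_clients(cognito, user_pool_id, provider_name)
```

Run it with `boto3.client("cognito-idp")` as the first argument; the app client's OAuth settings are preserved because the described configuration is sent back unchanged apart from the provider list.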