AWS Security ChangesHomeSearch

AWS connect documentation change

Service: connect · 2026-05-10 · Documentation low

File: connect/latest/adminguide/configure-saml.md

Summary

Rebranded all references from 'Amazon Connect' to 'Connect Customer' throughout the SAML configuration documentation

Security assessment

The changes are purely branding/naming updates without modifications to security configurations, protocols, or vulnerabilities. All SAML implementation details remain identical except for the product name replacement. No security advisories, vulnerability fixes, or new security features were introduced.

Diff

diff --git a/connect/latest/adminguide/configure-saml.md b/connect/latest/adminguide/configure-saml.md
index eacecceb1..8ef3b52d5 100644
--- a//connect/latest/adminguide/configure-saml.md
+++ b//connect/latest/adminguide/configure-saml.md
@@ -7 +7 @@
-Important notesOverview of using SAML with Amazon ConnectEnabling SAML-based authentication for Amazon ConnectSelect SAML 2.0-based authentication during instance creationEnable SAML federation between your identity provider and AWSConfigure the identity provider to use regional SAML endpointsUse a destination in your relay state URLAdd users to your Amazon Connect instanceSAML user logging in and session duration
+Important notesOverview of using SAML with Connect CustomerEnabling SAML-based authentication for Connect CustomerSelect SAML 2.0-based authentication during instance creationEnable SAML federation between your identity provider and AWSConfigure the identity provider to use regional SAML endpointsUse a destination in your relay state URLAdd users to your Connect Customer instanceSAML user logging in and session duration
@@ -9 +9 @@ Important notesOverview of using SAML with Amazon ConnectEnabling SAML-based aut
-# Configure SAML with IAM for Amazon Connect
+# Configure SAML with IAM for Connect Customer
@@ -11 +11 @@ Important notesOverview of using SAML with Amazon ConnectEnabling SAML-based aut
-Amazon Connect supports identity federation by configuring Security Assertion Markup Language (SAML) 2.0 with AWS IAM to enable web-based single sign-on (SSO) from your organization to your Amazon Connect instance. This allows your users to sign in to a portal in your organization hosted by a SAML 2.0 compatible identity provider (IdP) and log in to an Amazon Connect instance with a single sign-on experience without having to provide separate credentials for Amazon Connect.
+Connect Customer supports identity federation by configuring Security Assertion Markup Language (SAML) 2.0 with AWS IAM to enable web-based single sign-on (SSO) from your organization to your Connect Customer instance. This allows your users to sign in to a portal in your organization hosted by a SAML 2.0 compatible identity provider (IdP) and log in to an Connect Customer instance with a single sign-on experience without having to provide separate credentials for Connect Customer.
@@ -17 +17 @@ Before you begin, note the following:
-  * These instructions do not apply to Amazon Connect Global Resiliency deployments. For information that applies to Amazon Connect Global Resiliency, see [Integrate your identity provider (IdP) with an Amazon Connect Global Resiliency SAML sign in endpoint](./integrate-idp.html).
+  * These instructions do not apply to Connect Customer Global Resiliency deployments. For information that applies to Connect Customer Global Resiliency, see [Integrate your identity provider (IdP) with an Connect Customer Global Resiliency SAML sign in endpoint](./integrate-idp.html).
@@ -19 +19 @@ Before you begin, note the following:
-  * Choosing SAML 2.0-based authentication as the identity management method for your Amazon Connect instance requires the configuration of [AWS Identity and Access Management federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). 
+  * Choosing SAML 2.0-based authentication as the identity management method for your Connect Customer instance requires the configuration of [AWS Identity and Access Management federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). 
@@ -21 +21 @@ Before you begin, note the following:
-  * The user name in Amazon Connect must match the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider.
+  * The user name in Connect Customer must match the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider.
@@ -23 +23 @@ Before you begin, note the following:
-  * Amazon Connect does not support reverse federation. That is, you can't login directly into Amazon Connect. If you tried, you'd get a _Session Expired_ message. The authentication should be done from the Identity Provider (IdP) and not the Service Provider (SP) (Amazon Connect). 
+  * Connect Customer does not support reverse federation. That is, you can't login directly into Connect Customer. If you tried, you'd get a _Session Expired_ message. The authentication should be done from the Identity Provider (IdP) and not the Service Provider (SP) (Connect Customer). 
@@ -27 +27 @@ Before you begin, note the following:
-  * All Amazon Connect usernames are case sensitive, even when using SAML.
+  * All Connect Customer usernames are case sensitive, even when using SAML.
@@ -29 +29 @@ Before you begin, note the following:
-  * If you have old Amazon Connect instances that were set up with SAML and you need to update your Amazon Connect domain, see [Personal settings](./update-your-connect-domain.html#new-domain-settings). 
+  * If you have old Connect Customer instances that were set up with SAML and you need to update your Connect Customer domain, see [Personal settings](./update-your-connect-domain.html#new-domain-settings). 
@@ -34 +34 @@ Before you begin, note the following:
-## Overview of using SAML with Amazon Connect
+## Overview of using SAML with Connect Customer
@@ -36 +36 @@ Before you begin, note the following:
-The following diagram shows the order in which steps take place for SAML requests to authenticate users and federate with Amazon Connect. It is not a flow diagram for a threat model. 
+The following diagram shows the order in which steps take place for SAML requests to authenticate users and federate with Connect Customer. It is not a flow diagram for a threat model. 
@@ -38 +38 @@ The following diagram shows the order in which steps take place for SAML request
-![Overview of the request flow for SAML authentication requests with Amazon Connect.](/images/connect/latest/adminguide/images/saml-overview.png)
+![Overview of the request flow for SAML authentication requests with Connect Customer.](/images/connect/latest/adminguide/images/saml-overview.png)
@@ -42 +42 @@ SAML requests go through the following steps:
-  1. The user browses to an internal portal that includes a link to log in to Amazon Connect. The link is defined in the identity provider.
+  1. The user browses to an internal portal that includes a link to log in to Connect Customer. The link is defined in the identity provider.
@@ -50 +50 @@ SAML requests go through the following steps:
-  5. The user's browser posts the SAML assertion to the AWS sign in SAML endpoint (https://signin.aws.amazon.com/saml). AWS sign in receives the SAML request, processes the request, authenticates the user, and initiates a browser redirect to the Amazon Connect endpoint with the authentication token.
+  5. The user's browser posts the SAML assertion to the AWS sign in SAML endpoint (https://signin.aws.amazon.com/saml). AWS sign in receives the SAML request, processes the request, authenticates the user, and initiates a browser redirect to the Connect Customer endpoint with the authentication token.
@@ -52 +52 @@ SAML requests go through the following steps:
-  6. Using the authentication token from AWS, Amazon Connect authorizes the user and opens Amazon Connect in their browser.
+  6. Using the authentication token from AWS, Connect Customer authorizes the user and opens Connect Customer in their browser.
@@ -57 +57 @@ SAML requests go through the following steps:
-## Enabling SAML-based authentication for Amazon Connect
+## Enabling SAML-based authentication for Connect Customer
@@ -59 +59 @@ SAML requests go through the following steps:
-The following steps are required to enable and configure SAML authentication for use with your Amazon Connect instance:
+The following steps are required to enable and configure SAML authentication for use with your Connect Customer instance:
@@ -61 +61 @@ The following steps are required to enable and configure SAML authentication for
-  1. Create an Amazon Connect instance and select SAML 2.0-based authentication for identity management.
+  1. Create an Connect Customer instance and select SAML 2.0-based authentication for identity management.
@@ -65 +65 @@ The following steps are required to enable and configure SAML authentication for
-  3. Add Amazon Connect users to your Amazon Connect instance. Log in to your instance using the administrator account created when you created your instance. Go to the **User Management** page and add users. 
+  3. Add Connect Customer users to your Connect Customer instance. Log in to your instance using the administrator account created when you created your instance. Go to the **User Management** page and add users. 
@@ -71 +71 @@ The following steps are required to enable and configure SAML authentication for
-     * Due to the association of an Amazon Connect user and an AWS IAM Role, the user name must match exactly the RoleSessionName as configured with your AWS IAM federation integration, which typically ends up being the user name in your directory. The format of the username should match the intersection of the format conditions of the [RoleSessionName](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and an [Amazon Connect user](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html#connect-CreateUser-request-DirectoryUserId), as shown in the following diagram:
+     * Due to the association of an Connect Customer user and an AWS IAM Role, the user name must match exactly the RoleSessionName as configured with your AWS IAM federation integration, which typically ends up being the user name in your directory. The format of the username should match the intersection of the format conditions of the [RoleSessionName](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and an [Connect Customer user](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html#connect-CreateUser-request-DirectoryUserId), as shown in the following diagram:
@@ -73 +73 @@ The following steps are required to enable and configure SAML authentication for
-![Ven diagram of rolesessionname and Amazon Connect user.](/images/connect/latest/adminguide/images/saml-ven-diagram.png)
+![Ven diagram of rolesessionname and Connect Customer user.](/images/connect/latest/adminguide/images/saml-ven-diagram.png)
@@ -75 +75 @@ The following steps are required to enable and configure SAML authentication for
-  4. Configure your identity provider for the SAML assertions, authentication response, and relay state. Users log in to your identity provider. When successful, they are redirected to your Amazon Connect instance. The IAM role is used to federate with AWS, which allows access to Amazon Connect.
+  4. Configure your identity provider for the SAML assertions, authentication response, and relay state. Users log in to your identity provider. When successful, they are redirected to your Connect Customer instance. The IAM role is used to federate with AWS, which allows access to Connect Customer.
@@ -82 +82 @@ The following steps are required to enable and configure SAML authentication for
-When you are creating your Amazon Connect instance, select the SAML 2.0-based authentication option for identity management. On the second step, when you create the administrator for the instance, the user name that you specify must exactly match a user name in your existing network directory. There is no option to specify a password for the administrator because passwords are managed through your existing directory. The administrator is created in Amazon Connect and assigned the **Admin** security profile.
+When you are creating your Connect Customer instance, select the SAML 2.0-based authentication option for identity management. On the second step, when you create the administrator for the instance, the user name that you specify must exactly match a user name in your existing network directory. There is no option to specify a password for the administrator because passwords are managed through your existing directory. The administrator is created in Connect Customer and assigned the **Admin** security profile.
@@ -84 +84 @@ When you are creating your Amazon Connect instance, select the SAML 2.0-based au
-You can log in to your Amazon Connect instance, through your IdP, using the administrator account to add additional users.
+You can log in to your Connect Customer instance, through your IdP, using the administrator account to add additional users.
@@ -88 +88 @@ You can log in to your Amazon Connect instance, through your IdP, using the admi
-To enable SAML-based authentication for Amazon Connect, you must create an identity provider in the IAM console. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
+To enable SAML-based authentication for Connect Customer, you must create an identity provider in the IAM console. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
@@ -90 +90 @@ To enable SAML-based authentication for Amazon Connect, you must create an ident
-The process to create an identity provider for AWS is the same for Amazon Connect. Step 6 in the above flow diagram shows the client is sent to your Amazon Connect instance instead of the AWS Management Console.
+The process to create an identity provider for AWS is the same for Connect Customer. Step 6 in the above flow diagram shows the client is sent to your Connect Customer instance instead of the AWS Management Console.
@@ -96 +96 @@ The steps necessary to enable SAML federation with AWS include:
-  2. Create an IAM role for SAML 2.0 federation with the AWS Management Console. Create only one role for federation (only one role is needed and used for federation). The IAM role determines which permissions the users that log in through your identity provider have in AWS. In this case, the permissions are for accessing Amazon Connect. You can control the permissions to features of Amazon Connect by using security profiles in Amazon Connect. For more information, see [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).
+  2. Create an IAM role for SAML 2.0 federation with the AWS Management Console. Create only one role for federation (only one role is needed and used for federation). The IAM role determines which permissions the users that log in through your identity provider have in AWS. In this case, the permissions are for accessing Connect Customer. You can control the permissions to features of Connect Customer by using security profiles in Connect Customer. For more information, see [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).
@@ -98 +98 @@ The steps necessary to enable SAML federation with AWS include:
-In step 5, choose **Allow programmatic and AWS Management Console access**. Create the trust policy described in the topic in the procedure _To prepare to create a role for SAML 2.0 federation_. Then create a policy to assign permissions to your Amazon Connect instance. Permissions start on step 9 of the _To create a role for SAML-based federation_ procedure.
+In step 5, choose **Allow programmatic and AWS Management Console access**. Create the trust policy described in the topic in the procedure _To prepare to create a role for SAML 2.0 federation_. Then create a policy to assign permissions to your Connect Customer instance. Permissions start on step 9 of the _To create a role for SAML-based federation_ procedure.
@@ -108 +108 @@ In step 5, choose **Allow programmatic and AWS Management Console access**. Crea
-Use this policy to enable federation for all users in a specific Amazon Connect instance. For SAML-based authentication, replace the value for the `Resource` to the ARN for the instance that you created:
+Use this policy to enable federation for all users in a specific Connect Customer instance. For SAML-based authentication, replace the value for the `Resource` to the ARN for the instance that you created:
@@ -131 +131 @@ JSON
-Use this policy to enable federation to a specific Amazon Connect instances. Replace the value for the `connect:InstanceId` to the instance ID for your instance.
+Use this policy to enable federation to a specific Connect Customer instances. Replace the value for the `connect:InstanceId` to the instance ID for your instance.
@@ -192 +192 @@ JSON
-  5. For Amazon Connect, leave the **Application Start URL** blank.
+  5. For Connect Customer, leave the **Application Start URL** blank.
@@ -194 +194 @@ JSON
-  6. Override the Application Consumer Service (ACS) URL in your identity provider to use the regional endpoint that coincides with the AWS Region of your Amazon Connect instance. For more information, see Configure the identity provider to use regional SAML endpoints. 
+  6. Override the Application Consumer Service (ACS) URL in your identity provider to use the regional endpoint that coincides with the AWS Region of your Connect Customer instance. For more information, see Configure the identity provider to use regional SAML endpoints. 
@@ -196 +196 @@ JSON
-  7. Configure the relay state of your identity provider to point to your Amazon Connect instance. The URL to use for the relay state is comprised as follows:
+  7. Configure the relay state of your identity provider to point to your Connect Customer instance. The URL to use for the relay state is comprised as follows:
@@ -200 +200 @@ JSON
-Replace the `region-id` with the Region name where you created your Amazon Connect instance, such as us-east-1 for US East (N. Virginia). Replace the `instance-id` with the instance ID for your instance.
+Replace the `region-id` with the Region name where you created your Connect Customer instance, such as us-east-1 for US East (N. Virginia). Replace the `instance-id` with the instance ID for your instance.
@@ -208 +208 @@ For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/** :
-You can find the instance ID for your instance by choosing the instance alias in the Amazon Connect console. The instance ID is the set of numbers and letters after '/instance' in the **Instance ARN** displayed on the **Overview** page. For example, the instance ID in the following Instance ARN is _178c75e4-b3de-4839-a6aa-e321ab3f3770_.
+You can find the instance ID for your instance by choosing the instance alias in the Connect Customer console. The instance ID is the set of numbers and letters after '/instance' in the **Instance ARN** displayed on the **Overview** page. For example, the instance ID in the following Instance ARN is _178c75e4-b3de-4839-a6aa-e321ab3f3770_.
@@ -217 +217 @@ arn:aws:connect:us-east-1:450725743157:instance/_178c75e4-b3de-4839-a6aa-e321ab3
-To provide the best availability we recommend using the regional SAML endpoint that coincides with your Amazon Connect instance instead of the default global endpoint.
+To provide the best availability we recommend using the regional SAML endpoint that coincides with your Connect Customer instance instead of the default global endpoint.
@@ -263 +263 @@ Following is an example of a revision:
-When you configure the relay state for your identity provider, you can use the destination argument in the URL to navigate users to a specific page in your Amazon Connect instance. For example, use a link to open the CCP directly when an agent logs in. The user must be assigned a security profile that grants access to that page in the instance. For example, to send agents to the CCP, use a URL similar to the following for the relay state. You must use [URL encoding](https://en.wikipedia.org/wiki/Percent-encoding) for the destination value used in the URL:
+When you configure the relay state for your identity provider, you can use the destination argument in the URL to navigate users to a specific page in your Connect Customer instance. For example, use a link to open the CCP directly when an agent logs in. The user must be assigned a security profile that grants access to that page in the instance. For example, to send agents to the CCP, use a URL similar to the following for the relay state. You must use [URL encoding](https://en.wikipedia.org/wiki/Percent-encoding) for the destination value used in the URL:
@@ -284 +284 @@ For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/**. S
-If you want to configure the destination argument to a URL outside of the Amazon Connect instance, such as your own custom website, first add that external domain to the account's approved origins. For example, perform the steps in the following order: 
+If you want to configure the destination argument to a URL outside of the Connect Customer instance, such as your own custom website, first add that external domain to the account's approved origins. For example, perform the steps in the following order: 
@@ -286 +286 @@ If you want to configure the destination argument to a URL outside of the Amazon
-  1. In the Amazon Connect console add https://`your-custom-website`.com to your approved origins. For instructions, see [Use an allowlist for integrated applications in Amazon Connect](./app-integration.html). 
+  1. In the Connect Customer console add https://`your-custom-website`.com to your approved origins. For instructions, see [Use an allowlist for integrated applications in Connect Customer](./app-integration.html). 
@@ -295 +295 @@ If you want to configure the destination argument to a URL outside of the Amazon
-## Add users to your Amazon Connect instance
+## Add users to your Connect Customer instance
@@ -297 +297 @@ If you want to configure the destination argument to a URL outside of the Amazon
-Add users to your connect instance, making sure that the user names exactly match the users names in your existing directory. If the names do not match, users can log in to the identity provider, but not to Amazon Connect because no user account with that user name exists in Amazon Connect. You can add users manually on the **User management** page, or you can bulk upload users with the CSV template. After you add the users to Amazon Connect, you can assign security profiles and other user settings.
+Add users to your connect instance, making sure that the user names exactly match the users names in your existing directory. If the names do not match, users can log in to the identity provider, but not to Connect Customer because no user account with that user name exists in Connect Customer. You can add users manually on the **User management** page, or you can bulk upload users with the CSV template. After you add the users to Connect Customer, you can assign security profiles and other user settings.
@@ -299 +299 @@ Add users to your connect instance, making sure that the user names exactly matc
-When a user logs in to the identity provider, but no account with the same user name is found in Amazon Connect, the following **Access denied** message is displayed.
+When a user logs in to the identity provider, but no account with the same user name is found in Connect Customer, the following **Access denied** message is displayed.
@@ -301 +301 @@ When a user logs in to the identity provider, but no account with the same user
-![An Access denied error for a user whose name is not in Amazon Connect.](/images/connect/latest/adminguide/images/saml-access-denied.png)
+![An Access denied error for a user whose name is not in Connect Customer.](/images/connect/latest/adminguide/images/saml-access-denied.png)
@@ -305 +305 @@ When a user logs in to the identity provider, but no account with the same user
-You can import your users by adding them to a CSV file. You can then import the CSV file to your instance, which adds all users in the file. If you add users by uploading a CSV file, make sure that you use the template for SAML users. You can find on the **User management** page in Amazon Connect. A different template is used for SAML-based authentication. If you previously downloaded the template, you should download the version available on the **User management** page after you set up your instance with SAML-based authentication. The template should not include a column for email or password.
+You can import your users by adding them to a CSV file. You can then import the CSV file to your instance, which adds all users in the file. If you add users by uploading a CSV file, make sure that you use the template for SAML users. You can find on the **User management** page in Connect Customer. A different template is used for SAML-based authentication. If you previously downloaded the template, you should download the version available on the **User management** page after you set up your instance with SAML-based authentication. The template should not include a column for email or password.
@@ -309 +309 @@ You can import your users by adding them to a CSV file. You can then import the
-When you use SAML in Amazon Connect, users must log in to Amazon Connect through your identity provider (IdP). Your IdP is configured to integrate with AWS. After authentication, a token for their session is created. The user is then redirected to your Amazon Connect instance and automatically logged in to Amazon Connect using single sign-on.
+When you use SAML in Connect Customer, users must log in to Connect Customer through your identity provider (IdP). Your IdP is configured to integrate with AWS. After authentication, a token for their session is created. The user is then redirected to your Connect Customer instance and automatically logged in to Connect Customer using single sign-on.
@@ -311 +311 @@ When you use SAML in Amazon Connect, users must log in to Amazon Connect through
-As a best practice, you should also define a process for your Amazon Connect users to log out when they are finished using Amazon Connect. They should log out from both Amazon Connect and your identity provider. If they do not, the next person that logs in to the same computer can log in to Amazon Connect without a password since the token for the previous sessions is still valid for the duration of the session. It's valid for 12 hours.
+As a best practice, you should also define a process for your Connect Customer users to log out when they are finished using Connect Customer. They should log out from both Connect Customer and your identity provider. If they do not, the next person that logs in to the same computer can log in to Connect Customer without a password since the token for the previous sessions is still valid for the duration of the session. It's valid for 12 hours.
@@ -315 +315 @@ As a best practice, you should also define a process for your Amazon Connect use
-Amazon Connect sessions expire 12 hours after a user logs in. After 12 hours, users are automatically logged out, even if they are currently on a call. If your agents stay logged in for more than 12 hours, they need to refresh the session token before it expires. To create a new session, agents need to log out of Amazon Connect and your IdP and then log in again. This resets the session timer set on the token so that agents are not logged out during an active contact with a customer. When a session expires while a user is logged in, the following message is displayed. To use Amazon Connect again, the user needs to log in to your identity provider.
+Connect Customer sessions expire 12 hours after a user logs in. After 12 hours, users are automatically logged out, even if they are currently on a call. If your agents stay logged in for more than 12 hours, they need to refresh the session token before it expires. To create a new session, agents need to log out of Connect Customer and your IdP and then log in again. This resets the session timer set on the token so that agents are not logged out during an active contact with a customer. When a session expires while a user is logged in, the following message is displayed. To use Connect Customer again, the user needs to log in to your identity provider.
@@ -321 +321 @@ Amazon Connect sessions expire 12 hours after a user logs in. After 12 hours, us
-If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Amazon Connect page. If you still get this message, contact your IT team.
+If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Connect Customer page. If you still get this message, contact your IT team.
@@ -329 +329 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Use an existing directory for identity management in Amazon Connect
+Use an existing directory for identity management in Connect Customer
@@ -331 +331 @@ Use an existing directory for identity management in Amazon Connect
-Troubleshoot SAML with Amazon Connect
+Troubleshoot SAML with Connect Customer