Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems that each user is authorized to access. In an earlier post, we discussed how you can build private and secure enterprise generative AI applications with Amazon Q Business and AWS IAM Identity Center. If you want to use Amazon Q Business to build enterprise generative AI applications and have not yet adopted organization-wide use of AWS IAM Identity Center, you can use Amazon Q Business IAM Federation to directly manage user access to Amazon Q Business applications from your enterprise identity provider (IdP), such as Okta or Ping Identity. Amazon Q Business IAM Federation uses Federation with IAM and does not require the use of IAM Identity Center.
AWS recommends using AWS IAM Identity Center if you have a large number of users, in order to achieve a seamless user access management experience for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. You can use federated groups to define access control, and a user is charged only one time for their highest tier of Amazon Q Business subscription. Although Amazon Q Business IAM Federation enables you to build private and secure generative AI applications without requiring the use of IAM Identity Center, it is comparatively constrained: it has no support for federated groups, and it limits the ability to charge a user only one time for their highest subscription tier to Amazon Q Business applications that share a SAML identity provider or OIDC identity provider in a single AWS account.
This post shows how you can use Amazon Q Business IAM Federation for user access management of your Amazon Q Business applications.
Solution overview
To implement this solution, you create an IAM identity provider for SAML or an IAM identity provider for OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider.
When responding to requests by an authenticated user, the Amazon Q Business application uses the IAM identity provider configuration to validate the user identity. The application can respond securely and confidentially by enforcing access control lists (ACLs) to generate responses from only the enterprise content the user is authorized to access.
We use the same example from Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center, a generative AI employee assistant built with Amazon Q Business, to demonstrate how to set it up using IAM Federation so that it answers only from enterprise content that each employee has permission to access. Thus, the employees are able to converse securely and privately with this assistant.
Architecture
Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP, such as an Okta or Ping Identity account, using Federation with IAM. This involves a one-time setup of creating a SAML or OIDC application integration in your IdP account, and then creating a corresponding SAML identity provider or OIDC identity provider in AWS IAM. This SAML or OIDC IAM identity provider is required for you to create an Amazon Q Business application. The IAM identity provider is used by the Amazon Q Business application to validate and trust the federated identities of users authenticated by the enterprise IdP, and to associate a unique identity with each user. Thus, a user is uniquely identified across all Amazon Q Business applications sharing the same SAML IAM identity provider or OIDC IAM identity provider.
The following diagram shows a high-level architecture and authentication workflow. The enterprise IdP, such as Okta or Ping Identity, is used as the access manager for an authenticated user to interact with an Amazon Q Business application using an Amazon Q web experience or a custom application using an API.
The user authentication workflow consists of the following steps:
- The client application makes an authentication request to the IdP on behalf of the user.
- The IdP responds with identity or access tokens in OIDC mode, or a SAML assertion in SAML 2.0 mode. Amazon Q Business IAM Federation requires the enterprise IdP application integration to provide a specific principal tag Email attribute with its value set to the email address of the authenticated user. If user attributes such as role or location (city, state, country) are present in the SAML or OIDC assertions, Amazon Q Business will extract these attributes for personalization. These attributes are included in the ID token claims in OIDC mode, and in the SAML assertion in SAML 2.0 mode.
- The client application makes an AssumeRoleWithWebIdentity (OIDC mode) or AssumeRoleWithSAML (SAML mode) API call to AWS Security Token Service (AWS STS) to acquire AWS SigV4 credentials. Email and other attributes are extracted and enforced by the Amazon Q Business application using session tags in AWS STS. The AWS SigV4 credentials include information about the federated user.
- The client application uses the credentials obtained in the previous step to make Amazon Q Business API calls on behalf of the authenticated user. The Amazon Q Business application knows the user identity based on the credential used to make the API calls, shows only that user's conversation history, and enforces document ACLs. The application retrieves from the index only those documents that the user is authorized to access and that are relevant to the user's query, to be included as context when the query is sent to the underlying large language model (LLM). The application generates a response based only on enterprise content that the user is authorized to access.
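The following Python script is an added example written for this post, not code from the post or from AWS. It walks the client side of steps 2 through 4 in OIDC mode: it decodes the ID token returned by the IdP, checks that the token carries the https://aws.amazon.com/tags claim with the principal_tags.Email value that Amazon Q Business keys the user identity on, builds the AssumeRoleWithWebIdentity request, and finally calls the Amazon Q Business ChatSync API with the resulting credentials. The issuer, client ID and role ARN are placeholders, the sample token is constructed and unsigned, and the boto3 calls (sts.assume_role_with_web_identity, qbusiness.chat_sync) are the API as assumed by the example. The client-side checks are only a fail-fast sanity check: the trust boundary is AWS STS, which verifies the token signature, issuer and audience against the IAM OIDC identity provider.

```python
import base64
import json
import re

TAG_CLAIM = "https://aws.amazon.com/tags"

# Placeholder values for this demo (assumptions, not values from the post).
ISSUER = "https://dev-123456.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
WEB_EXPERIENCE_ROLE_ARN = "arn:aws:iam::111122223333:role/QBusinessWebExperienceRole"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS without verifying the signature.

    AWS STS verifies signature, issuer and audience against the IAM OIDC identity
    provider; this decode only lets the client fail fast before spending an STS call.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def extract_principal_email(claims: dict, issuer: str, client_id: str) -> str:
    """Return the Email principal tag, the identity Amazon Q Business enforces ACLs on."""
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token audience does not match the IAM identity provider audience")
    email = claims.get(TAG_CLAIM, {}).get("principal_tags", {}).get("Email")
    # STS expects each principal tag value as a single-element array of strings.
    if not (isinstance(email, list) and len(email) == 1
            and isinstance(email[0], str) and "@" in email[0]):
        raise ValueError("missing or malformed principal_tags.Email claim")
    return email[0]


def build_assume_role_request(role_arn: str, id_token: str, email: str,
                              duration_seconds: int = 3600) -> dict:
    """Keyword arguments for sts.assume_role_with_web_identity().

    RoleSessionName allows only letters, digits and the characters + = , . @ - _
    (2 to 64 of them), so the email is sanitized. The session tags themselves
    come from the token, not from this request.
    """
    session_name = re.sub(r"[^\w+=,.@-]", "-", email)[:64]
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": id_token,
        "DurationSeconds": duration_seconds,
    }


def make_sample_id_token(email: str) -> str:
    """Constructed, unsigned token shaped like the Okta ID token the post configures.

    A real Okta token is RS256-signed; STS rejects an unsigned token like this one.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": "00uexamplesub",
        "email": email,
        TAG_CLAIM: {"principal_tags": {"Email": [email]}},
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def chat_as_federated_user(id_token: str, application_id: str,
                           user_message: str, region: str) -> str:
    """Steps 3 and 4 against real AWS endpoints (needs boto3 and network access)."""
    import boto3  # imported here so the offline helpers above need no AWS SDK

    email = extract_principal_email(decode_id_token_claims(id_token), ISSUER, CLIENT_ID)
    creds = boto3.client("sts", region_name=region).assume_role_with_web_identity(
        **build_assume_role_request(WEB_EXPERIENCE_ROLE_ARN, id_token, email)
    )["Credentials"]
    qbusiness = boto3.client(
        "qbusiness", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    # The user identity travels in the SigV4 credential, so no user parameter is passed.
    return qbusiness.chat_sync(applicationId=application_id,
                               userMessage=user_message)["systemMessage"]


if __name__ == "__main__":
    token = make_sample_id_token("mateo.jackson@example.com")
    who = extract_principal_email(decode_id_token_claims(token), ISSUER, CLIENT_ID)
    print(who, build_assume_role_request(WEB_EXPERIENCE_ROLE_ARN, token, who)["RoleSessionName"])
```

Run as-is, the script only exercises the offline part with the constructed token; chat_as_federated_user is what a custom application would call with a real Okta ID token. Note that nothing in the Amazon Q Business call names the user: if the Email principal tag is absent from the token, STS issues no tags for the session and the application cannot map the caller to a user, which is why the check is done before the STS call.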
How subscriptions work with Amazon Q Business IAM Federation
The way user subscriptions are handled when you use IAM Identity Center vs. IAM Federation is different.
For applications that use IAM Identity Center, AWS will de-duplicate subscriptions across all Amazon Q Business applications and accounts, and charge each user only one time for their highest subscription level. De-duplication applies only if the Amazon Q Business applications share the same organization instance of IAM Identity Center. Users subscribed to Amazon Q Business applications using IAM Federation will be charged one time when the applications share the same SAML IAM identity provider or OIDC IAM identity provider. Amazon Q Business applications can share the same SAML IAM identity provider or OIDC IAM identity provider only if they are in the same AWS account. For example, if you use Amazon Q Business IAM Federation and want to use Amazon Q Business applications across three separate AWS accounts, each AWS account would require its own SAML identity provider or OIDC identity provider to be created and used in the corresponding Amazon Q Business applications, and a user subscribed to these three Amazon Q Business applications would be charged three times. In another example, if a user is subscribed to some Amazon Q Business applications that use IAM Identity Center and others that use IAM Federation, they will be charged one time across all IAM Identity Center applications and one time per SAML IAM identity provider or OIDC IAM identity provider used by the Amazon Q Business applications using IAM Federation.
For Amazon Q Business applications using IAM Identity Center, the Amazon Q Business administrator directly assigns subscriptions for groups and users on the Amazon Q Business management console. For an Amazon Q Business application using IAM Federation, the administrator chooses the default subscription tier during application creation. When an authenticated user logs in using either the Amazon Q Business application web experience or a custom application using the Amazon Q Business API, that user is automatically subscribed to the default tier.
Limitations
At the time of writing, Amazon Q Business IAM Federation has the following limitations:
- Amazon Q Business doesn't support OIDC for Google and Microsoft Entra ID.
- There is no built-in mechanism to validate a user's membership in federated groups defined in the enterprise IdP. If you're using ACLs in your data sources with groups federated from the enterprise IdP, you can use the PutGroup API to define the federated groups in the Amazon Q Business user store. This way, the Amazon Q Business application can validate a user's membership in the federated group and enforce the ACLs accordingly. This limitation doesn't apply to configurations where the groups used in ACLs are defined locally within the data sources. For more information, refer to Group mapping.
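The following Python script is an added example, not code from the post or from AWS, showing the workaround described in the second limitation: it takes an export of group membership from the enterprise IdP and turns it into PutGroup requests for the Amazon Q Business user store, so that data source ACLs that name IdP groups can be enforced. The application ID, index ID and the group export are constructed placeholders; because the post configures Email as the principal tag, each group member is identified by their email address, and the script deliberately does not normalize case or whitespace beyond trimming so that the userId matches the tag value exactly. The boto3 qbusiness.put_group call and its request shape (groupName, type, groupMembers with memberUsers and memberGroups) are the API as assumed by the example.

```python
from typing import Dict, Iterable, List, Sequence

# Placeholder identifiers for this demo (assumptions, not values from the post).
APPLICATION_ID = "11111111-2222-3333-4444-555555555555"
INDEX_ID = "66666666-7777-8888-9999-000000000000"

# Constructed sample export from the IdP: group name -> member email addresses.
# Email is the principal tag the post configures, so it is the userId that
# Amazon Q Business compares against the document ACLs.
IDP_GROUPS: Dict[str, List[str]] = {
    "Finance-Group": ["mary.major@example.com", "mateo.jackson@example.com",
                      "mary.major@example.com"],  # duplicate on purpose
    "ACME-Project": ["mary.major@example.com"],
    "AnyOrgApp-Project": ["mateo.jackson@example.com"],
}
# Constructed one-level nesting: parent group -> child groups.
IDP_NESTED: Dict[str, List[str]] = {
    "All-Employees": ["ACME-Project", "AnyOrgApp-Project"],
}


def build_put_group_request(application_id: str, index_id: str, group_name: str,
                            members: Sequence[str], nested: Sequence[str] = ()) -> dict:
    """Build one PutGroup request of type INDEX (a group defined for the whole index)."""
    if not group_name.strip():
        raise ValueError("group name must not be empty")
    seen, users = set(), []
    for email in members:
        email = email.strip()
        if "@" not in email:
            raise ValueError(f"member {email!r} of {group_name!r} is not an email address")
        # userId has to equal the Email principal tag exactly; no case folding.
        if email not in seen:
            seen.add(email)
            users.append({"userId": email, "type": "INDEX"})
    groups = [{"groupName": g, "type": "INDEX"} for g in nested]
    if not users and not groups:
        raise ValueError(f"group {group_name!r} has no members")
    return {
        "applicationId": application_id,
        "indexId": index_id,
        "groupName": group_name,
        "type": "INDEX",
        "groupMembers": {"memberUsers": users, "memberGroups": groups},
    }


def build_all_requests(application_id: str, index_id: str,
                       idp_groups: Dict[str, List[str]],
                       nested: Dict[str, List[str]]) -> List[dict]:
    """One PutGroup request per IdP group, child groups before their parents."""
    names = set(idp_groups) | set(nested)
    for parent, children in nested.items():
        missing = [c for c in children if c not in names]
        if missing:
            raise ValueError(f"{parent!r} references unknown groups {missing}")
    # Groups without children first, then parents, so a parent's memberGroups
    # refer to groups that have already been put (design choice, one level deep).
    order = sorted(names, key=lambda g: (g in nested, g))
    return [build_put_group_request(application_id, index_id, g,
                                    idp_groups.get(g, []), nested.get(g, ()))
            for g in order]


def sync_groups(client, requests: Iterable[dict]) -> List[str]:
    """Push each request with a boto3 qbusiness client; returns the group names pushed."""
    pushed = []
    for req in requests:
        client.put_group(**req)  # assumed: boto3 QBusiness.Client.put_group
        pushed.append(req["groupName"])
    return pushed


if __name__ == "__main__":
    import sys
    requests = build_all_requests(APPLICATION_ID, INDEX_ID, IDP_GROUPS, IDP_NESTED)
    for req in requests:
        print(req["groupName"], req["groupMembers"])
    if "--push" in sys.argv:  # needs boto3, network access and PutGroup permission
        import boto3
        print("pushed:", sync_groups(boto3.client("qbusiness"), requests))
```

Without --push the script only prints the requests it would send. Because the user store is what the application consults at query time, this sync has to run whenever group membership changes in the IdP; otherwise a user removed from a group in Okta keeps seeing documents whose ACL names that group until the next sync.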
Guidelines for choosing a user access mechanism
The following table summarizes the guidelines to consider when choosing a user access mechanism.

| Federation type | AWS account type | Amazon Q Business subscription billing scope | Supported identity source | Other considerations |
| --- | --- | --- | --- | --- |
| Federated with IAM Identity Center | Multiple accounts managed by AWS Organizations | AWS organization; supports federated group-level subscriptions to Amazon Q Business applications | All identity sources supported by IAM Identity Center: IAM Identity Center directory, Active Directory, and IdP | AWS recommends this option if you have a large number of users and multiple applications, with many federated groups used to define access control and permissions. |
| Federated with IAM using an OIDC IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same OIDC IAM identity provider | IdP with OIDC application integration | This method is more straightforward to configure compared to a SAML 2.0 provider. It is also less complex to share IdP application integrations across Amazon Q Business web experiences and custom applications using Amazon Q Business APIs. |
| Federated with IAM using a SAML IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same SAML IAM identity provider | IdP with SAML 2.0 application integration | This method is more complex to configure compared to OIDC, and requires a separate IdP application integration for each Amazon Q Business web experience. Some sharing is possible for custom applications using Amazon Q Business APIs. |
Prerequisites
To implement the sample use case described in this post, you need an Okta account. This post covers workflows for both OIDC and SAML 2.0, so you can follow either one or both workflows based on your interest. You need to create application integrations for OIDC or SAML mode, and then configure the respective IAM identity providers in your AWS account, which will be required to create and configure your Amazon Q Business applications. Even though you use the same Okta account and the same AWS account to create two Amazon Q Business applications, one using an OIDC IAM identity provider and the other using a SAML IAM identity provider, the same user subscribed to both of these Amazon Q Business applications will be charged twice, because they don't share the underlying SAML or OIDC IAM identity providers.
Create an Amazon Q Business application with an OIDC IAM identity provider
To set up an Amazon Q Business application with an OIDC IAM identity provider, you first configure the Okta application integration using OIDC. Then you create an IAM identity provider for that OIDC app integration, and create an Amazon Q Business application using that OIDC IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with OIDC
Complete the following steps to create your Okta application integration with OIDC:
- On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
- Choose Create App Integration.
- For Sign-in method, select OIDC.
- For Application type, select Web Application.
- Choose Next.
- Give your app integration a name.
- Select Authorization Code and Refresh Token for Grant type.
- Confirm that Refresh token behavior is set to Use persistent token.
- For Sign-in redirect URIs, provide a placeholder value such as https://example.com/authorization-code/callback.
You update this later with the web experience URI of the Amazon Q Business application you create.
- On the Assignments tab, assign access to the appropriate users within your organization for your Amazon Q Business application.
In this step, you can select all users in your Okta organization, or choose select groups, such as Finance-Group if it's defined, or select individual users.
- Choose Save to save the app integration.
Your app integration will look similar to the following screenshots.
- Note the values for Client ID and Client secret to use in subsequent steps.
- On the Sign On tab, choose Edit next to OpenID Connect ID Token.
- For Issuer, note the Okta URL.
- Choose Cancel.
- In the navigation pane, choose Security and then API.
- Under API, Authorization Servers, choose default.
- On the Claims tab, choose Add Claim.
- For Name, enter https://aws.amazon.com/tags.
- For Include in token type, select ID Token.
- For Value, enter {"principal_tags": {"Email": {user.email}}}.
- Choose Create.
The claim will look similar to the following screenshot. It's a best practice to use a custom authorization server. However, because this is an illustration, we use the default authorization server.
Set up an IAM identity provider for OIDC
To set up an IAM identity provider for OIDC, complete the following steps:
- On the IAM console, choose Identity providers in the navigation pane.
- Choose Add provider.
- For Provider type, select OpenID Connect.
- For Provider URL, enter the Okta URL you copied earlier, followed by /oauth2/default.
- For Audience, enter the client ID you copied earlier.
- Choose Add provider.
Create an Amazon Q Business application with the OIDC IAM identity provider
Complete the following steps to create an Amazon Q Business application with the OIDC IdP:
- On the Amazon Q Business console, choose Create application.
- Give the application a name.
- For Access management method, select AWS IAM Identity provider.
- For Choose an Identity provider type, select OpenID Connect (OIDC).
- For Select Identity Provider, choose the IdP you created.
- For Client ID, enter the client ID of the Okta application integration you copied earlier.
- Leave the remaining settings as default and choose Create.
- In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
- For now, choose Next on the Connect data sources page. We configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
- In Web experience settings, uncheck Create web experience. Choose Done.
- On the Amazon Q Business Applications page, choose the application you just created to view the details.
- On the Application Details page, note the Application ID.
- In a new tab of your web browser, open the AWS Secrets Manager console. Choose Store a new secret.
- For Choose secret type, choose Other type of secret. For Key/value pairs, enter client_secret as the key and the client secret you copied from the Okta application integration as the value. Choose Next.
- For Configure secret, give a Secret name.
- For Configure rotation, unless you want to make any changes, accept the defaults and choose Next.
- For Review, review the secret you just stored, and choose Store.
- On the Secrets Manager Secrets page, choose the secret you just created. Note the Secret name and Secret ARN.
- Follow the instructions in IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role and the Secret Manager role. You'll require the Amazon Q Business Application ID, Secret name, and Secret ARN you copied earlier.
- Open the Application Details for your Amazon Q Business application. Choose Edit.
- For Update application, there is no need to make changes. Choose Update.
- For Update retriever, there is no need to make changes. Choose Next.
- For Connect data sources, there is no need to make changes. Choose Next.
- For Update access, select Create web experience.
- For Service role name, select the web experience IAM role you created earlier.
- For AWS Secrets Manager secret, select the secret you stored earlier.
- For Web Experience to use Secrets: Service role name, select the Secret Manager role you created earlier.
- Choose Update.
- On the Amazon Q Business Applications page, choose the application you just updated to view the details.
- Note the value for Deployed URL.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
- Open the Okta administration console, then open the Okta application integration you created earlier.
- On the General tab, choose Edit next to General Settings.
- For Sign-in redirect URIs, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the authorization-code/callback suffix is not deleted. The full URL should look like https://your_deployed_url/authorization-code/callback.
- Choose Save.
Create an Amazon Q Business application with a SAML 2.0 IAM identity provider
The process to set up an Amazon Q Business application with a SAML 2.0 IAM identity provider is similar to creating an application using OIDC. You first configure an Okta application integration using SAML 2.0. Then you create an IAM identity provider for that SAML 2.0 app integration, and create an Amazon Q Business application using the SAML 2.0 IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with SAML 2.0
Complete the following steps to create your Okta application integration with SAML 2.0:
- On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
- Choose Create App Integration.
- For Sign-in method, select SAML 2.0.
- Choose Next.
- On the General Settings page, enter an app name and choose Next.
This will open the Create SAML Integration page.
- For Single sign-on URL, enter a placeholder URL such as https://example.com/saml and deselect Use this for Recipient URL and Destination URL.
- For Recipient URL, enter https://signin.aws.amazon.com/saml.
- For Destination URL, enter the placeholder https://example.com/saml.
- For Audience URI (SP Entity ID), enter https://signin.aws.amazon.com/saml.
- For Name ID format, choose Persistent.
- Choose Next and then Finish.
The placeholder values of https://example.com will need to be updated with the deployment URL of the Amazon Q Business web experience, which you create in subsequent steps.
- On the Sign On tab of the app integration you just created, note the value for Metadata URL.
- Open the URL in your web browser, and save the document on your local computer.
The metadata will be required in subsequent steps.
Set up an IAM identity provider for SAML 2.0
To set up an IAM IdP for SAML 2.0, complete the following steps:
- On the IAM console, choose Identity providers in the navigation pane.
- Choose Add provider.
- For Provider type, select SAML.
- Enter a provider name.
- For Metadata document, choose Choose file and upload the metadata document you saved earlier.
- Choose Add provider.
- From the list of identity providers, choose the identity provider you just created.
- Note the values for ARN, Issuer URL, and SSO service location to use in subsequent steps.
Create an Amazon Q Business application with the SAML 2.0 IAM identity provider
Complete the following steps to create an Amazon Q Business application with the SAML 2.0 IAM identity provider:
- On the Amazon Q Business console, choose Create application.
- Give the application a name.
- For Access management method, select AWS IAM Identity provider.
- For Choose an Identity provider type, select SAML.
- For Select Identity Provider, choose the IdP you created.
- Leave the remaining settings as default and choose Create.
- In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
- For now, choose Next on the Connect data sources page. We will configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
- For Web experience settings, uncheck Create web experience. Choose Done.
- On the Amazon Q Business Applications page, choose the application you just created.
- On the Application Details page, note the Application ID.
- Follow the instructions in IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role. You'll require the Amazon Q Business Application ID you copied earlier.
- Open the Application Details for your Amazon Q Business application. Choose Edit.
- For Update application, there is no need to make changes. Choose Update.
- For Update retriever, there is no need to make changes. Choose Next.
- For Connect data sources, there is no need to make changes. Choose Next.
- For Update access, select Create web experience.
- For this post, we continue with the default setting.
- For Authentication URL, enter the value for SSO service location that you copied earlier.
- Choose Update.
- On the Amazon Q Business Applications page, choose the application you just updated to view the details.
- Note the values for Deployed URL and Web experience IAM role ARN to use in subsequent steps.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
- Open the Okta administration console, then open the Okta application integration you created earlier.
- On the General tab, choose Edit next to SAML Settings.
- For Single sign-on URL and Destination URL, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the /saml suffix isn't deleted.
- Choose Save.
- On the Edit SAML Integration page, in the Attribute Statements (optional) section, add attribute statements as listed in the following table.
This step is not optional; these attributes are used by the Amazon Q Business application to determine the identity of the user, so make sure they are correct.

| Name | Name format | Value |
| --- | --- | --- |
| https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email | Unspecified | user.email |
| https://aws.amazon.com/SAML/Attributes/Role | Unspecified | <Web experience IAM role ARN>,<identity-provider-arn> |
| https://aws.amazon.com/SAML/Attributes/RoleSessionName | Unspecified | user.email |

For the value of the https://aws.amazon.com/SAML/Attributes/Role attribute, concatenate the web experience IAM role ARN and the IdP ARN you copied earlier with a comma between them, without spaces or any other characters.
- Choose Next and Finish.
- On the Assignments tab, assign the users who can access the app integration you just created.
This step controls which users within your organization can access your Amazon Q Business application. You can enable self-service so that all users in your Okta organization can access it, or choose select groups, such as Finance-Group if it's defined, or select individual users.
Set up the data source
Whether you created the Amazon Q Business application using an OIDC IAM identity provider or a SAML 2.0 IAM identity provider, the procedure to create a data source remains the same. For this post, we set up a data source for Atlassian Confluence. The following steps show how to configure the data source for the Confluence environment. For more details on how to set up a Confluence data source, refer to Connecting Confluence (Cloud) to Amazon Q Business.
- On the Amazon Q Business Application details page, choose Add data source.
- On the Add data source page, choose Confluence.
- For Data source name, enter a name.
- For Source, select Confluence Cloud and enter the Confluence URL.
- For Authentication, select Basic authentication and enter the Secrets Manager secret.
- For IAM role, select Create a new service role.
- Leave the remaining settings as default.
- For Sync scope, select the appropriate content to sync.
- Under Space and regex patterns, provide the Confluence spaces to be included.
- For Sync mode, select Full sync.
- For Sync run schedule, choose Run on demand.
- Choose Add data source.
- After the data source creation is complete, choose Sync now to start the data source sync.
Wait until the sync is complete before logging in to the web experience to start querying.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage their enterprise content. The sample Amazon Q application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces with the following permissions:
- HR Space – All employees, including Mateo and Mary
- AnyOrgApp Project Space – Employees assigned to the project, including Mateo
- ACME Project Space – Employees assigned to the project, including Mary
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to know about their new team member activities and their fellow team members. They ask the same questions of the employee AI assistant but get different responses, because each has access to separate projects. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question for the new team member checklist. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits apply to their personal and family situations.
The following screenshot shows Mary asking the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows Mateo asking the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Although the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by any other user is critical for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Federation, and don't plan to use it further, you can unsubscribe, remove the automatically subscribed users from the application, and delete it so that your AWS account doesn't accumulate costs.
- To unsubscribe and remove users, go to the application details page and choose Manage subscriptions.
- Select all the users, choose Remove to remove subscriptions, and choose Done.
- To delete the application after removing the users, return to the application details page and choose Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as ensure the privacy and confidentiality of every employee. Amazon Q Business achieves this by integrating with IAM Identity Center or with IAM Federation to provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
In this post, we showed how Amazon Q Business IAM Federation uses SAML 2.0 and OIDC IAM identity providers to uniquely identify a user authenticated by the enterprise IdP, and how that user identity is then used to match up document ACLs set up in the data source. At query time, Amazon Q Business responds to a user query using only those documents that the user is authorized to access. This functionality is similar to that achieved by the integration of Amazon Q Business with IAM Identity Center we saw in an earlier post. Additionally, we provided the guidelines to consider when choosing a user access mechanism.
To learn more, refer to Amazon Q Business, now generally available, helps boost workforce productivity with generative AI and the Amazon Q Business User Guide.
About the authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.