aws-solutions / qnabot-on-aws

AWS QnABot is a multi-channel, multi-language conversational interface (chatbot) that responds to your customer's questions, answers, and feedback. The solution allows you to deploy a fully functional chatbot across multiple channels including chat, voice, SMS and Amazon Alexa.
https://aws.amazon.com/solutions/implementations/aws-qnabot
Apache License 2.0
389 stars 249 forks

Expose the Cognito group used for authorization as a CFn parameter. Allow multiple groups. #396

Closed t-jones closed 1 year ago

t-jones commented 2 years ago

Is your feature request related to a problem? Please describe.

Many customers have existing identity management / SSO solutions deployed inside their enterprises, e.g. Azure AD. They commonly want to integrate access to the QnABot designer, etc., with this infrastructure, generally using SAML federation. After a SAML IdP is configured inside Cognito, when a user tries to log in, they are denied access. At this point, the user must be added to the Admin group inside Cognito. This can be done manually or with a Lambda function tied to the Cognito Post-confirmation hook and maintained by the customer.

Describe the feature you'd like

Add the group used for Cognito authorization as a CFn parameter. As a bonus, support multiple groups. Then when a federated identity is added to Cognito, the group associated with these users could be added to QnABot and users granted access.

For example, if a federated sign-in identity provider named AzureAdIdp is added to the user pool, a group called region_XXXXXXXXX_AzureAdIdp is automatically created and all users federating in via this provider are added to the group. It would be nice to click Update on the stack, add this name to a CFn parameter, and have access to the QnABot designer be granted.
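The check the request describes, as an added example that is not part of the issue or of the QnABot project's code: the allowed group names come from a single parameter value (assumed here to be a comma-separated list, a constructed convention), the user's groups are read from the `cognito:groups` claim of an ID token the caller has already signature-verified, and access is granted when the two intersect. The group naming helper follows the `region_XXXXXXXXX_AzureAdIdp` pattern quoted above; the pool ID, provider name and claim sets are constructed sample values.

```javascript
// Added example (not QnABot project code): group-based authorization where the
// allowed groups are configurable and more than one group may grant access.
// Assumes the claims passed in were already verified (signature, issuer,
// audience, expiry); this code only makes the authorization decision.

// Parse a comma-separated parameter value into a de-duplicated Set of names.
// Blank entries are dropped so "Admins, ,ops" cannot admit an empty group name.
function parseAllowedGroups(paramValue) {
  return new Set(
    String(paramValue || "")
      .split(",")
      .map((g) => g.trim())
      .filter((g) => g.length > 0)
  );
}

// Cognito auto-creates a group for users federating through an identity
// provider, named "<userPoolId>_<providerName>" (e.g. region_XXXXXXXXX_AzureAdIdp).
function federatedGroupName(userPoolId, providerName) {
  return `${userPoolId}_${providerName}`;
}

// Read the groups claim defensively: Cognito emits "cognito:groups" as an array,
// but treat a missing claim, a bare string, or any other shape as "no groups"
// rather than throwing inside the authorizer.
function groupsFromClaims(claims) {
  const raw = claims && claims["cognito:groups"];
  if (Array.isArray(raw)) return raw.filter((g) => typeof g === "string");
  if (typeof raw === "string" && raw.length > 0) return [raw];
  return [];
}

// Authorization decision: allow when the user is in at least one allowed group.
// Returns the matching group name (useful for an audit log entry), or null when denied.
function authorizeByGroup(claims, allowedGroups) {
  for (const g of groupsFromClaims(claims)) {
    if (allowedGroups.has(g)) return g;
  }
  return null;
}

// Constructed sample parameter: the default Admin group plus the auto-created
// group for a SAML provider named AzureAdIdp in a fictitious user pool.
const SAMPLE_POOL_ID = "us-east-1_XXXXXXXXX";
const SAMPLE_PARAM = `Admins,${federatedGroupName(SAMPLE_POOL_ID, "AzureAdIdp")}`;

// Constructed (not real) decoded ID-token claims for three users.
const SAMPLE_CLAIMS = {
  localAdmin: { sub: "u-1", "cognito:groups": ["Admins"] },
  federated: { sub: "u-2", "cognito:groups": ["us-east-1_XXXXXXXXX_AzureAdIdp"] },
  noGroups: { sub: "u-3" },
};

// Run the decision for each sample user and return the matched group or null.
function demo() {
  const allowed = parseAllowedGroups(SAMPLE_PARAM);
  const results = {};
  for (const [name, claims] of Object.entries(SAMPLE_CLAIMS)) {
    results[name] = authorizeByGroup(claims, allowed);
  }
  return results;
}

console.log(demo());
```

Returning the matched group rather than a bare boolean lets the designer's access log record which group admitted a federated user, which is what an operator needs when reviewing who was granted access after a stack update adds a new group name.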

tabdunabi commented 1 year ago

The enhancement did not receive enough support to be added to the roadmap