Amazon Q Business is a conversational assistant powered by generative AI that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems, which each user is authorized to access. AWS recommends using AWS IAM Identity Center when you have a large number of users in order to achieve a seamless user access management experience for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. When you want to use Amazon Q Business to build enterprise generative AI applications and have yet to adopt organization-wide use of IAM Identity Center, you can build private and secure enterprise generative AI applications with Amazon Q Business using IAM federation. This allows you to directly manage user access to Amazon Q Business applications from your enterprise identity provider (IdP), such as Okta or PingFederate.
Amazon Q Business provides a rich set of APIs to perform administrative tasks and to build an AI assistant with customized user experience for your enterprise. In this post, we show how to use Amazon Q Business APIs when using AWS Identity and Access Management (IAM) federation for user access management. We use illustrative scripts from the AWS samples open source repository to do the following:
As an Amazon Q Business administrator, use APIs to automate creation of Amazon Q Business applications using IAM federation for user access management
As an application builder, build and deploy custom applications to get AWS Sig V4 credentials with identity information on behalf of a user authenticated with the IdP
As an application developer, use the credentials obtained to enable the user to chat with your Amazon Q Business application and get responses only from that enterprise content which the user is authorized to access
To make this post consistent and self-sufficient, some content included overlaps with the post Build private and secure enterprise generative AI applications with Amazon Q Business using IAM Federation.
Solution overview
Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP account (such as Okta or Ping Identity) with IAM. The setup consists of the following steps:
Create a SAML or OIDC application integration in your IdP account. This step is performed by the IAM or security administrator in your organization.
Create a corresponding SAML IAM identity provider or OIDC IAM identity provider in IAM. The IAM identity provider is used by the Amazon Q Business application to validate and trust federated identities of users authenticated by the enterprise IdP and associate a unique identity with each user. This way, a user is uniquely identified across Amazon Q Business applications sharing the same SAML IAM identity provider or OIDC IAM identity provider. This step is performed by an AWS administrator or by an Amazon Q Business administrator, provided they have the IAM permissions to do so.
Create an Amazon Q Business application using the SAML or OIDC IAM identity provider. This step is performed by an Amazon Q Business administrator. The sample scripts create-iam-saml-qbiz-app.py and create-iam-oidc-qbiz-app.py illustrate how the administrators can automate Steps 2 and 3 using AWS APIs.
Users in your organization can use the Amazon Q Business web experience, a built-in application, to authenticate with your IdP and chat with the AI assistant. However, to address unique requirements of your organization, your developers can build a custom application, or integrate a preexisting enterprise portal with the Amazon Q Business application using the Amazon Q Business APIs, so that users authenticate with your IdP and chat with the AI assistant. The sample scripts samlapp.py and oidcapp.py, in conjunction with simple_aq.py, illustrate how to acquire AWS Sig V4 credentials that include the identities of your authenticated users; you can then use these credentials to invoke the Amazon Q Business conversation APIs and implement chat functionality.
Architecture
The following diagram shows a high-level architecture and authentication workflow. The enterprise IdP, such as Okta or Ping Identity, is used as the access manager for an authenticated user to interact with an Amazon Q Business application using an Amazon Q web experience or a custom application using an API.
The user authentication workflow consists of the following steps:
The client application makes an authentication request to the IdP on behalf of the user.
The IdP responds with identity or access tokens in OIDC mode, or a SAML assertion in SAML 2.0 mode. Amazon Q Business IAM Federation requires the enterprise IdP application integration to provide a special principal tag email attribute with its value set to the email address of the authenticated user. If user attributes such as role or location (city, state, country) are present in the SAML or OIDC assertions, Amazon Q Business will extract these attributes for personalization. These attributes are included in the identity token claims in OIDC mode, and in the SAML assertion in SAML 2.0 mode. The email attribute ties the authenticated human user to the identity token, and is later enforced using session tags in AWS Security Token Service (AWS STS).
The client application makes an AssumeRoleWithWebIdentity (OIDC mode) or AssumeRoleWithSAML (SAML mode) API call to AWS STS to acquire AWS Sig V4 credentials. Email and other attributes are extracted and enforced by the Amazon Q Business application using session tags in AWS STS. The AWS Sig V4 credentials include information about the federated user. The sample scripts samlapp.py and oidcapp.py illustrate this step.
AWS STS returns AWS Sig V4 credentials, which include user identity information.
The client application uses the credentials obtained in the previous step to make Amazon Q Business API calls on behalf of the authenticated user. The Amazon Q Business application knows the user identity based on the credential used to make the API calls, shows only the specific user’s conversation history, and enforces document access control lists (ACLs). The application retrieves only those documents from the index that the user is authorized to access and are relevant to the user’s query, to be included as context when the query is sent to the underlying large language model (LLM). The application generates a response based only on enterprise content that the user is authorized to access. The sample script simple_aq.py illustrates this step.
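The OIDC-mode path through steps 3 and 4 above, as an added example in Python with boto3 (not one of the post's sample scripts), with a fast pre-check that the IdP's id token actually carries the email principal tag before AssumeRoleWithWebIdentity is called. The `https://aws.amazon.com/tags` claim layout is the IAM session-tag claim format assumed from IAM documentation, and the demo token, user, IDs and role ARN are constructed placeholders.

```python
import base64
import json

# IAM session-tag claim the OIDC IdP must emit; STS turns principal_tags into
# session tags. Claim name is from the IAM docs, not from the post.
TAG_CLAIM = "https://aws.amazon.com/tags"


def make_demo_token(claims: dict) -> str:
    """Constructed JWT (header.payload.signature) for the offline check only;
    real id tokens come from the IdP and are signed."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


def email_principal_tag(id_token: str) -> str:
    """Return the email principal tag from the token, or raise. No signature
    check here (STS does that against the IAM OIDC provider); this just fails
    fast when the IdP integration was not configured to emit the tag."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    emails = claims.get(TAG_CLAIM, {}).get("principal_tags", {}).get("email") or []
    if len(emails) != 1:
        raise ValueError("id token has no single 'email' principal tag")
    return emails[0]


def assume_user_role(sts, role_arn: str, id_token: str) -> dict:
    """AssumeRoleWithWebIdentity: the returned Sig V4 credentials carry the
    email session tag, which Q Business uses as the user identity."""
    email = email_principal_tag(id_token)
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=email[:64], WebIdentityToken=id_token)
    return resp["Credentials"]


def chat_as_user(credentials: dict, application_id: str, message: str) -> str:
    """ChatSync with a client built from the federated credentials; boto3 is
    imported lazily so the token check runs without the SDK installed."""
    import boto3
    session = boto3.Session(aws_access_key_id=credentials["AccessKeyId"],
                            aws_secret_access_key=credentials["SecretAccessKey"],
                            aws_session_token=credentials["SessionToken"])
    resp = session.client("qbusiness").chat_sync(applicationId=application_id,
                                                 userMessage=message)
    return resp["systemMessage"]


# Constructed token: 'alice' is a made-up user, not from the post.
DEMO_TOKEN = make_demo_token({"sub": "okta|alice", "email": "alice@example.com",
                              TAG_CLAIM: {"principal_tags": {"email": ["alice@example.com"]}}})
```

In production, pass `boto3.client("sts")` as `sts` and the id token returned by the IdP; the role's trust policy must allow sts:AssumeRoleWithWebIdentity and sts:TagSession for the IAM OIDC provider.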
Working with groups when using Amazon Q Business IAM Federation
It is not possible to get the groups defined in the enterprise IdP in the IAM federation workflow. If you’re using ACLs in your data sources with groups federated from the enterprise IdP, you can use the Amazon Q PutGroup API to define the federated groups in the Amazon Q Business user store. This way, the Amazon Q Business application can validate a user’s membership in the federated group and enforce the ACLs accordingly. This limitation doesn’t apply to configurations where the groups used in ACLs are defined locally within the data sources. For more information, refer to Group mapping.
This is illustrated here using a group core-team, defined in Okta as shown in the following screenshot.
If document ACLs in the data sources are defined for the group core-team, based on the group defined in IdP, and the group core-team isn’t defined locally in the data sources, then you will first need to define the group in the Amazon Q Business user store using the PutGroup API. The AWS Command Line Interface (AWS CLI) command put-group (see the following code) demonstrates the use of this API. This API needs to be invoked by an AWS administrator or Amazon Q Business administrator persona. The Amazon Q Business user store must be updated to reflect group membership changes in your IdP. You might want to build an automation that updates the group membership in Amazon Q Business as group membership changes in your IdP directory.
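The group-membership automation suggested above, as an added example in Python (not from the post or the AWS samples repository): a sync that pushes an IdP group such as core-team into the Amazon Q Business user store with PutGroup and deletes groups the IdP no longer has. It assumes that in IAM federation mode the Q Business user ID is the user's email address, and the membership snapshot and IDs are constructed placeholders.

```python
# Added example, not from the post or the AWS samples repo. Pushes IdP group
# membership (e.g. the Okta group core-team) into the Q Business user store
# with PutGroup and removes groups the IdP no longer has. Assumption: in IAM
# federation mode the Q Business user ID is the user's email address.

IDP_SNAPSHOT = {  # constructed membership as pulled from the IdP directory
    "core-team": ["bob@example.com", "alice@example.com"],
}


def put_group_request(application_id: str, index_id: str, group_name: str,
                      member_emails) -> dict:
    """PutGroup parameters. PutGroup replaces the group's membership, so the
    complete current member list is sent on every sync. Type INDEX means the
    group applies to ACLs across the index rather than to one data source."""
    return {
        "applicationId": application_id,
        "indexId": index_id,
        "groupName": group_name,
        "type": "INDEX",
        "groupMembers": {
            "memberUsers": [{"userId": e, "type": "INDEX"} for e in sorted(member_emails)],
        },
    }


def sync_groups(client, application_id: str, index_id: str, idp_groups: dict,
                known_groups) -> tuple:
    """idp_groups: {group_name: [emails]} from the IdP. known_groups: names
    previously pushed (from the automation's own state or ListGroups). Groups
    present in the IdP are re-put; groups that vanished are deleted, so the
    ACL stops matching instead of a stale group lingering in the user store."""
    put, deleted = [], []
    for name, emails in sorted(idp_groups.items()):
        client.put_group(**put_group_request(application_id, index_id, name, emails))
        put.append(name)
    for stale in sorted(set(known_groups) - set(idp_groups)):
        client.delete_group(applicationId=application_id, indexId=index_id,
                            groupName=stale)
        deleted.append(stale)
    return put, deleted


def qbusiness_client():
    """Real client for production use; imported lazily so the request-building
    logic above runs without the SDK installed."""
    import boto3
    return boto3.client("qbusiness")
```

Run it from an administrator principal on a schedule or from an IdP group-change webhook, passing `qbusiness_client()` as `client`; the caller needs qbusiness:PutGroup and qbusiness:DeleteGroup on the application.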