Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems, which each user is authorized to access. In an earlier post, we discussed how you can build private and secure enterprise generative AI applications with Amazon Q Business and AWS IAM Identity Center. If you want to use Amazon Q Business to build enterprise generative AI applications, and have yet to adopt organization-wide use of AWS IAM Identity Center, you can use Amazon Q Business IAM Federation to directly manage user access to Amazon Q Business applications from your enterprise identity provider (IdP), such as Okta or Ping Identity. Amazon Q Business IAM Federation uses Federation with IAM and doesn't require the use of IAM Identity Center.
AWS recommends using AWS IAM Identity Center if you have a large number of users, in order to achieve a seamless user access management experience for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. You can use federated groups to define access control, and a user is charged only one time for their highest tier of Amazon Q Business subscription. Although Amazon Q Business IAM Federation lets you build private and secure generative AI applications without requiring the use of IAM Identity Center, it is relatively constrained: it has no support for federated groups, and it limits the ability to charge a user only one time for their highest tier of Amazon Q Business subscription to Amazon Q Business applications sharing a SAML identity provider or OIDC identity provider in a single AWS account.
This post shows how you can use Amazon Q Business IAM Federation for user access management of your Amazon Q Business applications.
Solution overview
To implement this solution, you create an IAM identity provider for SAML or an IAM identity provider for OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider.
When responding to requests by an authenticated user, the Amazon Q Business application uses the IAM identity provider configuration to validate the user identity. The application can respond securely and confidentially by enforcing access control lists (ACLs) to generate responses from only the enterprise content the user is authorized to access.
We use the same example from Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center (a generative AI employee assistant built with Amazon Q Business) to demonstrate how to set it up using IAM Federation so that it only responds using enterprise content that each employee has permissions to access. Thus, the employees are able to converse securely and privately with this assistant.
Architecture
Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP account, such as Okta or Ping Identity, using Federation with IAM. This involves a one-time setup of creating a SAML or OIDC application integration in your IdP account, and then creating a corresponding SAML identity provider or OIDC identity provider in AWS IAM. This SAML or OIDC IAM identity provider is required for you to create an Amazon Q Business application. The IAM identity provider is used by the Amazon Q Business application to validate and trust federated identities of users authenticated by the enterprise IdP, and to associate a unique identity with each user. Thus, a user is uniquely identified across all Amazon Q Business applications sharing the same SAML IAM identity provider or OIDC IAM identity provider.
The following diagram shows a high-level architecture and authentication workflow. The enterprise IdP, such as Okta or Ping Identity, is used as the access manager for an authenticated user to interact with an Amazon Q Business application using an Amazon Q web experience or a custom application using an API.
The user authentication workflow consists of the following steps:
The client application makes an authentication request to the IdP on behalf of the user.
The IdP responds with identity or access tokens in OIDC mode, or a SAML assertion in SAML 2.0 mode. Amazon Q Business IAM Federation requires the enterprise IdP application integration to provide a special principal tag email attribute with its value set to the email address of the authenticated user. If user attributes such as role or location (city, state, country) are present in the SAML or OIDC assertions, Amazon Q Business will extract these attributes for personalization. These attributes are included in the identity token claims in OIDC mode, and in SAML assertions in SAML 2.0 mode.
The client application makes an AssumeRoleWithWebIdentity (OIDC mode) or AssumeRoleWithSAML (SAML mode) API call to AWS Security Token Service (AWS STS) to acquire AWS SigV4 credentials. Email and other attributes are extracted and enforced by the Amazon Q Business application using session tags in AWS STS. The AWS SigV4 credentials include information about the federated user.
The client application uses the credentials obtained in the previous step to make Amazon Q Business API calls on behalf of the authenticated user. The Amazon Q Business application knows the user identity based on the credential used to make the API calls, shows only that user's conversation history, and enforces document ACLs. The application retrieves from the index only those documents that the user is authorized to access and that are relevant to the user's query, to be included as context when the query is sent to the underlying large language model (LLM). The application generates a response based solely on enterprise content that the user is authorized to access.
How subscriptions work with Amazon Q Business IAM Federation
User subscriptions are handled differently when you use IAM Identity Center vs. IAM Federation.
For applications that use IAM Identity Center, AWS will de-duplicate subscriptions across all Amazon Q Business application accounts, and charge each user only one time for their highest subscription level. De-duplication applies only if the Amazon Q Business applications share the same organization instance of IAM Identity Center. Users subscribed to Amazon Q Business applications using IAM Federation will be charged one time when the applications share the same SAML IAM identity provider or OIDC IAM identity provider. Amazon Q Business applications can share the same SAML IAM identity provider or OIDC IAM identity provider only if they are in the same AWS account. For example, if you use Amazon Q Business IAM Federation and want to use Amazon Q Business applications across 3 separate AWS accounts, each AWS account would require its own SAML identity provider or OIDC identity provider to be created and used in the corresponding Amazon Q Business applications, and a user subscribed to these three Amazon Q Business applications will be charged three times. In another example, if a user is subscribed to some Amazon Q Business applications that use IAM Identity Center and others that use IAM Federation, they will be charged one time across all IAM Identity Center applications and one time per SAML IAM identity provider or OIDC IAM identity provider used by the Amazon Q Business applications using IAM Federation.
For Amazon Q Business applications using IAM Identity Center, the Amazon Q Business administrator directly assigns subscriptions for groups and users on the Amazon Q Business management console. For an Amazon Q Business application using IAM Federation, the administrator chooses the default subscription tier during application creation. When an authenticated user logs in using either the Amazon Q Business application web experience or a custom application using the Amazon Q Business API, that user is automatically subscribed to the default tier.
Limitations
At the time of writing, Amazon Q Business IAM Federation has the following limitations:
Amazon Q Business doesn't support OIDC for Google and Microsoft Entra ID.
There is no built-in mechanism to validate a user's membership in federated groups defined in the enterprise IdP. If you're using ACLs in your data sources with groups federated from the enterprise IdP, you can use the PutGroup API to define the federated groups in the Amazon Q Business user store. This way, the Amazon Q Business application can validate a user's membership in the federated group and enforce the ACLs accordingly. This limitation doesn't apply to configurations where the groups used in ACLs are defined locally within the data sources. For more information, refer to Group mapping.
Guidelines for choosing a user access mechanism
The following table summarizes the guidelines to consider when choosing a user access mechanism.
Federation Type: Federated with IAM Identity Center
AWS Account Type: Multiple accounts managed by AWS Organizations
Amazon Q Business Subscription Billing Scope: AWS organization, with support for federated group-level subscriptions to Amazon Q Business applications
Supported Identity Source: All identity sources supported by IAM Identity Center: IAM Identity Center directory, Active Directory, and IdP
Other Considerations: AWS recommends this option if you have a large number of users and multiple applications, with many federated groups used to define access control and permissions.

Federation Type: Federated with IAM using an OIDC IAM identity provider
AWS Account Type: Single, standalone account
Amazon Q Business Subscription Billing Scope: All Amazon Q Business applications within a single standalone AWS account sharing the same OIDC IAM identity provider
Supported Identity Source: IdP with OIDC application integration
Other Considerations: This method is more straightforward to configure compared to a SAML 2.0 provider. It is also less complex to share IdP application integrations across Amazon Q Business web experiences and custom applications using Amazon Q Business APIs.

Federation Type: Federated with IAM using a SAML IAM identity provider
AWS Account Type: Single, standalone account
Amazon Q Business Subscription Billing Scope: All Amazon Q Business applications within a single standalone AWS account sharing the same SAML IAM identity provider
Supported Identity Source: IdP with SAML 2.0 application integration
Other Considerations: This method is more complex to configure compared to OIDC, and requires a separate IdP application integration for each Amazon Q Business web experience. Some sharing is possible for custom applications using Amazon Q Business APIs.
Prerequisites
To implement the sample use case described in this post, you need an Okta account. This post covers workflows for both OIDC and SAML 2.0, so you can follow either one or both workflows based on your interest. You need to create application integrations for OIDC or SAML mode, and then configure the respective IAM identity providers in your AWS account, which will be required to create and configure your Amazon Q Business applications. Even though you use the same Okta account and the same AWS account to create two Amazon Q Business applications, one using an OIDC IAM identity provider and the other using a SAML IAM identity provider, the same user subscribed to both of these Amazon Q Business applications will be charged twice, because they don't share the underlying SAML or OIDC IAM identity providers.
Create an Amazon Q Business application with an OIDC IAM identity provider
To set up an Amazon Q Business application with an OIDC IAM identity provider, you first configure the Okta application integration using OIDC. You then create an IAM identity provider for that OIDC app integration, and create an Amazon Q Business application using that OIDC IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with OIDC
Complete the following steps to create your Okta application integration with OIDC:
On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
Choose Create App Integration.
For Sign-in method, select OIDC.
For Application type, select Web Application.
Choose Next.
Give your app integration a name.
Select Authorization Code and Refresh Token for Grant Type.
Confirm that Refresh token behavior is set to Use persistent token.
For Sign-in redirect URIs, provide a placeholder value such as https://example.com/authorization-code/callback.
You update this later with the web experience URI of the Amazon Q Business application you create.
On the Assignments tab, assign access to the appropriate users within your organization for your Amazon Q Business application.
In this step, you can select all users in your Okta organization, choose select groups, such as Finance-Group if it is defined, or select individual users.
Choose Save to save the app integration.
Your app integration will look similar to the following screenshots.
Note the values for Client ID and Client secret to use in subsequent steps.
On the Sign on tab, choose Edit next to OpenID Connect ID Token.
For Issuer, note the Okta URL.
Choose Cancel.
In the navigation pane, choose Security and then API.
Under API, Authorization Servers, choose default.
On the Claims tab, choose Add Claim.
For Name, enter https://aws.amazon.com/tags.
For Include in token type, select ID Token.
For Value, enter {"principal_tags": {"Email": {user.email}}}.
Choose Create.
The claim will look similar to the following screenshot. It is a best practice to use a custom authorization server. However, because this is an illustration, we use the default authorization server.
Set up an IAM identity provider for OIDC
To set up an IAM identity provider for OIDC, complete the following steps:
On the IAM console, choose Identity providers in the navigation pane.
Choose Add provider.
For Provider type, select OpenID Connect.
For Provider URL, enter the Okta URL you copied earlier, followed by /oauth2/default.
For Audience, enter the client ID you copied earlier.
Choose Add provider.
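Before wiring the Okta app integration into an Amazon Q Business application, it is worth confirming that the ID tokens Okta issues actually carry what the workflow above depends on: an issuer matching the IAM provider URL (Okta URL plus /oauth2/default), an audience equal to the client ID, an unexpired exp, and the https://aws.amazon.com/tags claim with a principal_tags.Email value. The following Python checker is an added example written for this post; it is not code from AWS or Okta. It assumes constructed values for the Okta domain and client ID, accepts the Email tag either as a bare string or as a one-element list (an assumption about the shape the Okta expression {user.email} produces), and deliberately does not verify the token signature, which the IAM OIDC identity provider does against the issuer's published keys.

```python
import base64
import json
import time

# Claim that AWS STS reads principal tags from (named in the post).
AWS_TAGS_CLAIM = "https://aws.amazon.com/tags"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    No signature check is done here; the IAM OIDC identity provider verifies
    the signature against the issuer's JWKS. This helper only inspects claim shape.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _single_value(value):
    """Accept a bare string or a one-element list (assumed shapes of the tag value)."""
    if isinstance(value, list):
        if len(value) != 1:
            return None
        value = value[0]
    return value if isinstance(value, str) and value.strip() else None


def check_q_business_claims(claims: dict, okta_url: str, client_id: str, now=None) -> list:
    """Return a list of problems; an empty list means the token meets the
    requirements described for an Amazon Q Business OIDC IAM identity provider."""
    problems = []
    now = time.time() if now is None else now

    # Provider URL configured in IAM is the Okta URL followed by /oauth2/default.
    expected_issuer = okta_url.rstrip("/") + "/oauth2/default"
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match {expected_issuer!r}")

    # IAM provider audience is the Okta client ID; aud may be a string or a list.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain the IAM provider audience (client ID)")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")

    # The principal tag Email is what identifies the user to Amazon Q Business.
    tags = claims.get(AWS_TAGS_CLAIM)
    principal_tags = tags.get("principal_tags") if isinstance(tags, dict) else None
    email = _single_value(principal_tags.get("Email")) if isinstance(principal_tags, dict) else None
    if email is None:
        problems.append(f"{AWS_TAGS_CLAIM}.principal_tags.Email is missing or malformed")
    elif "@" not in email:
        problems.append("principal tag Email is not an email address")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a JWT with a placeholder signature from constructed claims (test input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.placeholder-signature"


# Constructed sample values; replace with your own Okta domain and client ID.
OKTA_URL = "https://dev-123456.okta.com"
CLIENT_ID = "0oa-constructed-client-id"
GOOD_CLAIMS = {
    "iss": OKTA_URL + "/oauth2/default",
    "aud": CLIENT_ID,
    "exp": 4102444800,  # 2100-01-01, so the sample does not expire during a test
    AWS_TAGS_CLAIM: {"principal_tags": {"Email": "mateo.jackson@example.com"}},
}

if __name__ == "__main__":
    token = make_test_token(GOOD_CLAIMS)
    print(check_q_business_claims(decode_id_token_claims(token), OKTA_URL, CLIENT_ID))
```

Run this against a real ID token obtained from the Okta authorization server (for example, one captured from your own test login) and an empty list means the claim mapping is correct; a non-empty list tells you which of the configuration steps above to revisit.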
Create an Amazon Q Business application with the OIDC IAM identity provider
Complete the following steps to create an Amazon Q Business application with the OIDC IdP:
On the Amazon Q Business console, choose Create application.
Give the application a name.
For Access management method, select AWS IAM Identity provider.
For Choose an Identity provider type, select OpenID Connect (OIDC).
For Select Identity Provider, choose the IdP you created.
For Client ID, enter the client ID of the Okta application integration you copied earlier.
Leave the remaining settings as default and choose Create.
In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
For now, choose Next on the Connect data sources page. We configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically be subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
In Web experience settings, uncheck Create web experience. Choose Done.
On the Amazon Q Business Applications page, choose the application you just created to view the details.
On the Application Details page, note the Application ID.
In a new tab of your web browser, open the management console for AWS Secrets Manager. Choose Store a new secret.
For Choose secret type, choose Other type of secret. For Key/value pairs, enter client_secret as the key and enter the client secret you copied from the Okta application integration as the value. Choose Next.
For Configure secret, give a Secret name starting with the QBusiness- prefix.
For Configure rotation, unless you want to make any changes, accept the defaults and choose Next.
For Review, review the secret you just stored, and choose Store.
On the AWS Secrets Manager Secrets page, choose the secret you just created. Note the Secret name and Secret ARN.
Follow the instructions on IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role and the Secret Manager Role. You will require the Amazon Q Business Application ID, Secret name, and Secret ARN you copied earlier.
Open the Application Details for your Amazon Q Business application. Choose Edit.
For Update application, there is no need to make changes. Choose Update.
For Update retriever, there is no need to make changes. Choose Next.
For Connect data sources, there is no need to make changes. Choose Next.
For Update access, select Create web experience.
For Service role name, select the web experience IAM role you created earlier.
For AWS Secrets Manager secret, select the secret you stored earlier.
For Web Experience to use Secrets: Service role name, select the Secret Manager Role you created earlier.
Choose Update.
On the Amazon Q Business Applications page, choose the application you just updated to view the details.
Note the value for Deployed URL.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
Open the Okta administration console, then open the Okta application integration you created earlier.
On the General tab, choose Edit next to General Settings.
For Sign-in redirect URIs, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure the authorization-code/callback suffix is not deleted. The full URL should look like https://your_deployed_url/authorization-code/callback.
Choose Save.
Create an Amazon Q Business application with a SAML 2.0 IAM identity provider
The process to set up an Amazon Q Business application with a SAML 2.0 IAM identity provider is similar to creating an application using OIDC. You first configure an Okta application integration using SAML 2.0. You then create an IAM identity provider for that SAML 2.0 app integration, and create an Amazon Q Business application using the SAML 2.0 IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with SAML 2.0
Complete the following steps to create your Okta application integration with SAML 2.0:
On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
Choose Create App Integration.
For Sign-in method, select SAML 2.0.
Choose Next.
On the General Settings page, enter an app name and choose Next.
This will open the Create SAML Integration page.
For Single sign-on URL, enter a placeholder URL such as https://example.com/saml and deselect Use this for Recipient URL and Destination URL.
For Recipient URL, enter https://signin.aws.amazon.com/saml.
For Destination URL, enter the placeholder https://example.com/saml.
For Audience URL (SP Entity ID), enter https://signin.aws.amazon.com/saml.
For Name ID format, choose Persistent.
Choose Next and then Finish.
The placeholder values of https://example.com will need to be updated with the deployment URL of the Amazon Q Business web experience, which you create in subsequent steps.
On the Sign On tab of the app integration you just created, note the value for Metadata URL.
Open the URL in your web browser, and save it on your local computer.
The metadata will be required in subsequent steps.
Set up an IAM identity provider for SAML 2.0
To set up an IAM IdP for SAML 2.0, complete the following steps:
On the IAM console, choose Identity providers in the navigation pane.
Choose Add provider.
For Provider type, select SAML.
Enter a provider name.
For Metadata document, choose Choose file and upload the metadata document you saved earlier.
Choose Add provider.
From the list of identity providers, choose the identity provider you just created.
Note the values for ARN, Issuer URL, and SSO service location to use in subsequent steps.
Create an Amazon Q Business application with the SAML 2.0 IAM identity provider
Complete the following steps to create an Amazon Q Business application with the SAML 2.0 IAM identity provider:
On the Amazon Q Business console, choose Create application.
Give the application a name.
For Access management method, select AWS IAM Identity provider.
For Choose an Identity provider type, select SAML.
For Select Identity Provider, choose the IdP you created.
Leave the remaining settings as default and choose Create.
In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
For now, choose Next on the Connect data sources page. We will configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically be subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
For Web experience settings, uncheck Create web experience. Choose Done.
On the Amazon Q Business Applications page, choose the application you just created.
On the Application Details page, note the Application ID.
Follow the instructions on IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role. You will require the Amazon Q Business Application ID you copied earlier.
Open the Application Details for your Amazon Q Business application. Choose Edit.
For Update application, there is no need to make changes. Choose Update.
For Update retriever, there is no need to make changes. Choose Next.
For Connect data sources, there is no need to make changes. Choose Next.
For Update access, select Create web experience.
For this post, we proceed with the default setting.
For Authentication URL, enter the value for SSO service location that you copied earlier.
Choose Update.
On the Amazon Q Business Applications page, choose the application you just updated to view the details.
Note the values for Deployed URL and Web experience IAM role ARN to use in subsequent steps.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
Open the Okta administration console, then open the Okta application integration you created earlier.
On the General tab, choose Edit next to SAML Settings.
For Single sign-on URL and Destination URL, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure the /saml suffix is not deleted.
Choose Save.
On the Edit SAML Integration page, in the Attribute Statements (optional) section, add attribute statements as listed in the following table.
This step is not optional: these attributes are used by the Amazon Q Business application to determine the identity of the user, so be sure to confirm their correctness.
Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
Name format: Unspecified
Value: user.email

Name: https://aws.amazon.com/SAML/Attributes/Role
Name format: Unspecified
Value: <Web experience IAM role ARN>,<identity-provider-arn>

Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
Name format: Unspecified
Value: user.email
For the value of the https://aws.amazon.com/SAML/Attributes/Role attribute, you need to concatenate the web experience IAM role ARN and the IdP ARN you copied earlier with a comma between them, without spaces or any other characters.
Choose Next and Finish.
On the Assignments tab, assign users who can access the app integration you just created.
This step controls which users within your organization can access your Amazon Q Business application. In this step, you can enable self-service for all users in your Okta organization, choose select groups, such as Finance-Group if it is defined, or select individual users.
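Because the three attribute statements above are what AWS STS and Amazon Q Business use to identify the user and pick the role, a mistake such as a stray space in the Role value or a mismatched Audience only surfaces as a failed login. The following Python checker is an added example written for this post (not code from AWS or Okta) that parses a SAML assertion, as captured from a test login through your own browser's SAML tracing tools, and validates the points the table and the note above require: the Audience is https://signin.aws.amazon.com/saml, each of the three attributes appears exactly once, PrincipalTag:Email looks like an email address, and the Role value is exactly <role-arn>,<provider-arn> with both ARNs in the same account and no whitespace. The embedded assertion, the role and provider ARNs, and the account ID are constructed sample values; the ARN regular expressions are an assumption about the standard IAM ARN layout. Signature and validity-period verification are left to STS, which performs them on AssumeRoleWithSAML.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_BASE = "https://aws.amazon.com/SAML/Attributes/"
EMAIL_ATTR = ATTR_BASE + "PrincipalTag:Email"
ROLE_ATTR = ATTR_BASE + "Role"
SESSION_ATTR = ATTR_BASE + "RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Assumed IAM ARN layouts; the capture group is the 12-digit account ID.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/\S+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):saml-provider/\S+$")


def attribute_values(root) -> dict:
    """Map each SAML attribute Name to the list of its AttributeValue texts."""
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values[attr.get("Name")] = [
            (v.text or "") for v in attr.iterfind("saml:AttributeValue", SAML_NS)
        ]
    return values


def check_role_pair(value: str) -> list:
    """Validate '<web experience role ARN>,<IdP ARN>': no whitespace, two ARNs, same account."""
    problems = []
    if any(c.isspace() for c in value):
        problems.append("Role attribute contains whitespace")
    parts = value.split(",")
    if len(parts) != 2:
        return problems + ["Role attribute must be '<role-arn>,<provider-arn>'"]
    role_m = ROLE_ARN_RE.match(parts[0])
    prov_m = PROVIDER_ARN_RE.match(parts[1])
    if not role_m:
        problems.append("first element is not an IAM role ARN")
    if not prov_m:
        problems.append("second element is not a SAML provider ARN")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and provider ARNs belong to different accounts")
    return problems


def check_assertion(assertion_xml: str) -> list:
    """Return a list of problems found in the assertion; empty means it matches the table."""
    root = ET.fromstring(assertion_xml)  # ElementTree does not resolve external entities
    problems = []
    audiences = [a.text for a in root.iterfind(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if AWS_SAML_AUDIENCE not in audiences:
        problems.append(f"Audience must be {AWS_SAML_AUDIENCE}")
    attrs = attribute_values(root)
    for name in (EMAIL_ATTR, ROLE_ATTR, SESSION_ATTR):
        if len(attrs.get(name, [])) != 1:
            problems.append(f"{name} must appear exactly once with one value")
    email = attrs.get(EMAIL_ATTR, [""])[0]
    if email and "@" not in email:
        problems.append("PrincipalTag:Email is not an email address")
    if attrs.get(ROLE_ATTR):
        problems += check_role_pair(attrs[ROLE_ATTR][0])
    return problems


# Constructed sample assertion (no signature); ARNs and account ID are placeholders.
ROLE_ARN = "arn:aws:iam::123456789012:role/QBusiness-WebExperience-Role"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Okta-QBusiness"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">mateo.jackson@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{AWS_SAML_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>mateo.jackson@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ROLE_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>{ROLE_ARN},{PROVIDER_ARN}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>mateo.jackson@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

Feed a decoded assertion from your own test sign-in to check_assertion before assigning real users; the problem list points at the exact attribute statement or Role value to correct in the Okta app integration.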
Set up the data source
Whether you created the Amazon Q Business application using an OIDC IAM identity provider or a SAML 2.0 IAM identity provider, the procedure to create a data source remains the same. For this post, we set up a data source for Atlassian Confluence. The following steps show how to configure the data source for the Confluence environment. For more details on how to set up a Confluence data source, refer to Connecting Confluence (Cloud) to Amazon Q Business.
On the Amazon Q Business Application details page, choose Add data source.
On the Add data source page, choose Confluence.
For Data source name, enter a name.
For Source, select Confluence Cloud and enter the Confluence URL.
For Authentication, select Basic authentication and enter the Secrets Manager secret.
For IAM role, select Create a new service role.
Leave the remaining settings as default.
For Sync scope, select the appropriate content to sync.
Under Space and regex patterns, provide the Confluence spaces to be included.
For Sync mode, select Full sync.
For Sync run schedule, choose Run on demand.
Choose Add data source.
After the data source creation is complete, choose Sync now to start the data source sync.
Wait until the sync is complete before logging in to the web experience to start querying.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage their enterprise content. The sample Amazon Q application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces with the following permissions:
HR Space – All employees, including Mateo and Mary
AnyOrgApp Project Space – Employees assigned to the project, including Mateo
ACME Project Space – Employees assigned to the project, including Mary
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to learn about their new team member activities and their fellow team members. They ask the same questions of the employee AI assistant but get different responses, because each has access to separate projects. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question for the new team member checklist. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits apply to their personal and family situations.
The following screenshot shows Mary asking the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows Mateo asking the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Even though the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by any other user is critical for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Federation, and don't plan to use it further, you can unsubscribe and remove automatically subscribed users from the application, and then delete it so that your AWS account doesn't accumulate costs.
To unsubscribe and remove users, go to the application details page and choose Manage subscriptions.
Select all the users, choose Remove to remove subscriptions, and choose Done.
To delete the application after removing the users, return to the application details page and choose Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as ensure the privacy and confidentiality of every employee. Amazon Q Business achieves this by integrating with IAM Identity Center or with IAM Federation to provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
In this post, we showed how Amazon Q Business IAM Federation uses SAML 2.0 and OIDC IAM identity providers to uniquely identify a user authenticated by the enterprise IdP, and how that user identity is then used to match up document ACLs set up in the data source. At query time, Amazon Q Business responds to a user query using only those documents that the user is authorized to access. This functionality is similar to that achieved by the integration of Amazon Q Business with IAM Identity Center that we saw in an earlier post. Additionally, we provided the guidelines to consider when choosing a user access mechanism.
To learn more, refer to Amazon Q Business, now generally available, helps boost workforce productivity with generative AI and the Amazon Q Business User Guide.
About the authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.