Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems, which each user is authorized to access. In an earlier post, we discussed how you can build private and secure enterprise generative AI applications with Amazon Q Business and AWS IAM Identity Center. If you want to use Amazon Q Business to build enterprise generative AI applications, and have yet to adopt organization-wide use of AWS IAM Identity Center, you can use Amazon Q Business IAM Federation to directly manage user access to Amazon Q Business applications from your enterprise identity provider (IdP), such as Okta or Ping Identity. Amazon Q Business IAM Federation uses Federation with IAM and doesn't require the use of IAM Identity Center.
AWS recommends using IAM Identity Center if you have a large number of users, in order to achieve a seamless user access management experience for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. You can use federated groups to define access control, and a user is charged only one time for their highest tier of Amazon Q Business subscription. Although Amazon Q Business IAM Federation enables you to build private and secure generative AI applications without requiring the use of IAM Identity Center, it is relatively constrained: it has no support for federated groups, and it limits the ability to charge a user only one time for their highest tier of Amazon Q Business subscription to the Amazon Q Business applications that share a SAML identity provider or OIDC identity provider in a single AWS account.
This post shows how you can use Amazon Q Business IAM Federation for user access management of your Amazon Q Business applications.
Solution overview
To implement this solution, you create an IAM identity provider for SAML or an IAM identity provider for OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider.
When responding to requests by an authenticated user, the Amazon Q Business application uses the IAM identity provider configuration to validate the user identity. The application can respond securely and confidentially by enforcing access control lists (ACLs) to generate responses from only the enterprise content the user is authorized to access.
We use the same example from Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center (a generative AI employee assistant built with Amazon Q Business) to demonstrate how to set it up using IAM Federation so that it responds only with enterprise content that each employee has permission to access. Thus, the employees are able to converse securely and privately with this assistant.
Architecture
Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP account, such as Okta or Ping Identity, using Federation with IAM. This involves a one-time setup of creating a SAML or OIDC application integration in your IdP account, and then creating a corresponding SAML identity provider or OIDC identity provider in AWS IAM. This SAML or OIDC IAM identity provider is required for you to create an Amazon Q Business application. The IAM identity provider is used by the Amazon Q Business application to validate and trust federated identities of users authenticated by the enterprise IdP, and to associate a unique identity with each user. Thus, a user is uniquely identified across all Amazon Q Business applications sharing the same SAML IAM identity provider or OIDC IAM identity provider.
The following diagram shows a high-level architecture and authentication workflow. The enterprise IdP, such as Okta or Ping Identity, is used as the access manager for an authenticated user to interact with an Amazon Q Business application using an Amazon Q web experience or a custom application using an API.
The user authentication workflow consists of the following steps:
- The client application makes an authentication request to the IdP on behalf of the user.
- The IdP responds with identity or access tokens in OIDC mode, or a SAML assertion in SAML 2.0 mode. Amazon Q Business IAM Federation requires the enterprise IdP application integration to provide a special principal tag email attribute with its value set to the email address of the authenticated user. If user attributes such as role or location (city, state, country) are present in the SAML or OIDC assertions, Amazon Q Business will extract these attributes for personalization. These attributes are included in the identity token claims in OIDC mode, and in the SAML assertions in SAML 2.0 mode.
- The client application makes an AssumeRoleWithWebIdentity (OIDC mode) or AssumeRoleWithSAML (SAML mode) API call to AWS Security Token Service (AWS STS) to acquire AWS SigV4 credentials. Email and other attributes are extracted and enforced by the Amazon Q Business application using session tags in AWS STS. The AWS SigV4 credentials include information about the federated user.
- The client application uses the credentials obtained in the previous step to make Amazon Q Business API calls on behalf of the authenticated user. The Amazon Q Business application knows the user identity based on the credentials used to make the API calls, shows only that user's conversation history, and enforces document ACLs. The application retrieves from the index only those documents that the user is authorized to access and that are relevant to the user's query, to be included as context when the query is sent to the underlying large language model (LLM). The application generates a response based only on enterprise content that the user is authorized to access.
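The custom-application path through steps 3 and 4 in OIDC mode, as an added example that is not code from the post or from the Amazon Q Business service: it checks that an Okta ID token carries the principal-tag claim the post configures, builds the AssumeRoleWithWebIdentity request, and uses the returned credentials for a ChatSync call. The role ARN, application ID and the choice of the email as RoleSessionName are assumptions, and the sample token is constructed and unsigned.

```python
import base64
import json
from typing import Any

# Claim name Amazon Q Business IAM Federation expects in the Okta ID token (from the post).
TAGS_CLAIM = "https://aws.amazon.com/tags"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Any) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_jwt_payload(id_token: str) -> dict[str, Any]:
    """Return the claims of a compact JWT without verifying its signature.

    STS checks the signature against the IdP's published keys when it processes
    AssumeRoleWithWebIdentity, so this local decode is only a pre-flight check.
    Never use it to make an authorization decision in your own code.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def principal_email(claims: dict[str, Any]) -> str:
    """Extract principal_tags.Email from the https://aws.amazon.com/tags claim.

    A ValueError here is the symptom of an Okta claim that was not created, was
    left out of the ID token, or was added to a different authorization server.
    """
    tags = claims.get(TAGS_CLAIM)
    if not isinstance(tags, dict):
        raise ValueError(f"{TAGS_CLAIM} claim missing; add it on the Okta authorization server")
    principal_tags = tags.get("principal_tags")
    email = principal_tags.get("Email") if isinstance(principal_tags, dict) else None
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("principal_tags.Email missing or malformed; map it to user.email in Okta")
    return email


def assume_role_params(role_arn: str, id_token: str) -> dict[str, Any]:
    """Build the AssumeRoleWithWebIdentity request for the web experience IAM role.

    The Email principal tag in the token becomes a session tag on the credentials
    STS returns, which is how the Amazon Q Business application learns who is calling.
    """
    email = principal_email(decode_jwt_payload(id_token))
    return {
        "RoleArn": role_arn,
        # Using the email as session name keeps CloudTrail entries attributable (assumption).
        "RoleSessionName": email,
        "WebIdentityToken": id_token,
        "DurationSeconds": 3600,
    }


def chat_with_q(application_id: str, role_arn: str, id_token: str, message: str) -> str:
    """Exchange the ID token for SigV4 credentials and ask the application one question.

    Needs boto3 and network access; the offline helpers above do not call it.
    """
    import boto3  # local import so the offline helpers in this file do not require boto3

    creds = boto3.client("sts").assume_role_with_web_identity(
        **assume_role_params(role_arn, id_token)
    )["Credentials"]
    qbusiness = boto3.client(
        "qbusiness",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    # The caller's identity comes from the credentials, so no userId is passed explicitly.
    return qbusiness.chat_sync(applicationId=application_id, userMessage=message)["systemMessage"]


def make_unsigned_token(claims: dict[str, Any]) -> str:
    """Constructed, unsigned token for local testing only; STS rejects alg=none."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


if __name__ == "__main__":
    # Constructed sample token shaped like the Okta ID token the post configures.
    sample = make_unsigned_token({
        "sub": "00u-constructed",
        "aud": "okta-client-id-placeholder",
        TAGS_CLAIM: {"principal_tags": {"Email": "mateo.jackson@example.com"}},
    })
    print(assume_role_params("arn:aws:iam::123456789012:role/WebExperienceRole", sample))
```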
How subscriptions work with Amazon Q Business IAM Federation
The way user subscriptions are handled when you use IAM Identity Center vs. IAM Federation is different.
For applications that use IAM Identity Center, AWS will de-duplicate subscriptions across all Amazon Q Business applications and accounts, and charge each user only one time for their highest subscription level. De-duplication applies only if the Amazon Q Business applications share the same organization instance of IAM Identity Center. Users subscribed to Amazon Q Business applications using IAM Federation will be charged one time when those applications share the same SAML IAM identity provider or OIDC IAM identity provider. Amazon Q Business applications can share the same SAML IAM identity provider or OIDC IAM identity provider only if they are in the same AWS account. For example, if you use Amazon Q Business IAM Federation and want to use Amazon Q Business applications across 3 separate AWS accounts, each AWS account will require its own SAML identity provider or OIDC identity provider to be created and used in the corresponding Amazon Q Business applications, and a user subscribed to these three Amazon Q Business applications will be charged 3 times. In another example, if a user is subscribed to some Amazon Q Business applications that use IAM Identity Center and others that use IAM Federation, they will be charged one time across all IAM Identity Center applications and one time per SAML IAM identity provider or OIDC IAM identity provider used by the Amazon Q Business applications using IAM Federation.
For Amazon Q Business applications using IAM Identity Center, the Amazon Q Business administrator directly assigns subscriptions for groups and users on the Amazon Q Business management console. For an Amazon Q Business application using IAM Federation, the administrator chooses the default subscription tier during application creation. When an authenticated user logs in using either the Amazon Q Business application web experience or a custom application using the Amazon Q Business API, that user is automatically subscribed to the default tier.
Limitations
At the time of writing, Amazon Q Business IAM Federation has the following limitations:
- Amazon Q Business doesn't support OIDC for Google and Microsoft Entra ID.
- There is no built-in mechanism to validate a user's membership in federated groups defined in the enterprise IdP. If you're using ACLs in your data sources with groups federated from the enterprise IdP, you can use the PutGroup API to define the federated groups in the Amazon Q Business user store. This way, the Amazon Q Business application can validate a user's membership in the federated group and enforce the ACLs accordingly. This limitation doesn't apply to configurations where groups used in ACLs are defined locally within the data sources. For more information, refer to Group mapping.
Guidelines for choosing a user access mechanism
The following table summarizes the guidelines to consider when choosing a user access mechanism.
Federation Type | AWS Account Type | Amazon Q Business Subscription Billing Scope | Supported Identity Source | Other Considerations |
--- | --- | --- | --- | --- |
Federated with IAM Identity Center | Multiple accounts managed by AWS Organizations | AWS organization, with support for federated group-level subscriptions to Amazon Q Business applications | All identity sources supported by IAM Identity Center: IAM Identity Center directory, Active Directory, and IdP | AWS recommends this option if you have a large number of users and multiple applications, with many federated groups used to define access control and permissions. |
Federated with IAM using an OIDC IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same OIDC IAM identity provider | IdP with OIDC application integration | This method is simpler to configure compared to a SAML 2.0 provider. It is also less complex to share IdP application integrations across Amazon Q Business web experiences and custom applications using Amazon Q Business APIs. |
Federated with IAM using a SAML IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same SAML IAM identity provider | IdP with SAML 2.0 application integration | This method is more complex to configure compared to OIDC, and requires a separate IdP application integration for each Amazon Q Business web experience. Some sharing is possible for custom applications using Amazon Q Business APIs. |
Prerequisites
To implement the sample use case described in this post, you need an Okta account. This post covers workflows for both OIDC and SAML 2.0, so you can follow either one or both workflows based on your interest. You need to create application integrations for OIDC or SAML mode, and then configure the respective IAM identity providers in your AWS account, which will be required to create and configure your Amazon Q Business applications. Even though you use the same Okta account and the same AWS account to create two Amazon Q Business applications, one using an OIDC IAM identity provider and the other using a SAML IAM identity provider, the same user subscribed to both of these Amazon Q Business applications will be charged twice, because they don't share the underlying SAML or OIDC IAM identity providers.
Create an Amazon Q Business application with an OIDC IAM identity provider
To set up an Amazon Q Business application with an OIDC IAM identity provider, you first configure the Okta application integration using OIDC. You then create an IAM identity provider for that OIDC app integration, and create an Amazon Q Business application using that OIDC IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with OIDC
Complete the following steps to create your Okta application integration with OIDC:
- On the admin console of your Okta account, choose Applications, then Applications in the navigation pane.
- Choose Create App Integration.
- For Sign-in method, select OIDC.
- For Application type, select Web Application.
- Choose Next.
- Give your app integration a name.
- Select Authorization Code and Refresh Token for Grant type.
- Confirm that Refresh token behavior is set to Use persistent token.
- For Sign-in redirect URIs, provide a placeholder value such as https://example.com/authorization-code/callback.
You update this later with the web experience URI of the Amazon Q Business application you create.
- On the Assignments tab, assign access to the appropriate users within your organization for your Amazon Q Business application.
In this step, you can select all users in your Okta organization, choose select groups, such as Finance-Group if it's defined, or select individual users.
- Choose Save to save the app integration.
Your app integration will look similar to the following screenshots.
- Note the values for Client ID and Client secret to use in subsequent steps.
- On the Sign On tab, choose Edit next to OpenID Connect ID Token.
- For Issuer, note the Okta URL.
- Choose Cancel.
- In the navigation pane, choose Security and then API.
- Under API, Authorization Servers, choose default.
- On the Claims tab, choose Add Claim.
- For Name, enter https://aws.amazon.com/tags.
- For Include in token type, select ID Token.
- For Value, enter {"principal_tags": {"Email": {user.email}}}.
- Choose Create.
The claim will look similar to the following screenshot. It is a best practice to use a custom authorization server. However, because this is an illustration, we use the default authorization server.
Set up an IAM identity provider for OIDC
To set up an IAM identity provider for OIDC, complete the following steps:
- On the IAM console, choose Identity providers in the navigation pane.
- Choose Add provider.
- For Provider type, select OpenID Connect.
- For Provider URL, enter the Okta URL you copied earlier, followed by /oauth2/default.
- For Audience, enter the client ID you copied earlier.
- Choose Add provider.
Create an Amazon Q Business application with the OIDC IAM identity provider
Complete the following steps to create an Amazon Q Business application with the OIDC IdP:
- On the Amazon Q Business console, choose Create application.
- Give the application a name.
- For Access management method, select AWS IAM Identity provider.
- For Choose an Identity provider type, select OpenID Connect (OIDC).
- For Select Identity Provider, choose the IdP you created.
- For Client ID, enter the client ID of the Okta application integration you copied earlier.
- Leave the remaining settings as default and choose Create.
- In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
- For now, choose Next on the Connect data sources page. We configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
- In Web experience settings, uncheck Create web experience. Choose Done.
- On the Amazon Q Business Applications page, choose the application you just created to view the details.
- On the Application Details page, note the Application ID.
- In a new tab of your web browser, open the management console for AWS Secrets Manager. Choose Store a new secret.
- For Choose secret type, choose Other type of secret. For Key/value pairs, enter client_secret as the key and enter the client secret you copied from the Okta application integration as the value. Choose Next.
- For Configure secret, give a Secret name.
- For Configure rotation, unless you want to make any changes, accept the defaults, and choose Next.
- For Review, review the secret you just stored, and choose Store.
- On the AWS Secrets Manager Secrets page, choose the secret you just created. Note the Secret name and Secret ARN.
- Follow the instructions in IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role and the Secrets Manager Role. You will need the Amazon Q Business Application ID, Secret name and Secret ARN you copied earlier.
- Open the Application Details for your Amazon Q Business application. Choose Edit.
- For Update application, there is no need to make changes. Choose Update.
- For Update retriever, there is no need to make changes. Choose Next.
- For Connect data sources, there is no need to make changes. Choose Next.
- For Update access, select Create web experience.
- For Service role name, select the web experience IAM role you created earlier.
- For AWS Secrets Manager secret, select the secret you stored earlier.
- For Web Experience to use Secrets: Service role name, select the Secrets Manager Role you created earlier.
- Choose Update.
- On the Amazon Q Business Applications page, choose the application you just updated to view the details.
- Note the value for Deployed URL.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
- Open the Okta admin console, then open the Okta application integration you created earlier.
- On the General tab, choose Edit next to General Settings.
- For Sign-in redirect URIs, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the authorization-code/callback suffix is not deleted. The full URL should look like https://your_deployed_url/authorization-code/callback.
- Choose Save.
Create an Amazon Q Business application with a SAML 2.0 IAM identity provider
The process to set up an Amazon Q Business application with a SAML 2.0 IAM identity provider is similar to creating an application using OIDC. You first configure an Okta application integration using SAML 2.0. You then create an IAM identity provider for that SAML 2.0 app integration, and create an Amazon Q Business application using the SAML 2.0 IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.
Create an Okta application integration with SAML 2.0
Complete the following steps to create your Okta application integration with SAML 2.0:
- On the admin console of your Okta account, choose Applications, then Applications in the navigation pane.
- Choose Create App Integration.
- For Sign-in method, select SAML 2.0.
- Choose Next.
- On the General Settings page, enter an app name and choose Next.
This will open the Create SAML Integration page.
- For Single sign-on URL, enter a placeholder URL such as https://example.com/saml and deselect Use this for Recipient URL and Destination URL.
- For Recipient URL, enter https://signin.aws.amazon.com/saml.
- For Destination URL, enter the placeholder https://example.com/saml.
- For Audience URL (SP Entity ID), enter https://signin.aws.amazon.com/saml.
- For Name ID format, choose Persistent.
- Choose Next and then Finish.
The placeholder values of https://example.com will need to be updated with the deployment URL of the Amazon Q Business web experience, which you create in subsequent steps.
- On the Sign On tab of the app integration you just created, note the value for Metadata URL.
- Open the URL in your web browser, and save it on your local computer.
The metadata will be required in subsequent steps.
Set up an IAM identity provider for SAML 2.0
To set up an IAM IdP for SAML 2.0, complete the following steps:
- On the IAM console, choose Identity providers in the navigation pane.
- Choose Add provider.
- For Provider type, select SAML.
- Enter a provider name.
- For Metadata document, choose Choose file and upload the metadata document you saved earlier.
- Choose Add provider.
- From the list of identity providers, choose the identity provider you just created.
- Note the values for ARN, Issuer URL, and SSO service location to use in subsequent steps.
Create an Amazon Q Business application with the SAML 2.0 IAM identity provider
Complete the following steps to create an Amazon Q Business application with the SAML 2.0 IAM identity provider:
- On the Amazon Q Business console, choose Create application.
- Give the application a name.
- For Access management method, select AWS IAM Identity provider.
- For Choose an Identity provider type, select SAML.
- For Select Identity Provider, choose the IdP you created.
- Leave the remaining settings as default and choose Create.
- In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
- For now, choose Next on the Connect data sources page. We'll configure the data source later.
On the Manage access page, in Default subscription settings, the Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.
- For Web experience settings, uncheck Create web experience. Choose Done.
- On the Amazon Q Business Applications page, choose the application you just created.
- On the Application Details page, note the Application ID.
- Follow the instructions in IAM role for an Amazon Q web experience using IAM Federation to create the Web experience IAM role. You will need the Amazon Q Business Application ID you copied earlier.
- Open the Application Details for your Amazon Q Business application. Choose Edit.
- For Update application, there is no need to make changes. Choose Update.
- For Update retriever, there is no need to make changes. Choose Next.
- For Connect data sources, there is no need to make changes. Choose Next.
- For Update access, select Create web experience.
- For this post, we proceed with the default setting.
- For Authentication URL, enter the value for SSO service location that you copied earlier.
- Choose Update.
- On the Amazon Q Business Applications page, choose the application you just updated to view the details.
- Note the values for Deployed URL and Web experience IAM role ARN to use in subsequent steps.
Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.
- Open the Okta admin console, then open the Okta application integration you created earlier.
- On the General tab, choose Edit next to SAML Settings.
- For Single sign-on URL and Destination URL, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the /saml suffix isn't deleted.
- Choose Save.
- On the Edit SAML Integration page, in the Attribute Statements (optional) section, add attribute statements as listed in the following table.
This step is not optional: these attributes are used by the Amazon Q Business application to determine the identity of the user, so be sure to confirm their correctness.
Name | Name format | Value |
--- | --- | --- |
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email | Unspecified | user.email |
https://aws.amazon.com/SAML/Attributes/Role | Unspecified | <Web experience IAM role ARN>,<identity-provider-arn> |
https://aws.amazon.com/SAML/Attributes/RoleSessionName | Unspecified | user.email |
For the value of the https://aws.amazon.com/SAML/Attributes/Role attribute, you need to concatenate the web experience IAM role ARN and the IdP ARN you copied earlier with a comma between them, without spaces or any other characters.
- Choose Next and Finish.
- On the Assignments tab, assign users who can access the app integration you just created.
This step controls access to your Amazon Q Business application for the appropriate users within your organization. In this step, you can enable self-service for all users in your Okta organization, choose select groups, such as Finance-Group if it's defined, or select individual users.
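To confirm the three attribute statements before users sign in, an added example that is not code from the post, Okta or AWS: it parses a SAML assertion, such as one captured from the browser with a SAML tracer, and checks the attribute names and the Role value format against the table above. The assertion, the ARNs and the account ID below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET  # for assertions you did not produce yourself, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The three attribute statements the post requires in the Okta SAML app integration.
ATTR_EMAIL = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Commas are excluded from the role name so that the "role,provider" split stays unambiguous.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
IDP_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed assertion shaped like Okta's output once the attribute statements are added.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed" Version="2.0">
  <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">mary.major</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>mary.major@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>arn:aws:iam::123456789012:role/WebExperienceRole,arn:aws:iam::123456789012:saml-provider/OktaQBusiness</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>mary.major@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map each Attribute Name in the AttributeStatement to its list of raw values."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        # Values are kept verbatim (no strip) so that stray spaces in the Role value are caught.
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_qbusiness_attributes(assertion_xml: str) -> list[str]:
    """Return a list of problems; an empty list means the assertion matches the post's table."""
    attrs = saml_attributes(assertion_xml)
    problems = [f"missing attribute {n}" for n in (ATTR_EMAIL, ATTR_ROLE, ATTR_SESSION) if not attrs.get(n)]
    if problems:
        return problems
    email = attrs[ATTR_EMAIL][0]
    if "@" not in email:
        problems.append(f"PrincipalTag:Email value {email!r} does not look like an email address")
    parts = attrs[ATTR_ROLE][0].split(",")
    if len(parts) != 2 or not ROLE_ARN.match(parts[0]) or not IDP_ARN.match(parts[1]):
        problems.append("Role must be '<web experience role ARN>,<IdP ARN>' with no spaces or extra characters")
    if attrs[ATTR_SESSION][0] != email:
        problems.append("RoleSessionName should carry user.email, the same value as PrincipalTag:Email")
    return problems


if __name__ == "__main__":
    for problem in check_qbusiness_attributes(SAMPLE_ASSERTION) or ["assertion matches the required attribute statements"]:
        print(problem)
```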
Set up the data source
Whether you created the Amazon Q Business application using an OIDC IAM identity provider or a SAML 2.0 IAM identity provider, the procedure to create a data source remains the same. For this post, we set up a data source for Atlassian Confluence. The following steps show how to configure the data source for the Confluence environment. For more details on how to set up a Confluence data source, refer to Connecting Confluence (Cloud) to Amazon Q Business.
- On the Amazon Q Business Application details page, choose Add data source.
- On the Add data source page, choose Confluence.
- For Data source name, enter a name.
- For Source, select Confluence Cloud and enter the Confluence URL.
- For Authentication, select Basic authentication and enter the Secrets Manager secret.
- For IAM role, select Create a new service role.
- Leave the remaining settings as default.
- For Sync scope, select the appropriate content to sync.
- Under Space and regex patterns, provide the Confluence spaces to be included.
- For Sync mode, select Full sync.
- For Sync run schedule, choose Run on demand.
- Choose Add data source.
- After the data source creation is complete, choose Sync now to start the data source sync.
Wait until the sync is complete before logging in to the web experience to start querying.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage their enterprise content. The sample Amazon Q application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces with the following permissions:
- HR Space – All employees, including Mateo and Mary
- AnyOrgApp Project Space – Employees assigned to the project, including Mateo
- ACME Project Space – Employees assigned to the project, including Mary
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to learn about their new team member activities and their fellow team members. They ask the same questions to the employee AI assistant but get different responses, because each has access to separate projects. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question for the new team member checklist. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits are applicable to their personal and family situations.
The following screenshot shows that Mary asks the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows that Mateo asks the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Even though the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by any other user is critical for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Federation, and don't plan to use it further, you can unsubscribe, remove automatically subscribed users from the application, and delete it so that your AWS account doesn't accumulate costs.
- To unsubscribe and remove users, go to the application details page and choose Manage subscriptions.
- Select all the users, choose Remove to remove subscriptions, and choose Done.
- To delete the application after removing the users, return to the application details page and choose Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as ensure the privacy and confidentiality of every employee. Amazon Q Business achieves this by integrating with IAM Identity Center or with IAM Federation to provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
In this post, we showed how Amazon Q Business IAM Federation uses SAML 2.0 and OIDC IAM identity providers to uniquely identify a user authenticated by the enterprise IdP, and how that user identity is then used to match the document ACLs set up in the data source. At query time, Amazon Q Business responds to a user query using only those documents that the user is authorized to access. This functionality is similar to that achieved by the integration of Amazon Q Business with IAM Identity Center we saw in an earlier post. Additionally, we provided the guidelines to consider when choosing a user access mechanism.
To learn more, refer to Amazon Q Business, now generally available, helps boost workforce productivity with generative AI and the Amazon Q Business User Guide.
About the authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.