Monday, April 20, 2026

Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems, which each user is authorized to access. In an earlier post, we discussed how you can build private and secure enterprise generative AI applications with Amazon Q Business and AWS IAM Identity Center. If you want to use Amazon Q Business to build enterprise generative AI applications, and have yet to adopt organization-wide use of AWS IAM Identity Center, you can use Amazon Q Business IAM Federation to directly manage user access to Amazon Q Business applications from your enterprise identity provider (IdP), such as Okta or Ping Identity. Amazon Q Business IAM Federation uses Federation with IAM and doesn’t require the use of IAM Identity Center.

AWS recommends using AWS Identity Center if you have a large number of users in order to achieve a seamless user access management experience for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. You can use federated groups to define access control, and a user is charged only one time for their highest tier of Amazon Q Business subscription. Although Amazon Q Business IAM Federation enables you to build private and secure generative AI applications without requiring the use of IAM Identity Center, it is relatively constrained: it has no support for federated groups, and it limits the ability to charge a user only one time for their highest tier of Amazon Q Business subscription to Amazon Q Business applications sharing a SAML identity provider or OIDC identity provider in a single AWS account.

This post shows how you can use Amazon Q Business IAM Federation for user access management of your Amazon Q Business applications.

Solution overview

To implement this solution, you create an IAM identity provider for SAML or an IAM identity provider for OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider.

When responding to requests by an authenticated user, the Amazon Q Business application uses the IAM identity provider configuration to validate the user identity. The application can respond securely and confidentially by enforcing access control lists (ACLs) to generate responses from only the enterprise content the user is authorized to access.

We use the same example from Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center (a generative AI employee assistant built with Amazon Q Business) to demonstrate how to set it up using IAM Federation to only respond using enterprise content that each employee has permissions to access. Thus, the employees are able to converse securely and privately with this assistant.

Architecture

Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP, such as an Okta or Ping Identity account, using Federation with IAM. This involves a one-time setup of creating a SAML or OIDC application integration in your IdP account, and then creating a corresponding SAML identity provider or OIDC identity provider in AWS IAM. This SAML or OIDC IAM identity provider is required for you to create an Amazon Q Business application. The IAM identity provider is used by the Amazon Q Business application to validate and trust federated identities of users authenticated by the enterprise IdP, and associate a unique identity with each user. Thus, a user is uniquely identified across all Amazon Q Business applications sharing the same SAML IAM identity provider or OIDC IAM identity provider.

The following diagram shows a high-level architecture and authentication workflow. The enterprise IdP, such as Okta or Ping Identity, is used as the access manager for an authenticated user to interact with an Amazon Q Business application using an Amazon Q web experience or a custom application using an API.

The user authentication workflow consists of the following steps:

  1. The client application makes an authentication request to the IdP on behalf of the user.
  2. The IdP responds with identity or access tokens in OIDC mode, or a SAML assertion in SAML 2.0 mode. Amazon Q Business IAM Federation requires the enterprise IdP application integration to provide a special principal tag email attribute with its value set to the email address of the authenticated user. If user attributes such as role or location (city, state, country) are present in the SAML or OIDC assertions, Amazon Q Business will extract these attributes for personalization. These attributes are included in the identity token claims in OIDC mode, and SAML assertions in the SAML 2.0 mode.
  3. The client application makes an AssumeRoleWithWebIdentity (OIDC mode) or AssumeRoleWithSAML (SAML mode) API call to AWS Security Token Service (AWS STS) to acquire AWS Sig V4 credentials. Email and other attributes are extracted and enforced by the Amazon Q Business application using session tags in AWS STS. The AWS Sig V4 credentials include information about the federated user.
  4. The client application uses the credentials obtained in the previous step to make Amazon Q Business API calls on behalf of the authenticated user. The Amazon Q Business application knows the user identity based on the credential used to make the API calls, shows only the specific user’s conversation history, and enforces document ACLs. The application retrieves only those documents from the index that the user is authorized to access and are relevant to the user’s query, to be included as context when the query is sent to the underlying large language model (LLM). The application generates a response based only on enterprise content that the user is authorized to access.

How subscriptions work with Amazon Q Business IAM Federation

User subscriptions are handled differently when you use IAM Identity Center vs. IAM Federation.

For applications that use IAM Identity Center, AWS will de-duplicate subscriptions across all Amazon Q Business application accounts, and charge each user only one time for their highest subscription level. De-duplication will apply only if the Amazon Q Business applications share the same organization instance of IAM Identity Center. Users subscribed to Amazon Q Business applications using IAM federation will be charged one time when they share the same SAML IAM identity provider or OIDC IAM identity provider. Amazon Q Business applications can share the same SAML IAM identity provider or OIDC IAM identity provider only if they are in the same AWS account. For example, if you use Amazon Q Business IAM Federation, and need to use Amazon Q Business applications across 3 separate AWS accounts, each AWS account will require its own SAML identity provider or OIDC identity provider to be created and used in the corresponding Amazon Q Business applications, and a user subscribed to these three Amazon Q Business applications will be charged three times. In another example, if a user is subscribed to some Amazon Q Business applications that use IAM Identity Center and others that use IAM Federation, they will be charged one time across all IAM Identity Center applications and one time per SAML IAM identity provider or OIDC IAM identity provider used by the Amazon Q Business applications using IAM Federation.

For Amazon Q Business applications using IAM Identity Center, the Amazon Q Business administrator directly assigns subscriptions for groups and users on the Amazon Q Business management console. For an Amazon Q Business application using IAM federation, the administrator chooses the default subscription tier during application creation. When an authenticated user logs in using either the Amazon Q Business application web experience or a custom application using the Amazon Q Business API, that user is automatically subscribed to the default tier.

Limitations

At the time of writing, Amazon Q Business IAM Federation has the following limitations:

  1. Amazon Q Business doesn’t support OIDC for Google and Microsoft Entra ID.
  2. There is no built-in mechanism to validate a user’s membership to federated groups defined in the enterprise IdP. If you’re using ACLs in your data sources with groups federated from the enterprise IdP, you can use the PutGroup API to define the federated groups in the Amazon Q Business user store. This way, the Amazon Q Business application can validate a user’s membership to the federated group and enforce the ACLs accordingly. This limitation doesn’t apply to configurations where groups used in ACLs are defined locally within the data sources. For more information, refer to Group mapping.

Guidelines for choosing a user access mechanism

The following table summarizes the guidelines to consider when choosing a user access mechanism.

| Federation Type | AWS Account Type | Amazon Q Business Subscription Billing Scope | Supported Identity Source | Other Considerations |
| --- | --- | --- | --- | --- |
| Federated with IAM Identity Center | Multiple accounts managed by AWS Organizations | AWS organization, support for federated group-level subscriptions to Amazon Q Business applications | All identity sources supported by IAM Identity Center: IAM Identity Center directory, Active Directory, and IdP | AWS recommends this option if you have a large number of users and multiple applications, with many federated groups used to define access control and permissions. |
| Federated with IAM using OIDC IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same OIDC IAM identity provider | IdP with OIDC application integration | This method is more straightforward to configure compared to a SAML 2.0 provider. It’s also less complex to share IdP application integrations across Amazon Q Business web experiences and custom applications using Amazon Q Business APIs. |
| Federated with IAM using SAML IAM identity provider | Single, standalone account | All Amazon Q Business applications within a single standalone AWS account sharing the same SAML IAM identity provider | IdP with SAML 2.0 application integration | This method is more complex to configure compared to OIDC, and requires a separate IdP application integration for each Amazon Q Business web experience. Some sharing is possible for custom applications using Amazon Q Business APIs. |

Prerequisites

To implement the sample use case described in this post, you need an Okta account. This post covers workflows for both OIDC and SAML 2.0, so you can follow either one or both workflows based on your interest. You need to create application integrations for OIDC or SAML mode, and then configure the respective IAM identity providers in your AWS account, which will be required to create and configure your Amazon Q Business applications. Even if you use the same Okta account and the same AWS account to create two Amazon Q Business applications, one using an OIDC IAM identity provider and the other using a SAML IAM identity provider, the same user subscribed to both of these Amazon Q Business applications will be charged twice, because they don’t share the underlying SAML or OIDC IAM identity providers.

Create an Amazon Q Business application with an OIDC IAM identity provider

To set up an Amazon Q Business application with an OIDC IAM identity provider, you first configure the Okta application integration using OIDC. Then you create an IAM identity provider for that OIDC app integration, and create an Amazon Q Business application using that OIDC IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.

Create an Okta application integration with OIDC

Complete the following steps to create your Okta application integration with OIDC:

  1. On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
  2. Choose Create App Integration.
  3. For Sign-in method, select OIDC.
  4. For Application type, select Web Application.
  5. Choose Next.
  6. Give your app integration a name.
  7. Select Authorization Code and Refresh Token for Grant Type.
  8. Confirm that Refresh token behavior is set to Use persistent token.
  9. For Sign-in redirect URIs, provide a placeholder value such as https://example.com/authorization-code/callback.

You update this later with the web experience URI of the Amazon Q Business application you create.

  10. On the Assignments tab, assign access to appropriate users within your organization to your Amazon Q Business application.

In this step, you can select all users in your Okta organization, or choose select groups, such as Finance-Group if it’s defined, or select individual users.

  11. Choose Save to save the app integration.

Your app integration will look similar to the following screenshots.

  12. Note the values for Client ID and Client secret to use in subsequent steps.
  13. On the Sign On tab, choose Edit next to OpenID Connect ID Token.
  14. For Issuer, note the Okta URL.
  15. Choose Cancel.
  16. In the navigation pane, choose Security and then API.
  17. Under API, Authorization Servers, choose default.
  18. On the Claims tab, choose Add Claim.
  19. For Name, enter https://aws.amazon.com/tags.
  20. For Include in token type, select ID Token.
  21. For Value, enter {"principal_tags": {"Email": {user.email}}}.
  22. Choose Create.

The claim will look similar to the following screenshot. It’s a best practice to use a custom authorization server. However, because this is an illustration, we use the default authorization server.

Set up an IAM identity provider for OIDC

To set up an IAM identity provider for OIDC, complete the following steps:

  1. On the IAM console, choose Identity providers in the navigation pane.
  2. Choose Add provider.
  3. For Provider type, select OpenID Connect.
  4. For Provider URL, enter the Okta URL you copied earlier, followed by /oauth2/default.
  5. For Audience, enter the client ID you copied earlier.
  6. Choose Add provider.
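
A claims pre-flight for the OIDC setup above, as an added example that is not part of the original post or AWS code: it decodes an ID token payload and checks the issuer, audience and https://aws.amazon.com/tags claim against the values configured in these steps. The Okta URL, client ID, user and the one-element-list shape of the tag value are assumptions, the token is constructed, and the signature is not verified.

```python
import base64
import json

TAGS_CLAIM = "https://aws.amazon.com/tags"  # claim name entered on the Okta Claims tab
REQUIRED_TAG = "Email"                       # principal tag key; compared case-sensitively here


def _decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))


def check_id_token_claims(id_token, okta_url, client_id):
    """Return a list of problems; an empty list means the claims match the setup.

    Inspects claims only. It does NOT verify the signature or expiry, so it is a
    configuration check, not an authentication decision.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        claims = _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]

    problems = []

    # Provider URL registered in IAM: the Okta URL followed by /oauth2/default.
    expected_iss = okta_url.rstrip("/") + "/oauth2/default"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")

    # Audience registered in IAM: the Okta client ID. "aud" may be a string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not contain the client ID")

    tags = claims.get(TAGS_CLAIM)
    principal = tags.get("principal_tags") if isinstance(tags, dict) else None
    if not isinstance(principal, dict):
        problems.append(f"claim {TAGS_CLAIM} with principal_tags is missing")
        return problems

    value = principal.get(REQUIRED_TAG)
    if value is None:
        near = [k for k in principal if k.lower() == REQUIRED_TAG.lower()]
        hint = f" (found {near[0]!r}: check the case of the key)" if near else ""
        problems.append(f"principal tag {REQUIRED_TAG!r} is missing{hint}")
    elif not (isinstance(value, list) and len(value) == 1
              and isinstance(value[0], str) and "@" in value[0]):
        # Assumption: the tag value arrives as a one-element list holding the email.
        problems.append(f"principal tag {REQUIRED_TAG!r} is not a single email: {value!r}")
    return problems


def make_constructed_token(claims):
    """Build an unsigned, constructed sample token for the checks below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc({"alg": "RS256", "kid": "constructed"}), enc(claims), "c2lnbmF0dXJl"])


# Constructed sample values (not from the post).
OKTA_URL = "https://dev-000000.okta.example"
CLIENT_ID = "0oaCONSTRUCTEDCLIENTID"


def sample_claims(tag_key="Email"):
    """Constructed claims shaped like the ID token this setup should produce."""
    return {
        "iss": OKTA_URL + "/oauth2/default",
        "aud": CLIENT_ID,
        "sub": "00uCONSTRUCTEDUSER",
        TAGS_CLAIM: {"principal_tags": {tag_key: ["mateo.jackson@example.com"]}},
    }


if __name__ == "__main__":
    for label, claims in [("as configured", sample_claims()),
                          ("wrong key case", sample_claims("email"))]:
        token = make_constructed_token(claims)
        print(label, "->", check_id_token_claims(token, OKTA_URL, CLIENT_ID) or "OK")
```
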

Create an Amazon Q Business application with the OIDC IAM identity provider

Complete the following steps to create an Amazon Q Business application with the OIDC IdP:

  1. On the Amazon Q Business console, choose Create application.
  2. Give the application a name.
  3. For Access management method, select AWS IAM Identity provider.
  4. For Choose an Identity provider type, select OpenID Connect (OIDC).
  5. For Select Identity Provider, choose the IdP you created.
  6. For Client ID, enter the client ID of the Okta application integration you copied earlier.
  7. Leave the remaining settings as default and choose Create.
  8. In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
  9. For now, select Next on the Connect data sources page. We configure the data source later.

On the Manage access page, in Default subscription settings, Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.

  10. In Web experience settings, uncheck Create web experience. Choose Done.
  11. On the Amazon Q Business Applications page, choose the application you just created to view the details.
  12. In the Application Details page, note the Application ID.
  13. In a new tab of your web browser, open the management console for AWS Secrets Manager. Choose Store a new secret.
  14. For Choose secret type, choose Other type of secret. For Key/value pairs, enter client_secret as key and enter the client secret you copied from the Okta application integration as value. Choose Next.
  15. For Configure secret, give a Secret name.
  16. For Configure rotation, unless you want to make any changes, accept the defaults, and choose Next.
  17. For Review, review the secret you just stored, and choose Store.
  18. On the AWS Secrets Manager Secrets page, choose the secret you just created. Note the Secret name and Secret ARN.
  19. Follow the instructions on IAM role for an Amazon Q web experience using IAM Federation to create Web experience IAM role, and Secret Manager Role. You will require the Amazon Q Business Application ID, Secret name and Secret ARN you copied earlier.
  20. Open the Application Details for your Amazon Q Business application. Choose Edit.
  21. For Update application, there is no need to make changes. Choose Update.
  22. For Update retriever, there is no need to make changes. Choose Next.
  23. For Connect data sources, there is no need to make changes. Choose Next.
  24. For Update access, select Create web experience.
  25. For Service role name, select the web experience IAM role you created earlier.
  26. For AWS Secrets Manager secret, select the secret you stored earlier.
  27. For Web Experience to use Secrets: Service role name, select the Secret Manager Role you created earlier.
  28. Choose Update.
  29. On the Amazon Q Business Applications page, choose the application you just updated to view the details.
  30. Note the value for Deployed URL.

Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.

  1. Open the Okta administration console, then open the Okta application integration you created earlier.
  2. On the General tab, choose Edit next to General Settings.
  3. For Sign-in redirect URIs, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the authorization-code/callback suffix is not deleted. The full URL should look like https://your_deployed_url/authorization-code/callback.
  4. Choose Save.

Create an Amazon Q Business application with a SAML 2.0 IAM identity provider

The process to set up an Amazon Q Business application with a SAML 2.0 IAM identity provider is similar to creating an application using OIDC. You first configure an Okta application integration using SAML 2.0. Then you create an IAM identity provider for that SAML 2.0 app integration, and create an Amazon Q Business application using the SAML 2.0 IAM identity provider. Finally, you update the Okta application integration with the web experience URIs of the newly created Amazon Q Business application.

Create an Okta application integration with SAML 2.0

Complete the following steps to create your Okta application integration with SAML 2.0:

  1. On the administration console of your Okta account, choose Applications, then Applications in the navigation pane.
  2. Choose Create App Integration.
  3. For Sign-in method, select SAML 2.0.
  4. Choose Next.
  5. On the General Settings page, enter an app name and choose Next.

This will open the Create SAML Integration page.

  6. For Single sign-on URL, enter a placeholder URL such as https://example.com/saml and deselect Use this for Recipient URL and Destination URL.
  7. For Recipient URL, enter https://signin.aws.amazon.com/saml.
  8. For Destination URL, enter the placeholder https://example.com/saml.
  9. For Audience URL (SP Entity ID), enter https://signin.aws.amazon.com/saml.
  10. For Name ID format, choose Persistent.
  11. Choose Next and then Finish.

The placeholder values of https://example.com will need to be updated with the deployment URL of the Amazon Q Business web experience, which you create in subsequent steps.

  12. On the Sign On tab of the app integration you just created, note the value for Metadata URL.
  13. Open the URL in your web browser, and save it on your local computer.

The metadata will be required in subsequent steps.

Set up an IAM identity provider for SAML 2.0

To set up an IAM IdP for SAML 2.0, complete the following steps:

  1. On the IAM console, choose Identity providers in the navigation pane.
  2. Choose Add provider.
  3. For Provider type, select SAML.
  4. Enter a provider name.
  5. For Metadata document, choose Choose file and upload the metadata document you saved earlier.
  6. Choose Add provider.
  7. From the list of identity providers, choose the identity provider you just created.
  8. Note the values for ARN, Issuer URL, and SSO service location to use in subsequent steps.

Create an Amazon Q Business application with the SAML 2.0 IAM identity provider

Complete the following steps to create an Amazon Q Business application with the SAML 2.0 IAM identity provider:

  1. On the Amazon Q Business console, choose Create application.
  2. Give the application a name.
  3. For Access management method, select AWS IAM Identity provider.
  4. For Choose an Identity provider type, select SAML.
  5. For Select Identity Provider, choose the IdP you created.
  6. Leave the remaining settings as default and choose Create.
  7. In the Select retriever step, unless you want to change the retriever type or the index type, choose Next.
  8. For now, choose Next on the Connect data sources page. We’ll configure the data source later.

On the Manage access page, in Default subscription settings, Subscription Tier of Q Business Pro is selected by default. This means that when an authenticated user starts using the Amazon Q Business application, they will automatically get subscribed as Amazon Q Business Pro. The Amazon Q Business administrator can change the subscription tier for a user at any time.

  9. For Web experience settings, uncheck Create web experience. Choose Done.
  10. On the Amazon Q Business Applications page, choose the application you just created.
  11. In the Application Details page, note the Application ID.
  12. Follow the instructions on IAM role for an Amazon Q web experience using IAM Federation to create Web experience IAM role. You will require the Amazon Q Business Application ID you copied earlier.
  13. Open the Application Details for your Amazon Q Business application. Choose Edit.
  14. For Update application, there is no need to make changes. Choose Update.
  15. For Update retriever, there is no need to make changes. Choose Next.
  16. For Connect data sources, there is no need to make changes. Choose Next.
  17. For Update access, select Create web experience.
  18. For this post, we continue with the default setting.
  19. For Authentication URL, enter the value for SSO service location that you copied earlier.
  20. Choose Update.
  21. On the Amazon Q Business Applications page, choose the application you just updated to view the details.
  22. Note the values for Deployed URL and Web experience IAM role ARN to use in subsequent steps.

Before you can use the web experience to interact with the Amazon Q Business application you just created, you need to update the Okta application integration with the redirect URL of the web experience.

  1. Open the Okta administration console, then open the Okta application integration you created earlier.
  2. On the General tab, choose Edit next to SAML Settings.
  3. For Single sign-on URL and Destination URL, replace the placeholder https://example.com/ with the value for Deployed URL of your web experience. Make sure that the /saml suffix isn’t deleted.
  4. Choose Save.
  5. On the Edit SAML Integration page, in the Attribute Statements (optional) section, add attribute statements as listed in the following table.

This step is not optional and these attributes are used by the Amazon Q Business application to determine the identity of the user, so be sure to confirm their correctness.

| Name | Name format | Value |
| --- | --- | --- |
| https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email | Unspecified | user.email |
| https://aws.amazon.com/SAML/Attributes/Role | Unspecified | <Web experience IAM role ARN>,<identity-provider-arn> |
| https://aws.amazon.com/SAML/Attributes/RoleSessionName | Unspecified | user.email |

For the value of the https://aws.amazon.com/SAML/Attributes/Role attribute, you need to concatenate the web experience IAM role ARN and IdP ARN you copied earlier with a comma between them, without spaces or any other characters.

  6. Choose Next and Finish.
  7. On the Assignments tab, assign users who can access the app integration you just created.

This step controls access to appropriate users within your organization to your Amazon Q Business application. In this step, you can enable self-service for all users in your Okta organization, or choose select groups, such as Finance-Group if it’s defined, or select individual users.
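
A check of the three SAML attribute statements from the table above, as an added example that is not part of the original post or AWS code: it reads an AttributeStatement and flags a Role value that is not exactly a role ARN and an identity provider ARN joined by one comma, or an email tag that differs from the session name. The account ID, role name, provider name and user are constructed, and the ARN patterns are assumptions about typical IAM ARNs.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASE = "https://aws.amazon.com/SAML/Attributes/"
ATTR_EMAIL = BASE + "PrincipalTag:Email"
ATTR_ROLE = BASE + "Role"
ATTR_SESSION = BASE + "RoleSessionName"

# Assumed shapes of the two ARNs (12-digit account ID, any AWS partition).
ROLE_ARN = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=.@/-]+")
PROVIDER_ARN = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:saml-provider/[\w.-]+")


def read_attributes(statement_xml):
    """Map each SAML Attribute Name to its list of AttributeValue strings."""
    # ElementTree is used on a constructed sample; parse assertions from the wire
    # with a hardened XML parser, and only after the signature has been verified.
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_attributes(found):
    """Return a list of problems; an empty list means the table was followed."""
    problems = []
    for name in (ATTR_EMAIL, ATTR_ROLE, ATTR_SESSION):
        if len(found.get(name, [])) != 1:
            problems.append(f"{name}: expected exactly one value")
    if problems:
        return problems

    # Role: role ARN, one comma, provider ARN, in the order the table lists them.
    role_value = found[ATTR_ROLE][0]
    parts = role_value.split(",")
    if any(ch.isspace() for ch in role_value):
        problems.append("Role: value contains whitespace")
    elif (len(parts) != 2 or not ROLE_ARN.fullmatch(parts[0])
          or not PROVIDER_ARN.fullmatch(parts[1])):
        problems.append("Role: expected <role ARN>,<identity provider ARN>")

    # Both PrincipalTag:Email and RoleSessionName are mapped to user.email.
    email = found[ATTR_EMAIL][0]
    if "@" not in email:
        problems.append("PrincipalTag:Email: value is not an email address")
    if found[ATTR_SESSION][0] != email:
        problems.append("RoleSessionName: differs from PrincipalTag:Email")
    return problems


# Constructed sample values (not from the post).
ROLE = "arn:aws:iam::111122223333:role/QBusinessWebExperienceRole"
PROVIDER = "arn:aws:iam::111122223333:saml-provider/OktaQBusiness"


def constructed_statement(role_value, email, session_name):
    """Build a constructed AttributeStatement carrying the three attributes."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
                f'</saml:AttributeValue></saml:Attribute>')
    return (f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
            + attr(ATTR_EMAIL, email) + attr(ATTR_ROLE, role_value)
            + attr(ATTR_SESSION, session_name) + '</saml:AttributeStatement>')


if __name__ == "__main__":
    cases = {
        "as configured": constructed_statement(ROLE + "," + PROVIDER,
                                               "mary.major@example.com", "mary.major@example.com"),
        "space after comma": constructed_statement(ROLE + ", " + PROVIDER,
                                                   "mary.major@example.com", "mary.major@example.com"),
    }
    for label, xml_text in cases.items():
        print(label, "->", check_attributes(read_attributes(xml_text)) or "OK")
```
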

Set up the data source

Whether you created the Amazon Q Business application using an OIDC IAM identity provider or SAML 2.0 IAM identity provider, the procedure to create a data source remains the same. For this post, we set up a data source for Atlassian Confluence. The following steps show how to configure the data source for the Confluence environment. For more details on how to set up a Confluence data source, refer to Connecting Confluence (Cloud) to Amazon Q Business.

  1. On the Amazon Q Business Application details page, choose Add data source.
  2. On the Add data source page, choose Confluence.
  3. For Data source name, enter a name.
  4. For Source, select Confluence Cloud and enter the Confluence URL.
  5. For Authentication, select Basic authentication and enter the Secrets Manager secret.
  6. For IAM role, select Create a new service role.
  7. Leave the remaining settings as default.
  8. For Sync scope, select the appropriate content to sync.
  9. Under Space and regex patterns, provide the Confluence spaces to be included.
  10. For Sync mode, select Full sync.
  11. For Sync run schedule, choose Run on demand.
  12. Choose Add data source.
  13. After the data source creation is complete, choose Sync now to start the data source sync.

Wait until the sync is complete before logging in to the web experience to start querying.

Employee AI assistant use case

To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let’s take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.

The company uses Confluence to manage their enterprise content. The sample Amazon Q application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces with the following permissions:

  • HR Space – All employees, including Mateo and Mary
  • AnyOrgApp Project Space – Employees assigned to the project, including Mateo
  • ACME Project Space – Employees assigned to the project, including Mary

Let’s look at how Mateo and Mary experience their employee AI assistant.

Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers of their laptops. Mateo and Mary both want to know about their new team member activities and their fellow team members. They ask the same questions to the employee AI assistant but get different responses, because each has access to separate projects. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.

Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question for the new team member checklist. The following screenshots show their updated views.

Mateo and Mary want to find out more about the benefits their new job offers and how the benefits are applicable to their personal and family situations.

The following screenshot shows that Mary asks the employee AI assistant questions about her benefits and eligibility.

Mary can also refer to the source documents.

The following screenshot shows that Mateo asks the employee AI assistant different questions about his eligibility.

Mateo looks at the following source documents.

Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Although the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can’t be seen by any other user is critical for the success of a generative AI employee productivity assistant.

Clean up

If you created a new Amazon Q Business application to try out the integration with IAM federation, and don’t plan to use it further, you can unsubscribe, remove automatically subscribed users from the application, and delete it so that your AWS account doesn’t accumulate costs.

  1. To unsubscribe and remove users, go to the application details page and choose Manage subscriptions.
  2. Select all the users, choose Remove to remove subscriptions, and choose Done.
  3. To delete the application after removing the users, return to the application details page and choose Delete.

Conclusion

For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as assure the privacy and confidentiality of every employee. Amazon Q Business achieves this by integrating with IAM Identity Center or with IAM Federation to provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.

In this post, we showed how Amazon Q Business IAM Federation uses SAML 2.0 and OIDC IAM identity providers to uniquely identify a user authenticated by the enterprise IdP, and then that user identity is used to match up document ACLs set up in the data source. At query time, Amazon Q Business responds to a user query using only those documents that the user is authorized to access. This functionality is similar to that achieved by the integration of Amazon Q Business with IAM Identity Center we saw in an earlier post. Additionally, we also provided the guidelines to consider when choosing a user access mechanism.

To learn more, refer to Amazon Q Business, now generally available, helps boost workforce productivity with generative AI and the Amazon Q Business User Guide.


About the authors

Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.

Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.
