Organizations can face two critical challenges with conversational AI. First, users need answers where they work—in their CRM, support console, or analytics portal—not in separate tools. Second, implementing a secure embedded chat in their applications can require weeks of development to build authentication, token validation, domain security, and global distribution infrastructure.
Amazon Quick Suite embedded chat helps solve the first challenge by bringing conversational AI directly into your applications, so users can query structured data, search documents, and trigger actions without switching tools.
In this post, we show you how to solve the second challenge with a one-click deployment solution to embed the chat agents using the Quick Suite Embedding SDK in enterprise portals.
Solution overview
The solution deploys a secure web portal for the embedded chat using Amazon CloudFront for global content delivery, Amazon Cognito for OAuth 2.0 authentication, Amazon API Gateway for REST API endpoints, AWS Lambda for serverless API processing, and OpenID Connect (OIDC) federation for identity integration with Quick Suite.
The solution implements defense-in-depth security with multiple layers of protection: DDoS protection on CloudFront, a private Amazon Simple Storage Service (Amazon S3) bucket with origin access control helping prevent direct access to frontend assets, AWS WAF rate limiting protection on API Gateway, and JSON Web Token (JWT) signature validation using Amazon Cognito public keys before generating time-limited user-specific embed URLs with least-privilege AWS Identity and Access Management (IAM) permissions.
The following diagram illustrates the solution architecture.
The workflow consists of the following steps:
- Users access the web portal URL, which routes to CloudFront.
- CloudFront uses origin access control to fetch HTML, CSS, and JavaScript files from a private S3 bucket.
- The web application checks for a valid authentication token and redirects unauthenticated users to the Amazon Cognito hosted UI for OAuth 2.0 login.
- Users enter credentials on the Amazon Cognito login page, which validates them and redirects back to the CloudFront URL with a single-use authorization code.
- The application extracts the authorization code and makes an HTTPS API call to API Gateway, which passes through AWS WAF rate limiting.
- API Gateway invokes a Lambda function with the authorization code.
- The Lambda function makes a server-to-server HTTPS call to the Amazon Cognito OAuth token endpoint, exchanging the authorization code for JWT tokens (ID token, access token, refresh token).
- The function validates the ID token’s cryptographic signature using the Amazon Cognito JSON Web Key Set (JWKS) public keys with thread-safe caching.
The following is a decoded JWT example:
- The Lambda function calls the AWS Security Token Service (AWS STS) AssumeRoleWithWebIdentity API with the verified ID token to assume the IAM web identity role and receive temporary AWS credentials.
- The function uses the temporary credentials to call the Quick Suite ListUsers API to verify the user exists, then calls the GenerateEmbedUrlForRegisteredUser API to help generate a secure embedded URL with domain restrictions.
- The function returns the embed URL in a JSON response with cross-origin resource sharing (CORS) headers through API Gateway to CloudFront. The following is an embed URL example:
- The CloudFront application uses the Quick Suite Embedding SDK to create an embedding context and render the chat interface in an HTML iframe with secure cross-origin communication.
You can deploy the solution with the following high-level steps:
- Deploy the serverless infrastructure using the AWS Cloud Development Kit (AWS CDK).
- Provision users in Amazon Cognito and Quick Suite.
- Share the Quick Suite assets (chat agent and associated connections, knowledge base).
- Access the web portal to use Quick Suite chat agents.
Prerequisites
The following prerequisites are required to deploy the solution demonstrated in this post:
Deploy serverless infrastructure using AWS CDK
Complete the following steps to deploy the serverless infrastructure using the AWS CDK:
- Clone the GitHub repository:
- Deploy the infrastructure:
You will be prompted to enter your AWS Region code, AWS CloudFormation stack ID and portal title, and your AWS CLI profile.



Provision users in Amazon Cognito and Quick Suite
Complete the following steps to provision users in Amazon Cognito and Quick Suite:
- Create an Amazon Cognito user in an Amazon Cognito user pool:

- Create a federated user in Quick Suite:

Share Quick Suite chat agent
Complete the following steps to share your Quick Suite chat agent:
- Sign in to the Quick Suite console using credentials with the Quick Suite Author Pro role.
- Choose Chat agents in the navigation pane.
- Select the agents you want to share (for example, AnyCompany Ecom order assistant) and choose Share.

- Search for the user name (for example, user123@example.com) you created earlier.
- Choose Share.


After sharing this agent, you also need to share each linked resource of the agent individually to confirm full functionality.
Access web portal to use the Quick Suite chat agents
Complete the following steps to access the web portal and start using the chat agents:
- Look for the temporary password in the Amazon Cognito verification email.
- Access the CloudFront URL from your web browser with the user ID and temporary password.
- You will be prompted to change your password at your first login.
After the successful login, you can see My Assistant in the chat interface.
- Choose the Region to connect to the custom Quick Suite chat agents.

- To see the chat agents shared with you, choose Shared with me under Filter.

- Choose the agent you want and start chatting.

The following screenshots show chat interactions of a customer service representative tracking an example online order and processing its return as requested by a verified customer over the phone.




Clean up
To clean up your resources, delete the AWS resources deployed:
Conclusion
This solution addresses core challenges for embedding conversational AI at scale: securing authentication for thousands of concurrent users across global locations, maintaining enterprise-grade security with comprehensive audit trails, and simplifying deployment with automated infrastructure provisioning. You can customize the portal branding, adjust security policies, and integrate with existing identity providers. You can scale to thousands of concurrent users automatically while maintaining pay-as-you-go pricing.
To try this solution, clone the GitHub repository and deploy the complete infrastructure with one click to embed Quick Suite chat agents.
About the authors
Satyanarayana Adimula is a Senior Builder in AWS Generative AI Innovation & Delivery. Leveraging over 20 years of data and analytics expertise, he specializes in building agentic AI systems that enable large enterprises to automate complex workflows, accelerate decision-making, and achieve measurable business outcomes.
