Deploying and Configuring Access for Your Amazon Q Chatbot: A Step-by-Step Guide

Angelo Malatacca
5 min readApr 3, 2024

In the previous blog, we embarked on a culinary journey, creating a bot that recommends delicious recipes, all powered by Amazon Q features. Today we’ll look at how to deploy the web experience and configure access via an Identity Provider (IdP). This will allow us to seamlessly access our new application, not through the AWS console, but directly through the designated web address.

Deploy the web experience

The first thing to do is select the application created and then click on Deploy web experience

Create a new service role

And now we need to connect and Identity Provider (IdP) for the application. The IdP will handle the login and registration for everyone wanting to use the chatbot. There are several options you can choose from, Microsoft Entra ID, formerly known as Azure Active Directory, Okta or AWS IAM Identity Center, formerly called AWS Single-Sign On. The latter should not be confused with AWS Identity and Access Management (IAM) which manages AWS account user roles.

In this blog we will use AWS IAM Identity Center so search for IAM in the services search bar and select it, being careful not to close the page relating to the deployment of the web experience.

In the options on the left select Applications and then at the top right Add application.

Select the option I have an application i want to set up

Scroll down and select SAML 2.0 as Application type and click Next.

Give the application a name, a description (optional) and download the IAM Identity Center SAML metadata file.

Scrolling further down we can ignore the options relating to Application properties and fill in those relating to Application metadata. These two values, Application ACS URL e Application SAML audience are found on the web experience deployment page that we left open previously. Let’s go back to that page and copy the two values.

Paste them where required and continue with Submit.

Return to the page relating to the deployment of the web experience. Import the metadata file downloaded before and insert Email in the Email attribute of SAML assertion field. Finally, click on Deploy.

Now you’ll have the link to the web experience. By opening it you’ll be redirected to the chatbot but first we need to create a user.

Create a user

On the AWS IAM Identity Center page, click on Users on the left and Add user on the right.

Choose a Username, how to receive the password and enter Email address, First name e Last name.

Click on next, choose if you want to add the user to a group (optional) on the next page and continue with Next, check that the data is correct on the next page and proceed with Add user. Now we have added our user

and we should have received the email containing all the information to log in.

Click on Accept invitation and you’ll be redirected to the page that will allow you to create the access password.

Let’s go back to the AWS console and in the left menu click on Applications, then on the Customer managed tab and then open the application.

Open the Actions menu at the top right and select Edit attribute mappings.

In the field Maps to this string value or user attribute in IAM Identity Center insert ${user:email}, add a new attribute mapping, call it Email and use ${user:email} as a value making sure that both are set as Format unpsecified. Then save the changes.

At this point we need to assign users to the application. To do this, click on Assign users and groups.

Select the created user and click on Assign users.

Now you can use the user to access the web experience. Go back to the Amazon Q applications page and click on the Deployed URL relating to the application.

Use the credentials received via email and select the application created.

And now you can have fun using your chatbot.

And there you have it! You’ve successfully created a user, assigned to your application, and logged into the web experience of your chatbot. This is a significant step in making your chatbot accessible to a wider audience without the need for the AWS console.

Remember, the AWS IAM Identity Center allows you to manage users and their access to your application. You can add more users, assign them to groups, and manage their permissions as needed.

Thank you for following along in this blog post. I hope you found it informative and helpful.
If you missed the previous blog, you can find it here.



Angelo Malatacca

AWS Solutions Architect certified | ex AWS Community Builder | IT lover and addicted