# Integrate third-party applications (3p apps) in the Amazon Connect agent workspace Integrate third-party applications (3p apps) Amazon Connect agent workspace is a single, intuitive application that provides your agents with the tools and step-by-step guidance they need to resolve issues efficiently, improve customer experiences, and onboard faster. In addition to using first-party applications in your agent workspace, such as Customer Profiles, Cases, and Connect AI agents, you can integrate third-party applications. **Note** This functionality is only supported in the default agent workspace; it is not supported when using a custom CCP. For example, you can integrate your proprietary reservation system or a vendor-provided metrics dashboard, into the Amazon Connect agent workspace. If you are a developer interested in building a third-party application, see the [Agent Workspace Developer Guide](https://docs.aws.amazon.com/agentworkspace/latest/devguide/getting-started.html). **Topics** + [Requirements](#onboard-3p-apps-requirements) + [How to add an integration](#onboard-3p-apps-how-to-integrate) + [Delete integrations](#delete-3p-apps) + [Assign permissions](assign-security-profile-3p-apps.md) + [Iframe permissions when granting third-party application access](3p-apps-iframe-permissions.md) + [Integrate an MCP server](3p-apps-mcp-server.md) + [Events and requests](3p-apps-events-requests.md) + [Access third-party applications in the agent workspace](3p-apps-agent-workspace.md) + [Access the Worklist app](worklist-app.md) + [Third-party application SSO Federation setup](3p-apps-sso.md) + [Use screen pop functionality of third-party applications in the Amazon Connect agent workspace](no-code-ui-builder-app-integration.md) + [Workshop for building a third-party app](https://catalog.workshops.aws/amazon-connect-agent-empowerment/en-US/third-party-applications/test) ## Requirements Requirements If you're using custom IAM policies to manage access to third-party applications, your users need the following IAM permissions to integrate a third-party application using the AWS Management Console. In addition to `AmazonConnect_FullAccess`, users need: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "app-integrations:CreateApplication", "app-integrations:GetApplication", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:app-integrations:us-east-1:111122223333:application/*", "Effect": "Allow" } ] } ``` ------ ## Integrations How to add an integration **Note** To add an integration to your instances, ensure that your instance is using a Service-Linked Role (SLR). If your instance currently does not use an SLR but you wish to add an integration, you will need to migrate to an SLR. Integration can only be add to instances that are using an SLR. For more information, see [For instances created before October 2018](connect-slr.md#migrate-slr). 1. Open the Amazon Connect [console](https://console.aws.amazon.com/connect/) (https://console.aws.amazon.com/connect/). 1. On the left navigation pane, choose **Integrations**. If you do not see this menu, it's because it is not available in your region. To check the regions where this feature is available, see [Availability of Amazon Connect features by Region](regions.md). 1. On the **Integrations** page, choose **Add integration**. ![\[The properties page of the Set contact attributes block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-list.png) 1. On the **Add integration** page, enter: 1. **Basic information** 1. **Display name**: A friendly name for the integration. This name is displayed on security profiles and to your agents on the tab in the agent workspace. You can come back and change this name. 1. **Description (optional)**: You may optionally provide any description for this integration. This description is not displayed to agents. 1. **Integration type**: Indicates whether the integration is a standard web application, service, or MCP server. This determines how the integration will be accessed within the system. 1. **Integration identifier**: The official name that is unique for integrations of type standard application or service. If you have only one application per access URL, we recommend that you use the origin of the access URL. You cannot change this name. 1. **Initialization timeout**: The maximum time allowed to establish a connection with the workspace. The time allowed is in milliseconds. This setting helps manage connection issues and ensures timely application startup. 1. **Application details** 1. **Contact Scope**: Indicates whether the web application refreshes for each contact or refreshes only with each new browser session. This setting affects how frequently the application updates its data. 1. **Initialization timeout**: The maximum time allowed to establish a connection with the workspace. The time allowed is in milliseconds. This setting helps manage connection issues and ensures timely application startup. 1. **Access** 1. **Access URL**: This is the URL where your application is hosted. The URL must be secure, starting with https, unless it's a local host. **Note** Not all URLs can be iframed. Here are two ways to check if the URL can be iframed: There is a third-party tool available to help check if a URL can be iframed that is called [Iframe Tester](http://iframetester.com/). If a URL can be iframed, it will render in a preview on this page. If a URL cannot be iframed, it will display an error in the preview on this page. It is possible that this website displays an error, and the app can still be iframed in the agent workspace. This is because the app developer can lock down their app to only be embeddable into the workspace and nowhere else. If you received this app from an app developer, we recommend that you still try integrating this app into the agent workspace. For technical users: Check the security policy content of the application you are trying to integrate. Firefox: Hamburger menu > More tools > Web developer tools > Network Chrome: 3 dots menu > More tools > Developer tools > Network Other browsers: Locate the network settings in the developer tools. The Content-Security-Policy frame-ancestors directive should be `https://your-instance.my.connect.aws`. If the directive is `same origin` or `deny`, then this URL cannot be iframed by AWS/Amazon Connect Here's what you can do if the app cannot be iframed: + If you control the app/URL, you can update the app's content security policy. Follow the best practices for app developers/ Ensuring that apps can only be embedded in the Amazon Connect agent workspace section [here](https://docs.aws.amazon.com/agentworkspace/latest/devguide/recommendations-and-best-practices.html). + If you do not control the app/URL, you can try reaching out to the app developer and asking them to update the app's content security policy. 1. **Approved origins (optional)**: Allowlist URLs that should be permitted, if different than the access URL. The URL must be secure, starting with https, unless it's a local host. 1. Add permissions to [events and requests](3p-apps-events-requests.md). The following is an example of how you can onboard a new application and assign permissions to it by using the AWS Management Console. In this example, six different permissions are assigned to the application. **Providing basic information and access details** 1. **Instance association** 1. You may give any instance(s) within this account-region access to this application. 1. While associating the integration with an instance is optional, you will not be able to use this application until you associate it with instance(s). **Note** For MCP servers, you can only select the instance that is configured with the selected Gateway's Discovery URL. ![\[Providing basic information and access details.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-add-basic-info.png) **Granting permissions to the application for workspace data integration** ![\[Granting permissions to the application for workspace data integration.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-add-permissions.png) **Iframe configuration** ![\[Iframe configuration.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-add-iframe-config.png) 1. Choose **Add integration**. 1. If the integration was successfully created, you will be sent to the **Integration details** page, and you will see a success banner. ![\[Granting permissions to the application for workspace data integration.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-view.png) You can edit certain attributes of an existing app, such as its Display Name, Access URL, and Permissions. 1. If there was an error in either creating the application or associating the application to an instance, then you will see an error message, and you can take the corresponding action to correct the issue. ## Delete integrations Delete integrations If you no longer want to use an integration in the foreseeable future, you can delete it. If you temporarily want to stop using it, but you may want to use it again in the foreseeable future, we recommend that you disassociate it from an instance to avoid having to add it again. To delete integrations, navigate to the AWS Management Console, select an integration, and choose **Delete**. **Troubleshooting** + The operation will fail if the integration is associated with any instance. You will first have to disassociate the integration from any instance. Then you can come back and delete it. **Tip** If you created an integration before Dec 15, 2023, then you may encounter issues when updating the association of the integration to instance(s). This is because you need to make updates to your IAM policy. ![\[IAM error when trying to delete an integration due to insufficient permissions\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-3p-apps.png) Your IAM policy will need to be updated to include the following permissions: + `app-integrations:CreateApplicationAssociation` + `app-integrations:DeleteApplicationAssociation` ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "app-integrations:CreateApplication", "app-integrations:GetApplication" ], "Resource": "arn:aws:app-integrations:us-east-1:111122223333:application/*", "Effect": "Allow" }, { "Action": [ "app-integrations:CreateApplicationAssociation", "app-integrations:DeleteApplicationAssociation" ], "Resource": "arn:aws:app-integrations:us-east-1:111122223333:application-association/*", "Effect": "Allow" }, { "Action": [ "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::111122223333:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*", "Effect": "Allow" } ] } ``` ------ # Security profile permissions for using third-party applications in Amazon Connect Assign permissions This topic describes the security profiles permissions that are required to access third-party applications that you have onboarded and associated. For a list of third-party application permissions and their API name, see [List of security profile permissions in Amazon Connect](security-profile-list.md). ## Third-party application permissions Third-party application permissions **Note** After associating an application to an instance, you may have to wait up to 10 minutes to see the application appear the **Agent Applications** section of the **Security profiles** page. Any applications that you have onboarded to AWS and associated with your Amazon Connect instance appear in the **Agent Applications** section of the **Security profiles** page, as in the following image. ![\[The Agent applications section of the Security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/assign-security-profile-3p-apps-displayed.png) You also need to give access to the CCP in order for the app launcher menu to appear. ![\[Applied access permissions for the CCP Access Contact Control Panel.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/assign-security-profile-3p-apps-ccp-permissions.png) After you assign permissions, review how to [Access third-party applications in the Amazon Connect agent workspace](3p-apps-agent-workspace.md). # Iframe permissions when granting third-party applications access to Amazon Connect Iframe permissions when granting third-party application access When configuring third-party applications through either the AWS Console's `onboarding` UI or API, you have the ability to specify `iframe` permission settings. These permissions can be modified even after the application has been set up. By default, all third-party applications are granted four basic `iframe` permissions: `allow-forms`, `allow-popups`, `allow-same-origin`, and `allow-scripts`. Since some applications may require enhanced functionality, additional `iframe` permissions can be requested during the application registration process. **Note** The browser compatibility for the following permissions could vary by different browser implementations. | Permission | Description | | --- | --- | | Allow | | | clipboard-read | Controls whether the application is allowed to read data from the clipboard. Its currently supported by Chrome, but not by Firefox and Safari. | | clipboard-write | Controls whether the application is allowed to write data to the clipboard. Its currently supported by Chrome, but not by Firefox and Safari. | | microphone | Controls whether the application is allowed to use audio input devices. | | camera | Controls whether the application is allowed to use video input devices. | | Sandbox | | | allow-forms | Allows the page to submit forms. Its supported by default. | | allow-popups | Allows the application to open popups. Its supported by default. | | allow-same-origin | If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs). Its supported by default. | | allow-scripts | Allows the page to run scripts. Its supported by default. | | allow-downloads | Allows downloading files through an or element with the download attribute, as well as through the navigation that leads to a download of a file | | allow-modal | Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a is allowed regardless of this keyword | | allow-storage-access-by-user-activation | Allows to use the Storage Access API to request access to unpartitioned cookies. | | allow-popups-to-escape-sandbox | Allows to open a new browsing context without forcing the sandboxing flags upon it | ## Sample Configuration Sample Configuration Iframe permissions can be configured using a similar template to the following. For example, to grant clipboard permissions: ``` { "IframeConfig": { "Allow": [ "clipboard-read", "clipboard-write" ], "Sandbox": [ "allow-forms", "allow-popups", "allow-same-origin", "allow-scripts" ] } } ``` **Important Notes** 1. By default, if the iframe configuration field is left blank or set to empty curly braces \$1\$1, the following sandbox permissions are automatically granted: + allow-forms + allow-popups + allow-same-origin + allow-scripts ``` { "IframeConfig": { "Allow": [], "Sandbox": ["allow-forms", "allow-popups", "allow-same-origin", "allow-scripts"] } } ``` 1. To explicitly configure an application with no permissions, you must set empty arrays for both `Allow` and `Sandbox`: ``` { "IframeConfig": { "Allow": [], "Sandbox": [] } } ``` # Integrate an MCP server with Amazon Connect Integrate an MCP server To integrate an MCP server with Amazon Connect, you must configure a Bedrock AgentCore gateway. The gateway transforms your APIs, Lambda functions, and services into MCP-compatible tools for AI agents. **Note** Only one instance can be associated with a gateway, and that instance must be configured with the gateway's Discovery URL in Bedrock AgentCore. Each gateway can only be used with one MCP server. ## How to integrate an MCP server 1. On the **Add integration** page, enter the following information: 1. **Basic information** + **Display name** – A friendly name for the application. This name is displayed on security profiles and to your agents on the tab in the agent workspace. You can change this name later. + **Description (optional)** – You may optionally provide a description for this application. + **Integration type** – Select **MCP server**. ![\[The Add integration page showing Basic information fields for an MCP server application.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-3p-mcp-app.png) 1. **Application details** Select a Bedrock AgentCore gateway to connect with Amazon Connect. Gateways convert APIs, Lambda functions, and services into MCP-compatible tools for AI agents. If no gateways currently exist, create a new one using Bedrock AgentCore. ![\[The Application details section showing gateway selection.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/integrations-3p-mcp-select-gateway.png) A new gateway can be created in Bedrock AgentCore. **Note** The Discovery URL must follow this format: `[connect instance URL]/.well-known/openid-configuration`. For example: `https://my-instance.my.connect.aws/.well-known/openid-configuration`. ![\[Additional gateway configuration options.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-mcp-bedrock.png) 1. **Instance association (optional)** Select the instance that is configured with the selected gateway's Discovery URL. Defaults to **None**. If you are not ready to select an instance or if no instance has been associated with the selected gateway's Discovery URL, you may still create the MCP server integration now and associate an instance later. ![\[The Instance association section showing instance selection options.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-mcp-instance.png) 1. Choose **Add integration**. 1. If the integration was successfully created, you will be sent to the **View integration** page where you will see a success banner and the integration summary. ![\[The View integration page showing a success banner after integrating an MCP server.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-mcp-success.png) # Events and requests when granting third-party applications access to Amazon Connect Events and requests This topic lists the permissions you must explicitly give to third party applications to access Amazon Connect data. **Note** If you are a developer, review how to create applications that react to events: [Integrate application with Amazon Connect Agent Workspace agent data](https://docs.aws.amazon.com/agentworkspace/latest/devguide/integrate-with-agent-data.html). When you onboard third-party applications by using the API or the onboarding UI in the AWS Management Console, you must explicitly give third-party applications permissions to Amazon Connect data. You can also edit the permissions on an existing app. To understand the effects of assigning a particular permission, review the following permissions, description, and corresponding requests and events. For example, if you assign the permission `User.Details.View` to the application, then it will have the ability to make the following requests: `agent.getName` and `agent.getARN`. If your app attempts to subscribe to an event or make a request for data that it does not have permission for, your app may not function as intended. To learn more about each request and event, see the [API Reference](https://docs.aws.amazon.com/agentworkspace/latest/devguide/api-reference-3p-apps-events-and-requests.html.html). | Permission | Description | Requests | Events | | --- | --- | --- | --- | | User.Details.View | Details about the agent, such as their full name and User ARN | agent/getName agent/getARN | | | User.Configuration.View | Configuration information about the agent, such as their associated routing profile | agent/getRoutingProfile agent/getChannelConcurrency agent/getExtension getLanguage agent/listAvailabilityStates agent/listQuickConnects voice/getOutboundCallPermission voice/listDialableCountries | onLanguageChanged | | User.Status.View | Details about the agent's status | agent/getState | agent/onStateChanged | | Contact.Details.View | Details about the contact available in the workspace | contact/getInitialContactId contact/getChannelType contact/getStateDuration contact/getQueue contact/getQueueTimestamp | contact/onCleared contact/onMissed contact/onStartingAcw contact/onConnected | | Contact.CustomerDetails.View | Details about your customers, such as the phone number they're calling from (Voice only) | voice/getInitialCustomerPhoneNumber | | | Contact.Attributes.View | Metadata about the contact | contact/getAttribute contact/getAttributes | | | User.Status.Edit | Modify agent status | agent/setAvailabilityState agent/setAvailabilityStateByName agent/setOffline | | | Contact.Details.Edit | Contact edit capabilities, like making outbound calls or transferring calls. | voice/createOutboundCall contact/transfer contact/addParticipant contact/accept contact/clear | | | \$1 | Provides access to all requests and events. | | | # Access third-party applications in the Amazon Connect agent workspace Access third-party applications in the agent workspace ## Important things to know Important things to know + On Jul 22, 2024, Google [announced](https://privacysandbox.com/news/privacy-sandbox-update/) that they no longer plan to deprecate third-party cookies and instead provide an opt-in mechanism for deprecating third-party cookies. Opting into third-party cookie deprecation may impact the third-party applications experience. If you are using third-party apps in the Amazon Connect Agent workspace on the Chrome browser, we recommend that you: + **Temporary solution**: Update [Enterprise Chrome policies](https://support.google.com/chrome/a/answer/7679408?sjid=16745203858910744446-EU#upChromeBrsrBB117)). You can set `BlockThirdPartyCookies` Policy to false and safeguard your agent experience from immediate impact due to 3P Cookie Deprecation. + **Permanent solution**: We recommend that app developers follow [best practices](https://developers.google.com/privacy-sandbox/3pcd) that will continue to pass third-party cookies. + You must have [integrated the application](https://docs.aws.amazon.com/connect/latest/adminguide/3p-apps.html) and the agent must have [access to the application](https://docs.aws.amazon.com/connect/latest/adminguide/assign-security-profile-3p-apps.html) by using security profiles. The agent must also have access to the CCP in order for the application launcher to appear. ## Use the app launcher to access third-party applications Use the app launcher Agents can access third-party applications in the agent workspace by using the apps launcher, shown in the following image. The apps launcher appears on the agent workspace after you have successfully [onboarded](3p-apps.md) your third-party app. ![\[The apps launcher on the agent workspace.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/agent-workspace-apps-launcher.png) The app launcher shows a list of applications that the agent has access to. The agent can launch applications when they don't have any contacts (they are in the idle state) or when they are on a contact (call, chat, or task). After an app is opened for a given contact, it stays open until that contact is closed. ## Required security profile permissions to access third-party applications Required security profile permissions Agents need the following security profiles permissions to access third-party apps: + **Contact Control Panel (CCP) - Access the CCP** + Access to at least one third-party application - it appears in the security profile page after you have successfully [onboarded](3p-apps.md) your third-party app. ## Pin apps on the agent workspace Pin apps on the agent workspace Agents can pin an app as open. On the apps tab, choose the More icon and then select **Pin tab**, as shown in the following image. ![\[The pin tab open on the agent workspace.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-agent-workspace-pinned-1.png) After an app is pinned, it stays open in the idle state and pops open for any contacts that come in. The app stays pinned for that user and browser until the user clears the cookies on the browser. An agent can unpin the tab if they no longer want this app to always be open; they will still be able to open and close the app as needed. ### Examples of apps pinned on the agent workspace Examples of pinned apps The following image shows an example of a third-party app named NoteTest that is pinned to the agent workspace. ![\[A third-party note test app that is pinned to the agent workspace.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-agent-workspace-notes-app.png) The following image shows an example of a third-party app named Maps that is pinned to the agent workspace. ![\[A third-party maps app that is pinned to the agent workspace.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/3p-apps-agent-workspace-maps-app.png) # Access the Worklist app in the Amazon Connect agent workspace Access the Worklist app The Worklist app enables agents with the required permissions and routing profile settings to manually prioritize and assign queued work to themselves. The following steps explain how to provide your users access to the Worklist app in their workspaces. **Note** An agent can only access the Worklist App in the Agent Workspace if they have a Security Profile with the appropriate permissions described below. 1. Update the security profiles by selecting one of these permissions: + **Allow 'Assign to me' for any contact** permission - Enables agents to view contacts under any of these conditions: + Current Agent is the only Preferred Agent on the Contact. + Current Agent is one of the Preferred Agents on the Contact. + Any Agent or set of Agents are Preferred Agents on the Contact. + Contact with no Preferred Agents. + **Allow 'Assign to me' for my contact** permission - Enables agents to view contacts under these conditions: + Current Agent is the only Preferred Agent on the Contact. + Current Agent is one of the Preferred Agents on the Contact. ![\[Contact actions for the Worklist app.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-app-1.png) Once these permissions are assigned, they will be reflected on the **Security Profile Page**. ![\[Security profile permissions for the Worklist app.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-security-profile.png) ![\[Security profile permissions for the Worklist app.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-security-profile-2.png) 1. Update the routing profile settings to specify queue / channels for manual assignment in the new section. ![\[Routing profile settings for the Worklist app.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-routing-profile.png) 1. Once the security profile and routing profile settings are updated, the agent will see the Worklist app in their workspace: ![\[Worklist app in the agent workspace.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-workspace-view.png) ## Available filter options The available filter options depend on the agent's permissions: + An Agent with **Allow 'Assign to me' for any contact** can view these filter options: ![\[Filter options for agents with 'Assign to me' for any contact permission.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-filter-any-contact.png) + An Agent with **Allow 'Assign to me' for my contact** can view these filter options: ![\[Filter options for agents with 'Assign to me' for my contact permission.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-filter-my-contact.png) ## Time Range filter for contact history By default, the Worklist app displays contacts created in the last 2 weeks. To view contacts created beyond this timeframe, use the Time Range filter to select a specific date range. The Time Range filter allows you to select any date range within the past 90 days. ![\[The Worklist app showing the Time Range filter for selecting contact history date ranges.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/worklist-time-range-filter.png) # Set up SSO Federation for third-party apps in your Amazon Connect instance Third-party application SSO Federation setup A user can use Single-Sign-On to federate into multiple third-party applications that have been setup within their Amazon Connect instance without the need to authenticate separately for each application. **Note** Your third-party (3P) application can seamlessly complete the Sign-On flow within an iframe, provided that the Identity Provider supports iframing their sign-in page. Refer to the Identity Provider guides for detailed information on iframing capabilities. **Setup SSO for third-party apps that exist within your Amazon Connect instances** 1. Set up an Identity Provider or use an existing Identity Provider. 1. Set up users within the Identity Provider. 1. Set up an Amazon Connect instance and [Configure SAML with IAM for Amazon Connect](configure-saml.md). 1. Set up other applications within your Identity Provider which you will be integrating with your Amazon Connect instance. 1. Attach each individual user identity to any applications within the Identity Provider that will be integrated with your Amazon Connect instance. You can control which agent has access to an application on the Amazon Connect agent workspace by providing more granular application specific permissions in security profiles. For more information, see [Security profile permissions for using third-party applications in Amazon Connect](assign-security-profile-3p-apps.md). 1. After a user has signed into their Identity Provider, they can federate into their Amazon Connect instance which has third-party applications configured and they can federate into each application (if the application has been setup for SSO) without the need of their username and password.