AWS Business Intelligence Blog
Federate Amazon QuickSight access with OneLogin
Amazon QuickSight is a scalable, serverless, embeddable, machine learning (ML)-powered business intelligence (BI) service built for the cloud that supports identity federation in both Standard and Enterprise editions. Organizations are working toward centralizing their identity and access strategy across all their applications, including on-premises and third-party applications. Many organizations use OneLogin as their identity provider (IdP) to control and manage user authentication and authorization centrally. QuickSight can integrate with OneLogin through the use of single sign-on (SSO) and SAML 2.0 authentication. With this integration, users can access QuickSight using their existing OneLogin credentials, providing a seamless and secure authentication experience. In this post, we walk you through the steps to configure federated SSO to QuickSight with OneLogin as your IdP.
This solution proposes directly integrating QuickSight with OneLogin as your IdP if your organization hasn’t adopted AWS IAM Identity Center. However, if you are already using or planning to implement IAM Identity Center, it’s advisable to integrate OneLogin with IAM Identity Center instead.
With IAM Identity Center, you gain enhanced access management and a seamless user experience, including centralizing user and group management, quickly provisioning new users and teams with minimal effort, effortlessly scaling access as your organization grows, and cross-service identity sharing to use capabilities such as trusted identity propagation and consolidated billing across Amazon Q Business and QuickSight.
Solution overview
The walkthrough includes the following steps:
- Establish the OneLogin application.
- Build a SAML provider in AWS.
- Create QuickSight roles for OneLogin federated users.
- Configure the OneLogin application.
- Set up QuickSight service provider-initiated SSO.
- Access QuickSight using OneLogin SSO.
Prerequisites
To integrate QuickSight with OneLogin, you need to have the following prerequisites in place:
- OneLogin account – You must have an active OneLogin account and permissions to create and modify applications and users.
- QuickSight account – You need a QuickSight account set up in your AWS environment. This account should have the required permissions to configure SAML IdPs.
- IAM permissions – You should have the appropriate AWS Identity and Access Management (IAM) permissions in your AWS account to configure SAML IdPs for QuickSight and to create IAM roles and policies. This typically involves having the necessary IAM policies attached to your user or role.
Before starting the integration process, it’s recommended to gather all the necessary information and make sure you have the required permissions and access to both QuickSight and OneLogin environments. Additionally, it’s a good practice to test the integration in a non-production environment to verify its functionality and identify any potential issues or configuration adjustments needed before deploying to a production environment.
Establish the OneLogin application
In this section, you create the OneLogin application for your enterprise’s use of QuickSight.
- Log in to your OneLogin admin dashboard and choose the Administration tab. If you don’t have an account, you can create a free OneLogin account using your business email.
- Choose Applications from the top menu.
- Choose Add App.
- On the Find Applications page, enter Amazon Web Services in the search bar and choose Amazon Web Services (AWS) RelayState.
- Under Configuration, for Display Name, enter a name (for example, Amazon QuickSight Administrator) and choose Save.
- In the navigation pane, choose Configuration.
- On the Application details page, for RelayState, enter https://quicksight.aws.amazon.com.
- Choose the SSO tab, copy the value for Issuer URL, and paste it into a new browser tab. It returns the OneLogin IdP metadata XML; save this file, because you import it into IAM in the next section.
- In this solution, you need to create a OneLogin application for each QuickSight role (author, reader, and administrator). Repeat the preceding steps to create additional OneLogin applications for the author and reader roles.
Build a SAML provider in AWS
In this section, you create the AWS IdP that integrates with OneLogin.
- On the IAM console, choose Identity providers from the navigation pane.
- Choose Add provider.
- For Provider type, select SAML. For Provider name, enter OneLoginQuickSightAdministrator, upload the metadata document downloaded in the previous section, and choose Add provider.
- Go to the newly created IdP and make a note of its Amazon Resource Name (ARN) to use later.
- Because OneLogin doesn't allow multiple roles for an AWS relay application, you need a SAML IdP for each QuickSight profile. Create the IdPs for QuickSight author and QuickSight reader by repeating the previous steps, choosing the SAML metadata downloaded from the corresponding OneLogin application for each.
Create QuickSight roles for OneLogin federated users
In this section, you create IAM SAML 2.0 federation roles that authenticated OneLogin users can assume. Each role carries the IAM permission that lets QuickSight provision the user, with the matching QuickSight role, at their first sign-in.
You first create the policies and then the corresponding roles for each QuickSight user type (administrator, author, and reader).
Create IAM policies
Complete the following steps to create your IAM policies:
- On the IAM console, under Access management in the navigation pane, choose Policies.
- Choose Create policy.
- Under Specify permissions, choose JSON, replace the sample policy template with the administrator policy document, and choose Next. This policy grants only the permission needed to create an admin user in QuickSight, and you attach it to the administrator role in the following steps.
- On the Review and create page, enter the name QuickSightOneLoginCreateAdminPolicy and choose Create policy.
- Repeat the previous steps to create the policies for the author and reader personas, using the corresponding JSON policy documents and the names QuickSightOneLoginCreateAuthorPolicy and QuickSightOneLoginCreateReaderPolicy.
Create IAM roles
Create one IAM role for each QuickSight persona (administrator, author, and reader). The role a user assumes through OneLogin determines the QuickSight role they are provisioned with at first sign-in.
- On the IAM console, under Access management in the navigation pane, choose Roles.
- Choose Create role.
- For Trusted entity type, select SAML 2.0 federation.
- In the SAML 2.0 Federation section, for SAML 2.0-based provider, choose the OneLoginQuickSightAdministrator IdP created earlier, and for Access to be allowed, select Allow programmatic and AWS Management Console access. This option writes a trust policy that allows sts:AssumeRoleWithSAML only for that provider, with a SAML:aud condition of https://signin.aws.amazon.com/saml.
- Choose Next.
- Add the permissions created for the QuickSight administrator profile by searching for and selecting QuickSightOneLoginCreateAdminPolicy, then choose Next.
- Under Name, review, and create, enter QuickSightOneLoginAdminRole for Role name, and choose Create role.
- Go to the role you just created (QuickSightOneLoginAdminRole) and make a note of the ARN of the role (for example, arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole).
- Because OneLogin doesn't allow multiple roles per AWS relay application, you need a separate SAML role for each QuickSight profile. Create the QuickSightOneLoginAuthorRole and QuickSightOneLoginReaderRole roles by repeating the previous steps, choosing the matching author and reader IdPs as the trusted entity and attaching QuickSightOneLoginCreateAuthorPolicy and QuickSightOneLoginCreateReaderPolicy respectively.
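The IAM documents this section has you create by hand can also be generated and checked programmatically. The following Python is an added example, not code from the original post or from AWS: it assumes the QuickSight IAM action names quicksight:CreateAdmin, quicksight:CreateUser and quicksight:CreateReader for the administrator, author and reader personas, and it reproduces the trust policy the console writes for a SAML 2.0 federation role with programmatic and console access (a Federated principal for the provider plus a SAML:aud condition). The account ID and provider name are placeholders. The audit function is the check worth running on every role created here: the role must trust exactly the OneLogin provider built for it, and nothing else.

```python
"""Generate and audit the IAM policy documents behind a QuickSight persona role.

Added example; this is not code from the original post. It assumes the
QuickSight IAM action names quicksight:CreateAdmin, quicksight:CreateUser and
quicksight:CreateReader for the administrator, author and reader personas,
and the SAML audience the IAM console writes when you choose "Allow
programmatic and AWS Management Console access". Account ID 555555555555 and
the provider name are placeholders.
"""
import json

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
EXAMPLE_PROVIDER = "arn:aws:iam::555555555555:saml-provider/OneLoginQuickSightAdministrator"

# Persona -> the one QuickSight action its role needs so that the user is
# created in QuickSight with that persona at first sign-in (assumed names).
PERSONA_ACTIONS = {
    "administrator": "quicksight:CreateAdmin",
    "author": "quicksight:CreateUser",
    "reader": "quicksight:CreateReader",
}


def permission_policy(persona: str) -> dict:
    """Least-privilege permission policy for one persona, e.g. the document
    attached as QuickSightOneLoginCreateAdminPolicy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": PERSONA_ACTIONS[persona],
            "Resource": "*",
        }],
    }


def trust_policy(provider_arn: str) -> dict:
    """Trust policy of a SAML 2.0 federation role: only this IdP may call
    AssumeRoleWithSAML, and only with the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list (and a single statement object) where a
    list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_trust_policy(policy: dict, expected_provider_arn: str) -> list[str]:
    """Return findings for every Allow statement that grants AssumeRoleWithSAML.
    An empty list means the role trusts exactly the expected OneLogin provider
    and nothing else."""
    findings: list[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Federated" not in principal:
            findings.append("statement does not name a Federated (SAML) principal")
            continue
        if set(principal) - {"Federated"}:
            findings.append("statement also trusts non-SAML principals")
        for arn in _as_list(principal.get("Federated")):
            if arn != expected_provider_arn:
                findings.append(f"unexpected federated principal: {arn}")
        aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if aud != [AWS_SAML_AUDIENCE]:
            findings.append("missing or wrong SAML:aud condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(permission_policy("administrator"), indent=2))
    print(json.dumps(trust_policy(EXAMPLE_PROVIDER), indent=2))
    print("findings:", audit_trust_policy(trust_policy(EXAMPLE_PROVIDER), EXAMPLE_PROVIDER))
```

Run the audit against the trust policy of each of the three roles (aws iam get-role returns it as AssumeRolePolicyDocument) and against any role that later appears in a Role attribute from OneLogin; a finding means the role can be assumed through an IdP other than the one you built for it.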
Configure the OneLogin application
In this section, you go back to OneLogin to update the applications (Amazon QuickSight Administrator, Amazon QuickSight Author, and Amazon QuickSight Reader) created with the corresponding IAM roles from the previous section.
- Log in to OneLogin and access your application dashboard.
- Choose the administrator OneLogin application previously created (Amazon QuickSight Administrator).
- Choose Parameters from the navigation pane and update the parameters as follows:
- For Amazon Username, enter Email.
- For Role, choose Macro, and for Value, enter the QuickSightOneLoginAdminRole ARN and the OneLoginQuickSightAdministrator IdP ARN separated by a comma. For example: arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole,arn:aws:iam::555555555555:saml-provider/OneLoginQuickSightAdministrator. Both ARNs must belong to the same AWS account. For Flags, select Include in SAML assertion.
- For RoleSessionName, enter Email.
- Choose Save.
- Add users to the application on OneLogin by going to the Users tab on OneLogin.
- Choose the user that requires access to the application.
- Choose Applications in the navigation pane.
- Choose the plus sign to add an application.
- Assign the Amazon QuickSight Administrator application to your user.
- Choose Continue.
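Once the parameters above are saved, each OneLogin sign-in sends AWS a SAML assertion whose Role attribute carries the role ARN and provider ARN pair and whose RoleSessionName carries the user's email. The following Python is an added example, not code from the original post or from OneLogin: it parses a constructed, unsigned assertion fragment (placeholder ARNs, email address and issuer URL) and applies the checks AWS itself applies to those two attributes, plus an allow-list so that only the QuickSight persona roles and the OneLogin provider are accepted. Signature verification is not shown; AWS performs it against the metadata you imported into IAM.

```python
"""Read the AWS attributes out of a SAML assertion the way AWS will read them.

Added example; this is not code from the original post. The assertion below is
a constructed, unsigned fragment that only exercises the parser: a real
assertion from OneLogin is signed, and AWS accepts it only if the signature
verifies against the metadata imported into IAM. Every ARN, the e-mail
address and the issuer URL are placeholders.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Role and saml-provider ARNs: aws partition, 12-digit account, IAM name/path.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")
# RoleSessionName rule: 2-64 characters from this set.
SESSION_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

ADMIN_ROLE = "arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole"
ADMIN_PROVIDER = "arn:aws:iam::555555555555:saml-provider/OneLoginQuickSightAdministrator"

# Constructed sample of what the Parameters configured in OneLogin
# (Amazon Username = Email, Role = Macro, RoleSessionName = Email) produce.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/3512905</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{ADMIN_ROLE},{ADMIN_PROVIDER}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def aws_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map attribute Name -> list of values from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_role_values(values, allowed_roles, allowed_providers) -> list[str]:
    """Validate each Role value as 'role_arn,provider_arn' (either order):
    two well-formed ARNs, one of each kind, same account, both allow-listed."""
    findings = []
    for raw in values:
        parts = [p.strip() for p in raw.split(",")]
        matches = [ARN_RE.match(p) for p in parts]
        if len(parts) != 2 or not all(matches):
            findings.append(f"not a 'role_arn,provider_arn' pair: {raw!r}")
            continue
        by_kind = {m.group(2): p for m, p in zip(matches, parts)}
        if set(by_kind) != {"role", "saml-provider"}:
            findings.append(f"must pair one role with one saml-provider: {raw!r}")
            continue
        if matches[0].group(1) != matches[1].group(1):
            findings.append(f"role and provider are in different accounts: {raw!r}")
        if by_kind["role"] not in allowed_roles:
            findings.append(f"role is not a QuickSight persona role: {by_kind['role']}")
        if by_kind["saml-provider"] not in allowed_providers:
            findings.append(f"provider is not the OneLogin IdP: {by_kind['saml-provider']}")
    return findings


def check_session_name(values) -> list[str]:
    """RoleSessionName must be a single value AWS accepts; it becomes the
    QuickSight user name, which is why the post maps it to the user's e-mail."""
    if len(values) != 1:
        return ["exactly one RoleSessionName value is required"]
    if not SESSION_RE.match(values[0]):
        return [f"RoleSessionName violates the 2-64 char [\\w+=,.@-] rule: {values[0]!r}"]
    return []


if __name__ == "__main__":
    attrs = aws_attributes(SAMPLE_ASSERTION)
    print(check_role_values(attrs.get(ROLE_ATTR, []), {ADMIN_ROLE}, {ADMIN_PROVIDER}))
    print(check_session_name(attrs.get(SESSION_ATTR, [])))
```

To inspect a live assertion, capture the SAMLResponse form field from the browser's network trace during a test sign-in, base64-decode it, and feed the Assertion element to aws_attributes; a Role value whose two ARNs sit in different accounts, or whose provider is not the IdP you created, is a misconfigured OneLogin parameter rather than a QuickSight problem.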
Set up QuickSight service provider-initiated SSO
In this section, you set up the service provider-initiated federation with QuickSight Enterprise edition.
- Sign in to the QuickSight console and choose Manage QuickSight.
- In the navigation pane, choose Single sign-on (SSO).
- To turn on the service provider-initiated SSO, select On under Status.
- Under Configuration, enter the following parameters:
- For IdP URL, enter https://<sub_domain>.onelogin.com/trust/saml2/http-redirect/sso/<app_id>?RelayState=https%3A%2F%2Fquicksight.aws.amazon.com%2Fsn%2Fstart. The RelayState value is the percent-encoded form of https://quicksight.aws.amazon.com/sn/start.
- For sub_domain, log in to your OneLogin portal page, copy the URL, and take the portion before .onelogin.com/portal. For example, in https://mycompany.onelogin.com/portal the sub_domain is mycompany.
- For app_id, in the OneLogin portal, go to the list of applications, choose your QuickSight application, and copy the numeric ID from the URL of the application page. For example, in https://mycompany.onelogin.com/apps/3512905/edit the app_id is 3512905.
- A complete example is: https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/3512905?RelayState=https%3A%2F%2Fquicksight.aws.amazon.com%2Fsn%2Fstart
- For IdP redirect URL parameter, enter RelayState.
- To test the integration, choose Copy under Test starting with your IdP and Test the end-to-end experience and paste the URLs into a browser window that isn’t signed in to QuickSight.
- After you have tested and verified the SSO functionality, choose Save.
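The IdP URL above is assembled from three pieces, and the RelayState must be percent-encoded exactly once. The following Python is an added example, not code from the original post: it extracts the sub-domain and app ID from the two OneLogin URLs the steps describe, builds the IdP URL, and checks a pasted URL so that a mis-encoded RelayState, or one that does not return the user to quicksight.aws.amazon.com, is caught before you choose Save. The sub-domain mycompany and app ID 3512905 are the post's placeholder values.

```python
"""Assemble and sanity-check the IdP URL for QuickSight SP-initiated SSO.

Added example; this is not code from the original post. The sub-domain
"mycompany" and app ID 3512905 are the post's own placeholder values.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

QUICKSIGHT_START = "https://quicksight.aws.amazon.com/sn/start"
SSO_PATH_RE = re.compile(r"^/trust/saml2/http-redirect/sso/(\d+)$")


def onelogin_sub_domain(url: str) -> str:
    """https://mycompany.onelogin.com/portal -> 'mycompany'."""
    host = urlsplit(url).hostname or ""
    label, sep, rest = host.partition(".")
    if not sep or rest != "onelogin.com" or not label:
        raise ValueError(f"not a OneLogin URL: {url}")
    return label


def app_id_from_edit_url(edit_url: str) -> str:
    """https://mycompany.onelogin.com/apps/3512905/edit -> '3512905'."""
    m = re.search(r"/apps/(\d+)(?:/|$)", urlsplit(edit_url).path)
    if not m:
        raise ValueError(f"no numeric app ID in: {edit_url}")
    return m.group(1)


def build_idp_url(sub_domain: str, app_id: str, relay_state: str = QUICKSIGHT_START) -> str:
    """The value for 'IdP URL'. RelayState is percent-encoded exactly once;
    safe='' so ':' and '/' become %3A and %2F, as in the post's example."""
    return (f"https://{sub_domain}.onelogin.com/trust/saml2/http-redirect/sso/"
            f"{app_id}?RelayState={quote(relay_state, safe='')}")


def check_idp_url(url: str) -> list[str]:
    """Findings for a pasted IdP URL; empty means it is shaped as expected and
    its RelayState sends the user back to QuickSight and nowhere else."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme must be https")
    try:
        onelogin_sub_domain(url)
    except ValueError:
        findings.append(f"host is not a OneLogin sub-domain: {parts.hostname}")
    if not SSO_PATH_RE.match(parts.path):
        findings.append(f"path is not the HTTP-Redirect SSO endpoint: {parts.path}")
    relay = parse_qs(parts.query).get("RelayState", [])
    if len(relay) != 1:
        findings.append("exactly one RelayState parameter is required")
    else:
        target = urlsplit(relay[0])
        if target.scheme != "https" or target.hostname != "quicksight.aws.amazon.com":
            findings.append(f"RelayState does not return to QuickSight: {relay[0]}")
    return findings


if __name__ == "__main__":
    sub = onelogin_sub_domain("https://mycompany.onelogin.com/portal")
    app = app_id_from_edit_url("https://mycompany.onelogin.com/apps/3512905/edit")
    url = build_idp_url(sub, app)
    print(url)
    print("findings:", check_idp_url(url))
```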
Access QuickSight using OneLogin SSO
In this section, you access QuickSight using the OneLogin applications and SSO.
- Log in to your organization’s OneLogin page, for example,
https://<sub_domain>.onelogin.com/portal
- There are two options to access QuickSight:
- For the first option, go to the QuickSight sign-in page, https://us-east-1.quicksight.aws.amazon.com/sn/auth/signin?enable-sso=1.
- For the second option, go to your OneLogin application page and choose the QuickSight application created previously.
- Enter the OneLogin user’s email address to access QuickSight.
- Choose Continue.
Alternate solution
This post shows you how to integrate OneLogin as your IdP using IAM roles to enable SSO to QuickSight. This solution creates three OneLogin applications, one for each QuickSight role that you want to assign to users. You then assign users to the corresponding OneLogin application. There’s an alternative solution if you want to create a single OneLogin application. This alternative solution follows the same process with a few changes. To have a single OneLogin application to manage, you need to add the ARN for the desired QuickSight role and the ARN for the SAML provider for each user in OneLogin.
Make the following changes for the alternate solution:
- Create a single OneLogin application instead of three.
- For the OneLogin user profile, create a custom field named Role and, for each user, enter the QuickSight role ARN for that user, then a comma, then the SAML provider ARN. For example: arn:aws:iam::555555555555:role/<role_name>,arn:aws:iam::555555555555:saml-provider/<provider_name>. Both ARNs must be in the same AWS account.
- In the application parameters, add a Role parameter as before, but set its value to the Role custom field so that the role is pulled from the user's profile. Because the role assignment now lives in the user profile, restrict who in OneLogin can edit that field.
Clean up
When done, clean up the resources created to avoid future charges.
- Delete your QuickSight subscription.
- Delete the following IAM policies:
QuickSightOneLoginCreateAdminPolicy
QuickSightOneLoginCreateAuthorPolicy
QuickSightOneLoginCreateReaderPolicy
- Delete the following IAM roles:
QuickSightOneLoginAdminRole
QuickSightOneLoginAuthorRole
QuickSightOneLoginReaderRole
- Remove OneLogin as an IdP in IAM.
- Delete the QuickSight applications in OneLogin.
Conclusion
By integrating QuickSight with OneLogin, organizations can benefit from the following:
- Centralized identity management through OneLogin for applications, including QuickSight
- Improved security posture by inheriting strong authentication policies from OneLogin
- Better user experience with single sign-on instead of separate QuickSight credentials
- Reduced IT operational overhead by eliminating separate QuickSight user provisioning
Federated access to QuickSight with OneLogin as the IdP enables organizations to securely scale their business analytics while streamlining access management and improving the user experience.
If you have questions or feedback, leave a comment. For additional discussion and help getting answers to your questions, visit the QuickSight Community.
About the Authors
Sean Bjurstrom is a Technical Account Manager in ISV accounts at Amazon Web Services, where he specializes in analytics technologies and draws on his background in consulting to support customers on their analytics and cloud journeys. Sean is passionate about helping businesses harness the power of data to drive innovation and growth. Outside of work, he enjoys running and has participated in several marathons.
Seun Akinyosoye is a Sr. Technical Account Manager supporting public sector customers at Amazon Web Services. Seun has a background in analytics and data engineering, which he uses to help customers achieve their outcomes and goals. Outside of work, Seun enjoys spending time with his family, reading, traveling, and supporting his favorite sports teams.
Anupa Bhattacharyya is an Enterprise Support Lead in CIENG at Amazon Web Services, where she guides Enterprise customers through their cloud journey. With over 15 years of experience in data and analytics, she excels in defining strategic initiatives for enterprise customers. Outside of work, she enjoys painting, traveling, family time, and savoring new cuisines.