How do I set up AWS SSO as the identity provider for QuickSight?

Last updated: 2022-07-19

I want to use AWS Single Sign-On (AWS SSO) for both the AWS SSO portal and Amazon QuickSight. How do I add AWS SSO as the identity provider?

Short description

To use AWS SSO as the identity provider for the AWS SSO portal and QuickSight, follow these steps:

  1. Add QuickSight as an application in AWS SSO.
  2. Create a SAML identity provider.
  3. Create an Identity and Access Management (IAM) role for SAML 2.0 federation.
  4. Configure attributes in AWS SSO.
  5. Assign users to AWS SSO.
  6. Configure your QuickSight account.

Resolution

Add QuickSight as an application in AWS SSO

  1. Open the AWS SSO console.
  2. In the left navigation pane, choose Applications, and then choose Add a new application.
  3. In the AWS SSO Application Catalog section, choose Amazon QuickSight.
  4. On the Configure Amazon QuickSight page, under Details, enter a display name for your application. For example, Amazon QuickSight Authors.
  5. In the AWS SSO metadata section, choose Download for AWS SSO SAML metadata file.
  6. Under Application Properties, set https://quicksight.aws.amazon.com as the value for Relay state.
    Note: Make sure that Application start URL is blank.
  7. Choose Save changes.

Note: You can also use another identity provider, such as Okta, Azure Active Directory (Azure AD), Google Workspace, PingFederate, or PingOne.

Create a SAML identity provider

  1. Open the IAM console.
  2. In the left navigation pane, choose Identity providers, and then choose Add provider.
  3. For Provider type, choose SAML.
  4. For Provider name, enter a name for the identity provider.
  5. For Metadata document, choose Choose file, and then choose the SAML metadata document that you downloaded.
  6. Optional: For Add tags, add key-value pairs to help you identify and organize your identity providers.
  7. Note the ARN of the identity provider. You must use it to configure attributes in the AWS SSO application.
  8. Choose Add provider.

Create a SAML 2.0 federation IAM role

  1. Open the IAM console.
  2. In the left navigation pane, choose Roles, and then choose Create role.
  3. For Trusted entity type, select SAML 2.0 federation.
  4. For Choose a SAML 2.0 provider, select the SAML provider that you created, and then choose the Allow programmatic and AWS Management Console access option.
  5. Choose Next.
  6. On the Add Permissions page, attach an inline policy to the role to limit the actions that AWS SSO users can perform in QuickSight.
    Note: QuickSight supports Just In Time (JIT) user provisioning. When a user federates into QuickSight for the first time, QuickSight automatically creates a new user. The user's QuickSight role depends on the permissions that are attached to the IAM role for SAML 2.0 federation. See Configure permissions in AWS for your federated users for more details.
  7. Choose Next.
  8. On the Name, review, and create page, under Role details, enter a name for the role.
  9. Optional: For Add tags, add key-value pairs to help you identify and organize your roles.
  10. Note the ARN of the role. You must use it to configure attributes in your AWS SSO application.
  11. Choose Create role.

Important: You can map only one IAM role per QuickSight account and one IAM role attribute mapping per AWS SSO instance. Therefore, you must create an AWS SSO application for each role.

Configure attributes in AWS SSO

  1. Open the AWS SSO console.
  2. In the left navigation pane, choose Applications, and then choose Amazon QuickSight.
  3. Choose the Attribute mappings tab, and then choose Add a new attribute mapping.
  4. For User attribute in the application, enter https://aws.amazon.com/SAML/Attributes/Role.
  5. For Maps to this string value or user attribute in AWS SSO, enter the ARNs of the identity provider and role in the following format:
    arn:aws:iam::ACCOUNTID:role/ROLENAME,arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME
  6. Choose Save changes.

Assign users to AWS SSO

  1. In the AWS SSO console, choose the Assigned users tab, and then choose Assign users.
  2. Choose the Users tab, and then add your required users.
  3. Choose Assign users.
  4. Choose the Groups tab, and then add your required groups.
  5. Choose Assign users.

Configure your QuickSight account

Set up QuickSight to send authentication requests to AWS SSO

  1. In the left navigation pane of the AWS SSO console, choose Dashboard.
  2. In User portal, sign in with the AWS SSO user name and password.
  3. Choose the Amazon QuickSight icon, and open it in a new browser tab. Then, copy the URL.
  4. In another browser tab, sign in to QuickSight as administrator.
  5. Choose Manage QuickSight.
  6. In the left navigation pane, choose Single sign-on (SSO).
  7. For IdP URL configuration, add the URL from step 3.
  8. For IdP redirect URL parameter, enter RelayState.
  9. Choose Save.
  10. Turn off Service Provider Initiated SSO. Make sure that it remains off.

Configure the email attribute to sync email for federated users

  1. From the AWS SSO console, update the trust relationship for the IAM role with AssumeRoleWithSAML or AssumeRoleWithWebIdentity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::account-id:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::account-id:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/Email": "*"
        }
      }
    }
  ]
}

  2. To configure the email attribute, follow the steps in the preceding Configure attributes in AWS SSO section.
    For User attribute in the application, enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email.
    For Maps to this string value or user attribute in AWS SSO, enter ${user:email}.
  3. Turn on email syncing for federated users in QuickSight:
    Sign in to QuickSight as administrator.
    Choose Manage QuickSight, and then choose Single sign-on (SSO).
    On the Service Provider Initiated SSO page, choose On for Email Syncing for Federated users.

After the setup is complete, you can start signing in to your QuickSight account from the AWS SSO portal.
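Two values in this setup are typed by hand and fail silently when wrong: the Role attribute string (step 5 of Configure attributes in AWS SSO, which must be role ARN first, then SAML provider ARN, both in the same account) and the role trust policy (step 1 of the email section, which must trust the SAML provider with the SAML:aud condition and, for email sync, allow sts:TagSession). The following Python is an added example, not part of the AWS article; the account ID, role name and provider name are constructed placeholders.

```python
import re
# Added example (not from the AWS article): offline checks for the SAML Role
# attribute string and the IAM trust policy. All IDs/names are constructed.
SIGNIN_AUD = "https://signin.aws.amazon.com/saml"
ARN_PAIR_RE = re.compile(
    r"^(arn:aws:iam::(\d{12}):role/[\w+=,.@-]+),"  # role ARN first, as AWS expects
    r"(arn:aws:iam::(\d{12}):saml-provider/[\w._-]+)$"
)
SAMPLE_PROVIDER = "arn:aws:iam::123456789012:saml-provider/AWSSSO"  # constructed
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # article's policy, filled in
    {"Effect": "Allow", "Principal": {"Federated": SAMPLE_PROVIDER}, "Action": "sts:AssumeRoleWithSAML",
     "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUD}}},
    {"Effect": "Allow", "Principal": {"Federated": SAMPLE_PROVIDER}, "Action": "sts:TagSession",
     "Condition": {"StringLike": {"aws:RequestTag/Email": "*"}}}]}

def parse_role_attribute(value):
    # Validate 'role-arn,provider-arn' and return its parts; raise on a bad pair.
    m = ARN_PAIR_RE.match(value.strip())
    if not m:
        raise ValueError("expected 'arn:...:role/NAME,arn:...:saml-provider/NAME'")
    role_arn, role_acct, provider_arn, provider_acct = m.groups()
    if role_acct != provider_acct:
        raise ValueError("role and SAML provider must be in the same account")
    return {"role": role_arn, "provider": provider_arn, "account": role_acct}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def check_trust_policy(policy, provider_arn, require_email_tag=True):
    # Return findings; an empty list means the policy grants exactly what the
    # QuickSight federation (and optional email sync) needs from this provider.
    findings, assume_ok, tag_ok = [], False, False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if _as_list(principal.get("Federated")) != [provider_arn]:
            continue  # trusts something other than our SAML provider
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})
        if "sts:AssumeRoleWithSAML" in actions:
            assume_ok = True
            if cond.get("StringEquals", {}).get("SAML:aud") != SIGNIN_AUD:
                findings.append("AssumeRoleWithSAML not restricted to SAML:aud " + SIGNIN_AUD)
        if "sts:TagSession" in actions:
            tag_ok = True
    if not assume_ok:
        findings.append("no Allow for sts:AssumeRoleWithSAML from " + provider_arn)
    if require_email_tag and not tag_ok:
        findings.append("no sts:TagSession grant; PrincipalTag:Email sync will fail")
    return findings
```

Paste your own attribute string into parse_role_attribute and your role's trust policy (as a dict) into check_trust_policy; a reversed ARN pair, a mismatched account, or a missing audience condition is reported before you test the sign-in.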
