How do I set up IAM Identity Center as the identity provider for QuickSight?

Last updated: 2022-12-19

I want to use AWS IAM Identity Center (successor to AWS Single Sign-On) for both IAM Identity Center and Amazon QuickSight. How do I add IAM Identity Center as the identity provider?

Short description

To use IAM Identity Center as your identity provider, follow these steps:

  1. Add QuickSight as an application in IAM Identity Center.
  2. Create a SAML identity provider.
  3. Create an AWS Identity and Access Management (IAM) role for SAML 2.0 federation.
  4. Configure attributes in IAM Identity Center.
  5. Assign users to IAM Identity Center.
  6. Configure your QuickSight account.

Resolution

Add QuickSight as an application in IAM Identity Center

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Applications, and then choose Add application.
  3. In the Preintegrated applications section, choose Amazon QuickSight. Then, choose Next.
  4. On the Configure application page, enter a Display name for your application. For example, Amazon QuickSight Authors.
  5. In the IAM Identity Center metadata section, under IAM Identity Center SAML metadata file, choose the Download icon.
  6. Under Application properties set https://quicksight.aws.amazon.com as the value for the Relay state.
    Note: Make sure that Application start URL is blank.
  7. Choose Submit.

Note: You can also use another identity provider, such as Okta, Azure Active Directory (Azure AD), Google Workspace, PingFederate, or PingOne.

Create a SAML identity provider

  1. Open the IAM console.
  2. In the left navigation pane, choose Identity providers, and then choose Add provider.
  3. For Provider type, choose SAML.
  4. For Provider name, enter a name for the identity provider.
  5. For Metadata document, choose Choose file, and then choose the SAML metadata document that you downloaded.
  6. Optional: For Add tags, add key-value pairs to help you identify and organize your identity providers.
  7. Choose Add provider.
  8. On the summary page of the identity provider that you created, note its ARN. You must use it to configure attributes in the IAM Identity Center application.

Create a SAML 2.0 federation IAM role

  1. Open the IAM console.
  2. In the left navigation pane, choose Roles, and then choose Create role.
  3. For Trusted entity type, select SAML 2.0 federation.
  4. For SAML 2.0–based provider, select the SAML provider that you created. Then, choose the Allow programmatic and AWS Management Console access option.
  5. Choose Next.
  6. On the Name, review, and create page, under Role details, enter a name for the role.
  7. Optional: For Add tags, add key–value pairs to help you identify and organize your roles.
  8. Choose Create role.
  9. Open the role that you created, and then note its ARN. You must use it to configure attributes in your IAM Identity Center application.
  10. On the role's Permissions tab, choose Add permissions, and then attach an inline policy to the role. The inline policy limits the actions that IAM Identity Center users can perform in QuickSight.
    Note: QuickSight supports Just In Time (JIT) user provisioning. When a user federates in to QuickSight for the first time, QuickSight automatically creates a new user. The user role depends on the permissions that are attached to the IAM role for SAML 2.0 federation. See Configure permissions in AWS for your federated users for more details.

Important: You can map only one IAM role per IAM Identity Center application, because each application supports only one Role attribute mapping. Therefore, you must create a separate IAM Identity Center application for each QuickSight role (for example, one for readers and one for authors).
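The following inline policy is an added example for step 10 of the preceding section; it is not part of the original article. It grants only the action that QuickSight needs to JIT-provision the federating user as an author, which matches the example application name Amazon QuickSight Authors used earlier. The account ID 123456789012 is a placeholder and must be replaced with your own. For a reader-only application, use quicksight:CreateReader instead of quicksight:CreateUser, and for an admin application, use quicksight:CreateAdmin. The ${aws:userid} variable scopes the resource to the federated session's own user identity, so a user cannot be provisioned under someone else's name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QuickSightJitProvisionAuthor",
      "Effect": "Allow",
      "Action": "quicksight:CreateUser",
      "Resource": "arn:aws:quicksight::123456789012:user/${aws:userid}"
    }
  ]
}
```

Keep this policy as narrow as shown. Granting broader quicksight:* actions on the federation role lets every user who can assume it through IAM Identity Center perform those actions, not only the users you intended.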

Configure attributes in IAM Identity Center

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Applications. Then, select the application that you created in the Add QuickSight as an application in IAM Identity Center section of this article.
  3. Choose Actions and then choose Edit attribute mappings from the dropdown.
  4. For User attribute in the application, enter https://aws.amazon.com/SAML/Attributes/Role.
  5. For Maps to this string value or user attribute in IAM Identity Center, enter the ARNs of the identity provider and role in the format:
    arn:aws:iam::ACCOUNTID:role/ROLENAME,arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME
  6. Choose Save changes.

Assign users to IAM Identity Center

  1. In the IAM Identity Center console, open the application that you created, choose the Assigned users tab, and then choose Assign users.
  2. Choose the Users tab, and then add your required users.
  3. Choose Assign users.
  4. Choose the Groups tab, and then add your required groups.
  5. Choose Assign users.

Configure your QuickSight account

Set up QuickSight to send authentication requests to IAM Identity Center

  1. In the left navigation pane of the IAM Identity Center console, choose Dashboard.
  2. In the AWS Access Portal, sign in with the IAM Identity Center user name and password.
  3. Choose the Amazon QuickSight icon, and open it in a new browser tab. Then, copy the URL.
  4. In another browser tab, sign in to QuickSight as administrator.
  5. Choose Manage QuickSight.
  6. In the left navigation pane, choose Single sign-on (SSO).
  7. For IdP URL configuration, add the URL from step 3.
  8. For IdP redirect URL parameter, enter RelayState.
  9. Choose Save.
  10. Turn off Service Provider Initiated SSO. Make sure that it remains off.

Configure the email attribute to sync email for federated users

  1. From the IAM console, update the trust policy of the IAM role for SAML 2.0 federation so that it allows both sts:AssumeRoleWithSAML and sts:TagSession, as in the following example. The sts:TagSession statement is what allows the Email principal tag to be passed in the SAML assertion:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::account-id:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::account-id:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/Email": "*"
        }
      }
    }
  ]
}

  2. To configure the email attribute, follow the steps in the preceding Configure attributes in IAM Identity Center section.
     For User attribute in the application, enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email.
     For Maps to this string value or user attribute in IAM Identity Center, enter ${user:email}.

  3. Turn on email syncing for federated users in QuickSight:
     Sign in to QuickSight as administrator.
     Choose Manage QuickSight, and then choose Single sign-on (SSO).
     On the Service Provider Initiated SSO page, choose On for Email Syncing for Federated users.

After the setup is complete, you can start signing in to your QuickSight account from the IAM Identity Center portal.

