IAM federation with AWS IAM Identity Center (successor to AWS SSO) for Amazon QuickSight
Note
IAM identity federation doesn't support syncing identity provider groups with Amazon QuickSight. We recommend that you use the first-party IAM Identity Center integration with QuickSight instead. For more details, see Configure your Amazon QuickSight account with IAM Identity Center. For step-by-step instructions, see Signing up for an Amazon QuickSight subscription.
Introduction
This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Amazon QuickSight using SAML.
Prerequisites
You'll need the following to set up SSO access to Amazon QuickSight:
- Access to the IAM Identity Center console with permissions to manage applications.
- An Amazon QuickSight account.
- Administrator access to the AWS account that has the QuickSight subscription.
Setup instructions
- On the Configure page, in the Details section, fill in the Display name and, optionally, the Description of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one instance of the same application.
- Download the IAM Identity Center SAML metadata file.
- Under Application properties, enter this value:
Field | Value |
---|---|
Relay State | https://quicksight.aws.amazon.com |
- Under Application metadata, choose If you don't have a metadata file, you can manually type your metadata values to display the application metadata settings.
- Enter these values:
Field | Value |
---|---|
Application ACS URL | https://signin.aws.amazon.com/saml |
Application SAML audience | urn:amazon:webservices |
- Choose Save changes.
- Follow this process to set up the AWS side of the federation for Amazon QuickSight:
a. In the IAM console, create a SAML identity provider and upload the IAM Identity Center SAML metadata file that you downloaded in step 2.
b. Create a SAML 2.0 federation IAM role that establishes a trust relationship between IAM and IAM Identity Center.
c. Embed an inline policy in the IAM role that grants federated users access to Amazon QuickSight.
- Go back to the IAM Identity Center console page where you are configuring the application.
- Choose the Attribute mappings tab, choose Add new attribute mapping, and add the following attributes, including one for the Role.
Field | Value | Format |
---|---|---|
Subject | ${user:email} | emailAddress |
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::ACCOUNTID:role/ROLENAME,arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME | unspecified |
https://aws.amazon.com/SAML/Attributes/RoleSessionName | ${user:email} | unspecified |
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email | ${user:email} | uri |
Limitations
You can only map one IAM role per Amazon QuickSight account and one IAM role attribute mapping per IAM Identity Center application instance.
- Assign a user to the application in IAM Identity Center.
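The three sub-steps above (create the SAML provider, create the federation role, attach the QuickSight policy) and the Role attribute value in the mapping table all derive from the same three names. The script below is an added example, not code from the page or from AWS: it generates the role trust policy, the QuickSight inline policy, the exact Role attribute string for the mapping, and the aws CLI commands that perform steps a to c. The account ID 111122223333, the role name QuickSightFederatedAccess, the provider name IAMIdentityCenter, the file names and the policy name QuickSightAccess are assumed placeholders; the Resource pattern arn:aws:quicksight::ACCOUNT:user/${aws:userid} is the one used in AWS's QuickSight federation policies, so verify it against the current QuickSight documentation before use.

```python
import json
import re

# Assumed placeholder values for the page's ACCOUNTID / ROLENAME / SAMLPROVIDERNAME.
ACCOUNT_ID = "111122223333"
ROLE_NAME = "QuickSightFederatedAccess"
SAML_PROVIDER_NAME = "IAMIdentityCenter"
ACS_URL = "https://signin.aws.amazon.com/saml"

# With JIT provisioning, QuickSight creates the user in the tier that the
# federation role's policy allows it to call.
TIER_ACTION = {
    "reader": "quicksight:CreateReader",
    "author": "quicksight:CreateUser",
    "admin": "quicksight:CreateAdmin",
}
ACCOUNT_RE = re.compile(r"^\d{12}$")


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def saml_provider_arn(account_id, provider_name):
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def trust_policy(account_id, provider_name, session_tags=True):
    """Step b: lets the SAML provider assume the role. SAML:aud pins the
    assertion audience to the AWS sign-in endpoint; sts:TagSession is needed
    because the mapping table sends PrincipalTag:Email as a session tag."""
    actions = ["sts:AssumeRoleWithSAML"] + (["sts:TagSession"] if session_tags else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": actions,
            "Condition": {"StringEquals": {"SAML:aud": ACS_URL}},
        }],
    }


def quicksight_policy(account_id, tier):
    """Step c: inline policy; the single Create* action decides the QuickSight
    tier of users provisioned at first sign-in (Resource pattern assumed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [TIER_ACTION[tier]],
            "Resource": f"arn:aws:quicksight::{account_id}:user/${{aws:userid}}",
        }],
    }


def role_attribute(account_id, role_name, provider_name):
    """Value for the https://aws.amazon.com/SAML/Attributes/Role mapping."""
    return f"{role_arn(account_id, role_name)},{saml_provider_arn(account_id, provider_name)}"


def build(account_id, role_name, provider_name, tier, metadata_file="idc-metadata.xml"):
    """Policy documents, mapping value and the (not executed) CLI commands for steps a-c."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("account ID must be 12 digits")
    if tier not in TIER_ACTION:
        raise ValueError(f"tier must be one of {sorted(TIER_ACTION)}")
    return {
        "trust_policy": trust_policy(account_id, provider_name),
        "permissions_policy": quicksight_policy(account_id, tier),
        "role_attribute": role_attribute(account_id, role_name, provider_name),
        "commands": [
            f"aws iam create-saml-provider --name {provider_name} "
            f"--saml-metadata-document file://{metadata_file}",
            f"aws iam create-role --role-name {role_name} "
            f"--assume-role-policy-document file://trust.json",
            f"aws iam put-role-policy --role-name {role_name} "
            f"--policy-name QuickSightAccess --policy-document file://quicksight.json",
        ],
    }


if __name__ == "__main__":
    out = build(ACCOUNT_ID, ROLE_NAME, SAML_PROVIDER_NAME, "author")
    print("trust.json:\n" + json.dumps(out["trust_policy"], indent=2))
    print("quicksight.json:\n" + json.dumps(out["permissions_policy"], indent=2))
    print("Role attribute value:", out["role_attribute"])
    print("\n".join(out["commands"]))
```

Two points the console flow does not make obvious: the trust policy must allow sts:TagSession as well as sts:AssumeRoleWithSAML, otherwise the PrincipalTag:Email mapping causes AssumeRoleWithSAML to be rejected; and because QuickSight allows only one role per account, pick exactly one Create* action for that role rather than granting several.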
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Note
Amazon QuickSight supports just-in-time (JIT) user provisioning. When a user that does not yet exist in QuickSight signs in through federation, a new QuickSight user is created. The QuickSight role of the created user depends on the permissions attached to the federation role.
Verifying SSO from IAM Identity Center
- Access the AWS access portal using the credentials of a user assigned to the Amazon QuickSight application.
- In the list of applications, choose Amazon QuickSight to initiate a login to Amazon QuickSight.
- If sign-in is successful, you are signed in to the Amazon QuickSight account.
Note
Amazon QuickSight does not support SP-initiated SSO.
Troubleshooting
If sign-in was not successful, see the following troubleshooting steps.
Error | Issue | Solution |
---|---|---|
An error occurred when we tried to process your request. | The Application ACS URL specified in the identity provider is incorrect. | Make sure that the Application ACS URL in the IAM Identity Center application is https://signin.aws.amazon.com/saml. |
Other | When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' field (if present) from the connected directory to populate 'Email' in the SAML assertion. Many service providers expect this attribute to contain the user's email address. By default, your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to hold the user's email address in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings. |
For general troubleshooting, see the Troubleshooting Guide.
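When sign-in fails, the quickest diagnosis is to capture the SAML response (for example with a browser SAML tracer extension) and check that it carries what the AWS sign-in endpoint expects: the audience urn:amazon:webservices, the ACS URL as Destination and Recipient, exactly one well-formed Role value pairing a role and a SAML provider from the same account, and a RoleSessionName that STS will accept. The checker below is an added example, not part of the page or of any AWS tool; the SAML response it parses is constructed inline for offline testing (unsigned, with assumed account ID 111122223333 and assumed role, provider and user names). It checks attribute content only and does not validate the XML signature.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for XML you did not construct yourself

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ACS_URL = "https://signin.aws.amazon.com/saml"
AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# STS accepts a RoleSessionName of 2-64 characters from this set.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")


def make_response(audience=AUDIENCE, recipient=ACS_URL,
                  role_values=("arn:aws:iam::111122223333:role/QuickSightFederatedAccess,"
                               "arn:aws:iam::111122223333:saml-provider/IAMIdentityCenter",),
                  session_name="alice@example.com"):
    """Constructed, unsigned SAML Response for offline testing (not a real capture)."""
    roles = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    session = ("" if session_name is None else
               f'<saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>'
               f"{session_name}</saml:AttributeValue></saml:Attribute>")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{recipient}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">{roles}</saml:Attribute>
      {session}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(assertion, name):
    """All AttributeValue texts of the attribute called `name`."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def check_aws_assertion(response_xml):
    """Return a list of findings; an empty list means the assertion carries what
    AWS sign-in needs for QuickSight. Signature validation is out of scope."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != ACS_URL:
        findings.append(f"Response Destination is {root.get('Destination')!r}, expected {ACS_URL}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include {AUDIENCE}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        findings.append(f"SubjectConfirmationData Recipient is not {ACS_URL}")
    roles = attribute_values(assertion, ROLE_ATTR)
    if len(roles) != 1:  # QuickSight maps exactly one role per account
        findings.append(f"expected exactly one Role value for QuickSight, got {len(roles)}")
    for value in roles:
        parsed = [IAM_ARN_RE.match(p) for p in value.split(",")]
        if len(parsed) != 2 or not all(parsed):
            findings.append(f"Role value is not 'role-arn,provider-arn': {value!r}")
            continue
        kinds = {m.group(2) for m in parsed}
        accounts = {m.group(1) for m in parsed}
        if kinds != {"role", "saml-provider"} or len(accounts) != 1:
            findings.append(f"Role value must pair a role and a saml-provider from one account: {value!r}")
    names = attribute_values(assertion, SESSION_ATTR)
    if len(names) != 1 or not SESSION_NAME_RE.match(names[0]):
        findings.append("RoleSessionName missing or not 2-64 chars of [A-Za-z0-9+=,.@_-]")
    return findings


if __name__ == "__main__":
    for label, xml in [("good", make_response()),
                       ("bad", make_response(audience="urn:amazon:webservice", session_name=None))]:
        print(label, check_aws_assertion(xml) or "OK")
```

Run it against a captured response by reading the decoded XML from a file and calling check_aws_assertion on it; a Destination or Recipient finding corresponds to the first row of the table above, and a Role or RoleSessionName finding points at the attribute mappings rather than at the application metadata.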
User Provisioning Types
There are two user provisioning types that you need to be aware of:
- Preprovisioned users: users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users: just-in-time (JIT) users do not necessarily exist in the downstream SaaS application and are provisioned (created and registered) the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.