Managing user access with SSO - Amazon FinSpace

Important

Amazon FinSpace Dataset Browser will be discontinued on November 29, 2024. Starting November 29, 2023, FinSpace will no longer accept the creation of new Dataset Browser environments. Customers using Amazon FinSpace with Managed Kdb Insights will not be affected. For more information, review the FAQ or contact AWS Support to assist with your transition.

This section describes how you can manage users in an Amazon FinSpace environment created with SAML-based SSO authentication.

Note
  1. To create and manage users, you must be a superuser or a member of a group that has the necessary permission, Manage Users and Permission Groups.

  2. You need administrator privileges in your Identity Provider to assign users to, and remove them from, the FinSpace application configured there.

You can invite users by creating a FinSpace account for them. When SAML-based Single Sign-On is the authentication method for your FinSpace environment, adding a user takes two steps.

  1. Assign the user to your FinSpace application in your Identity Provider (IdP) using their email.

  2. Create the user in the FinSpace environment. The email of the user created in the FinSpace environment must match the email in their identity record at the IdP.

If both steps are not completed, the user will not be able to authenticate to FinSpace.

Creating the first superuser

The first superuser must be created after a new FinSpace environment is created, and must be assigned to the FinSpace application created in your IdP. See the details in this section. Once the first superuser is created, they can sign in to the FinSpace web application and set up other superusers and application users. Subsequent superusers can be created by the first superuser in the FinSpace web application.

Inviting users to access FinSpace

In FinSpace, you can invite users by creating a FinSpace account for them. For more information about signing in for the first time, see Signing in to the Amazon FinSpace web application.

To create FinSpace accounts and invite users
  1. Assign the new user to the application created for FinSpace in your IdP.

  2. Sign in to the FinSpace web application. For more information, see Signing in to the Amazon FinSpace web application.

  3. On the left navigation bar of the home page, choose Users and Groups.

  4. On the Users and Permission Groups page, choose Add User.

  5. On the Create User page, specify the User Details. The email that you enter must match the email of the user record in your IdP.

  6. For Superuser, choose Yes to designate the user as a superuser or No to designate this user as an application user.

  7. For Programmatic Access, choose Yes to provide access to use FinSpace APIs and SDK or choose No to deny programmatic access.

    When you choose Yes, you are required to specify the IAM Principal ARN for this user in the format arn:partition:service:region:account:resource.

  8. Choose Create User.

  9. After the account is created, copy the credentials to the clipboard and share them with the new user. The user can sign in to FinSpace with their SSO credentials.

Viewing user details

To view details of a user
  1. Sign in to the FinSpace web application. For more information, see Signing in to the Amazon FinSpace web application.

  2. On the left navigation bar of the home page, choose Users and Groups. The Users and Permission Groups page displays the list of users under the FinSpace Users tab.

  3. Select a user to view their details.

Deactivating a user

To deactivate a user
  1. Remove the user from the list of users assigned to the FinSpace application in your Identity Provider (IdP).

  2. Sign in to the FinSpace web application. For more information, see Signing in to the Amazon FinSpace web application.

  3. On the left navigation bar of the home page, choose Users and Groups.

  4. Choose the FinSpace Users tab.

  5. Select a user to view their details.

  6. In the top right corner, choose the More menu.

  7. Choose Deactivate User. This button is visible only to superusers and to users with the necessary permission, Manage Users and Permission Groups.

  8. In the confirmation dialog box, choose Deactivate. You can reactivate the user later if necessary.
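Because both the invitation procedure (assign in the IdP, then create in FinSpace with a matching email) and the deactivation procedure (remove from the IdP, then deactivate in FinSpace) span two systems, a periodic reconciliation catches the cases where one half was skipped. The following is an added example, not code from the FinSpace documentation or service: it compares a list of IdP application assignments with a list of FinSpace user records and reports users who cannot sign in, users who were never created, and programmatic-access users whose principal ARN does not have the required layout. The record field names (emailAddress, status, apiAccess, apiAccessPrincipalArn) and the sample data are assumptions constructed for the example; in practice you would feed it the user list exported from FinSpace and from your IdP.

```python
import re
from typing import Dict, List

# IAM principal ARN layout: arn:partition:service:region:account:resource.
# For IAM principals the region field is empty and the account is 12 digits.
ARN_RE = re.compile(r"^arn:[a-z\-]+:[a-z0-9\-]+:[a-z0-9\-]*:\d{0,12}:.+$")


def valid_principal_arn(arn: str) -> bool:
    """True if the value has the five-colon layout Programmatic Access requires."""
    return bool(ARN_RE.match(arn or ""))


def norm(email: str) -> str:
    """Normalise an email so case or whitespace differences do not hide a match."""
    return email.strip().lower()


def reconcile(idp_assigned: List[str], finspace_users: List[Dict]) -> Dict[str, List[str]]:
    """Compare IdP assignments with FinSpace accounts (field names are assumed)."""
    idp = {norm(e) for e in idp_assigned}
    findings = {
        "enabled_without_idp": [],       # active in FinSpace but not assigned in the IdP:
                                         # SSO fails, or IdP removal was not followed by Deactivate User
        "assigned_without_account": [],  # assigned in the IdP but never created in FinSpace
        "bad_principal_arn": [],         # programmatic access enabled with a malformed ARN
    }
    seen = set()
    for user in finspace_users:
        email = norm(user["emailAddress"])
        seen.add(email)
        if user.get("status") == "ENABLED" and email not in idp:
            findings["enabled_without_idp"].append(email)
        if user.get("apiAccess") == "ENABLED" and not valid_principal_arn(user.get("apiAccessPrincipalArn")):
            findings["bad_principal_arn"].append(email)
    findings["assigned_without_account"] = list(idp - seen)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data standing in for the IdP assignment list and FinSpace user list.
SAMPLE_IDP = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
SAMPLE_FINSPACE = [
    {"emailAddress": "alice@example.com", "status": "ENABLED", "apiAccess": "ENABLED",
     "apiAccessPrincipalArn": "arn:aws:iam::123456789012:role/FinSpaceAnalyst"},
    {"emailAddress": "bob@example.com", "status": "ENABLED", "apiAccess": "DISABLED"},
    {"emailAddress": "dave@example.com", "status": "ENABLED", "apiAccess": "ENABLED",
     "apiAccessPrincipalArn": "arn:aws:iam:123456789012:user/dave"},  # one colon short
    {"emailAddress": "erin@example.com", "status": "DISABLED", "apiAccess": "DISABLED"},
]

if __name__ == "__main__":
    for kind, emails in reconcile(SAMPLE_IDP, SAMPLE_FINSPACE).items():
        print(f"{kind}: {emails}")
```

Emails that differ only in case (Bob@Example.com) are treated as matching, which mirrors a common IdP behaviour; tighten `norm` if your IdP compares emails case-sensitively.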