Configuring federated user access to QuickSight through IAM and an external IdP - AWS Prescriptive Guidance


Architecture diagram of a federated user from an external IdP accessing QuickSight through an IAM role

The following are the characteristics of this architecture:

  • The Amazon QuickSight user record is linked to an AWS Identity and Access Management (IAM) role and the username in the IdP, such as QuickSightReader/DiegoRamirez@example.com.

  • Users can self-provision access.

  • Users log in to their external identity provider.

  • If email synchronization is disabled, users can provide their preferred email address when they sign in to QuickSight. If email synchronization is enabled, QuickSight uses the email address defined in the enterprise IdP. For more information, see QuickSight email synchronization for federated users in this guide.

  • The IAM role contains a trust policy that allows only federated users from your external IdP to assume the role.
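The following is an added example, not code from the AWS guidance or the QuickSight documentation. It builds the trust policy shape that IAM uses for SAML federation (a Federated principal pointing at a SAML provider, the sts:AssumeRoleWithSAML action, and a SAML:aud condition), audits an arbitrary trust policy for the ways such a policy is commonly loosened (wildcard or AWS-account principals, sts:* or sts:AssumeRole actions, a missing audience condition), and derives the QuickSight user record name in the RoleName/RoleSessionName form shown above. The account ID 111122223333 and the provider name ExampleIdP are constructed placeholders; the audit assumes a SAML provider, so a role trusted to an OIDC provider would need an extra branch.

```python
import json
from typing import Any, Dict, List

# Constructed placeholders (not values from the page): the account ID and the
# name of the SAML provider registered in IAM for the external IdP.
ACCOUNT_ID = "111122223333"
SAML_PROVIDER_NAME = "ExampleIdP"
# Audience that AWS expects in SAML assertions used for role federation.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_saml_trust_policy(account_id: str, provider_name: str) -> Dict[str, Any]:
    """Trust policy that lets only SAML-federated users of one IdP assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: Dict[str, Any], expected_account: str) -> List[str]:
    """Return findings for Allow statements that would let anyone other than
    SAML-federated users of a provider in expected_account assume the role.
    An empty list means the policy matches the restricted shape."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        tag = f"statement {idx}"
        principal = stmt.get("Principal")

        # 1. Only a Federated principal is acceptable; "*" or AWS/Service
        #    principals would let callers that never passed the IdP assume the role.
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"{tag}: principal is not limited to a Federated IdP")
        else:
            prefix = f"arn:aws:iam::{expected_account}:saml-provider/"
            for arn in _as_list(principal["Federated"]):
                if not (isinstance(arn, str) and arn.startswith(prefix)):
                    findings.append(
                        f"{tag}: federated principal {arn!r} is not a SAML provider "
                        f"in account {expected_account}"
                    )

        # 2. The only action should be AssumeRoleWithSAML; sts:* or sts:AssumeRole
        #    widen the set of ways the role can be obtained.
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRoleWithSAML":
                findings.append(f"{tag}: unexpected action {action!r}")

        # 3. SAML:aud must be pinned so assertions issued for another audience
        #    are rejected by STS.
        aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if aud != [SAML_AUDIENCE]:
            findings.append(f"{tag}: SAML:aud condition missing or not {SAML_AUDIENCE}")
    return findings


def quicksight_username(role_name: str, session_name: str) -> str:
    """QuickSight records a federated user as RoleName/RoleSessionName, for
    example QuickSightReader/DiegoRamirez@example.com."""
    return f"{role_name}/{session_name}"


if __name__ == "__main__":
    policy = build_saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER_NAME)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, ACCOUNT_ID))
    print("QuickSight user:", quicksight_username("QuickSightReader", "DiegoRamirez@example.com"))
```

Running the audit against the policy the script builds returns no findings; running it against a policy whose principal is `{"AWS": "*"}` with `sts:AssumeRole` and no condition returns one finding per check, which is the kind of drift an access review of federated QuickSight roles should catch.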

Considerations and use cases

If you already use identity federation to access your AWS accounts, you can use this existing configuration to also extend access to QuickSight. For QuickSight access, you can reuse the same processes that you have in place for provisioning and reviewing access to AWS accounts.

Prerequisites

  • Administrative permissions in QuickSight.

  • Your organization is already using an external identity provider, such as Okta or Ping.

Configuring access

For instructions, see Setting up IdP federation using IAM and QuickSight in the QuickSight documentation. For more information about configuring the permissions policy for QuickSight, see Configuring IAM policies in this guide.