Initiating sign-on from the identity provider (IdP) - Amazon QuickSight


Initiating sign-on from the identity provider (IdP)

   Applies to: Enterprise Edition and Standard Edition 
   Intended audience: System administrators 
Note

IAM identity federation doesn't support syncing identity provider groups with Amazon QuickSight.

In this scenario, your users start the sign-on process at the identity provider's portal. After the IdP authenticates them, their browser carries a SAML assertion to AWS, which signs them in; QuickSight then checks that the federated identity is authorized before granting access.

Beginning with a user signing into the IdP, authentication flows through these steps:

  1. The user browses to https://applications.example.com and signs on to the IdP. At this point, the user isn't signed in to the service provider.

  2. The federation service and the IdP authenticate the user:

    1. The federation service requests authentication from the organization's identity store.

    2. The identity store authenticates the user and returns the authentication response to the federation service.

    3. When authentication succeeds, the federation service returns a signed SAML assertion to the user's browser.

  3. The user opens QuickSight:

    1. The user's browser posts the SAML assertion to the AWS Sign-In SAML endpoint (https://signin.aws.amazon.com/saml).

    2. AWS Sign-In receives the SAML response, validates the assertion (its signature, issuer, audience and validity window), signs the user in as the IAM role named in the assertion, and forwards the resulting authentication token to the Amazon QuickSight service.

  4. Amazon QuickSight accepts the authentication token from AWS and presents QuickSight to the user.

From the user's perspective, the process happens transparently. The user starts at your organization's internal portal and lands at an Amazon QuickSight application portal, without ever having to supply any AWS credentials.
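The exchange in steps 2c through 3b, as an added example that is not AWS code: the script below constructs the kind of SAML response the federation service returns, base64-encodes it the way the browser posts it to https://signin.aws.amazon.com/saml, and then applies the relying-party checks (trusted issuer, validity window, audience urn:amazon:webservices, and the Role and RoleSessionName attributes) that the endpoint must pass before anything is issued to QuickSight. The IdP entity ID, AWS account ID, role and SAML-provider ARNs and the user name are placeholders, and the sample response is constructed for this example. XML-Signature verification is deliberately left out here; a real relying party must verify the signature against the IdP's metadata before trusting any of the fields checked below.

```python
"""Decode and validate a SAML 2.0 Response shaped the way AWS Sign-In expects.

Added example, not AWS code. It mirrors the relying-party checks made in an
IdP-initiated flow: trusted issuer, validity window, audience, Role and
RoleSessionName. Signature verification is out of scope and assumed done.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole-second UTC timestamps only


def build_sample_response(issuer, role_arn, provider_arn, session_name,
                          not_before, not_on_or_after, audience=AWS_AUDIENCE):
    """Constructed, unsigned Response, base64-encoded as the IdP places it in
    the SAMLResponse form field that the browser posts to AWS Sign-In."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Version="2.0" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
                     NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>{role_arn},{provider_arn}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>{session_name}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_saml_response(saml_response_b64, trusted_issuer, now):
    """Return (role_arn, provider_arn, session_name) or raise ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    # IdP-initiated: there is no AuthnRequest, so no InResponseTo to match;
    # the validity window is the main bound on replay of a captured assertion.
    if not nb <= now < noa:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} is not {AWS_AUDIENCE}")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1 or "," not in roles[0]:
        raise ValueError("expected one 'role-arn,provider-arn' Role value")
    role_arn, provider_arn = (s.strip() for s in roles[0].split(",", 1))
    session_name = attrs.get(SESSION_ATTR, [""])[0]
    if not session_name:
        raise ValueError("RoleSessionName attribute missing")
    return role_arn, provider_arn, session_name


def demo():
    """Good assertion accepted; expired, wrong-issuer and wrong-audience rejected."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    issuer = "https://idp.example.com"                               # hypothetical IdP
    role = "arn:aws:iam::123456789012:role/QuickSightFederatedUser"  # placeholder
    provider = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"  # placeholder
    good = build_sample_response(issuer, role, provider, "alice@example.com",
                                 now - timedelta(minutes=1), now + timedelta(minutes=5))
    cases = {
        "expired": (build_sample_response(issuer, role, provider, "alice@example.com",
                                          now - timedelta(hours=2), now - timedelta(hours=1)), issuer),
        "wrong_issuer": (good, "https://attacker.example.net"),
        "wrong_audience": (build_sample_response(issuer, role, provider, "alice@example.com",
                                                 now - timedelta(minutes=1), now + timedelta(minutes=5),
                                                 audience="urn:example:other-sp"), issuer),
    }
    results = {"good": validate_saml_response(good, issuer, now)}
    for name, (resp, trusted) in cases.items():
        try:
            validate_saml_response(resp, trusted, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The validator accepts a single Role value for simplicity; AWS allows the assertion to carry several role/provider pairs and prompts the user to pick one. The rejected cases are the ones an attacker who captures an assertion would try to reuse: one past its window, one minted by a different issuer, and one issued for another service provider.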

The following diagram shows the authentication flow between Amazon QuickSight and a third-party identity provider (IdP). In this example, the administrator has set up a sign-in page for Amazon QuickSight at applications.example.com. When a user signs in there, the page posts a request to a federation service that complies with SAML 2.0, so the user initiates authentication from the IdP's sign-on page rather than from AWS.


[Diagram: Amazon QuickSight SAML authentication flow. The left box shows authentication inside the enterprise; the right box shows authentication inside AWS. The steps are described in the text above.]