Initiating sign-on from Amazon QuickSight - Amazon QuickSight


Applies to: Enterprise Edition

Intended audience: System administrators

Note

IAM identity federation doesn't support syncing identity provider groups with Amazon QuickSight.

In this scenario, your user initiates the sign-on process from an Amazon QuickSight application portal without being signed on to the identity provider. In this case, the user has a federated account managed by a third-party IdP. The user might have a user account on QuickSight. QuickSight sends an authentication request to the IdP. After the user is authenticated, QuickSight opens.

Beginning with the user signing into QuickSight, authentication flows through these steps:

  1. The user opens QuickSight. At this point, the user isn't signed in to the IdP.

  2. The user attempts to sign in to QuickSight.

  3. QuickSight redirects the user's input to the federation service and requests authentication.

  4. The federation service and the IdP authenticate the user:

    1. The federation service requests authentication from the organization's identity store.

    2. The identity store authenticates the user and returns the authentication response to the federation service.

    3. When authentication is successful, the federation service posts the SAML assertion to the user's browser.

    4. The user's browser posts the SAML assertion to the AWS Sign-In SAML endpoint (https://signin.aws.amazon.com/saml).

    5. AWS Sign-In receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to the Amazon QuickSight service.

  5. Amazon QuickSight accepts the authentication token from AWS and presents QuickSight to the user.

From the user's perspective, the process happens transparently. The user starts at an Amazon QuickSight application portal. Amazon QuickSight negotiates authentication with your organization's federation service and AWS. QuickSight opens, without the user needing to supply any additional credentials.
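An added example, not part of the AWS documentation: a Python diagnostic an administrator can run on the base64 `SAMLResponse` form value their own browser posts in step 4.4, to confirm that the IdP addresses it to the AWS Sign-In SAML endpoint, that it has not expired, and that it carries a role mapping. The `Role` attribute name and its ARN-pair format are AWS SAML conventions not stated on this page; the sample response, account ID, and role and provider names are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"  # endpoint named in step 4.4
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS convention (assumption, not on page)
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_value, now=None):
    """List problems in a base64 SAMLResponse value captured from your own sign-in.
    Diagnostic only: the XML signature is NOT verified here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_value))
    problems = []
    if root.get("Destination") != AWS_SAML_ENDPOINT:
        problems.append("Destination is not the AWS Sign-In SAML endpoint")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_SAML_ENDPOINT:
        problems.append("Recipient is not the AWS Sign-In SAML endpoint")
    expiry = scd.get("NotOnOrAfter") if scd is not None else None
    if expiry is None:
        problems.append("NotOnOrAfter is missing")
    elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append("assertion has expired")
    # Each Role value must pair a role ARN with a SAML provider ARN, comma-separated.
    roles = [v.text or "" for attr in root.iterfind(".//a:Attribute", NS)
             if attr.get("Name") == ROLE_ATTR
             for v in attr.iterfind("a:AttributeValue", NS)]
    if not any(":role/" in r and ":saml-provider/" in r and "," in r for r in roles):
        problems.append("no Role value pairing a role ARN with a saml-provider ARN")
    return problems

def build_sample(destination, not_on_or_after):
    """Constructed, unsigned sample response (account ID and names are placeholders)."""
    xml = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{destination}">
      <a:Assertion><a:Subject><a:SubjectConfirmation>
        <a:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/>
      </a:SubjectConfirmation></a:Subject>
      <a:AttributeStatement><a:Attribute Name="{ROLE_ATTR}"><a:AttributeValue>arn:aws:iam::111122223333:role/ExampleQuickSightRole,arn:aws:iam::111122223333:saml-provider/ExampleIdP</a:AttributeValue></a:Attribute></a:AttributeStatement>
      </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(check_saml_response(build_sample(AWS_SAML_ENDPOINT, "2024-01-01T12:05:00Z"), at))
    print(check_saml_response(build_sample("https://idp.example.com/acs", "2024-01-01T11:00:00Z"), at))
```

An empty list means the response is addressed correctly and still valid; it says nothing about whether the signature is trustworthy, which AWS Sign-In checks itself.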