Setting Up Service Provider–Initiated Federation with Amazon QuickSight Enterprise Edition - Amazon QuickSight

Setting Up Service Provider–Initiated Federation with Amazon QuickSight Enterprise Edition

    Applies to: Enterprise Edition 

    Intended audience: System administrators 

After you have finished configuring your identity provider with AWS Identity and Access Management (IAM), you can set up service provider–initiated sign in through Amazon QuickSight Enterprise Edition. For QuickSight-initiated SSO to work, you need to authorize QuickSight to send the authentication request to your IdP. A QuickSight administrator can configure this by adding the following information provided by the IdP:

  • The IdP URL – QuickSight redirects users to this URL for authentication.

  • The relay state parameter – The name of the query parameter that carries the state the browser session was in when it was redirected for authentication. After authenticating the user, the IdP redirects the browser back to that state. The state is provided in the form of a URL (the QuickSight page the user was trying to reach), so the IdP should only honor relay state values that point at QuickSight.

The following table lists, for common identity providers, the name of the relay state parameter and the form of the authentication URL that QuickSight redirects the user to. Replace the values in angle brackets with the identifiers your IdP assigns to your tenant and application.

Identity provider   Relay state parameter   Authentication URL
Auth0               RelayState              https://<sub_domain>.auth0.com/samlp/<app_id>
Google accounts     RelayState              https://accounts.google.com/o/saml2/initsso?idpid=<idp_id>&spid=<sp_id>&forceauthn=false
Microsoft Azure     RelayState              https://myapps.microsoft.com/signin/<app_name>/<app_id>?tenantId=<tenant_id>
Okta                RelayState              https://<sub_domain>.okta.com/app/<app_name>/<app_id>/sso/saml
PingFederate        TargetResource          https://<host>/idp/<idp_id>/startSSO.ping?PartnerSpId=<sp_id>
PingOne             TargetResource          https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<app_id>&idpid=<idp_id>

QuickSight supports connecting to one IdP per AWS account. The configuration page in QuickSight provides test URLs based on your entries, so you can verify the settings before you turn the feature on. QuickSight also recognizes a URL parameter, enable-sso=0, that temporarily turns off QuickSight-initiated SSO for that request, so you can still reach QuickSight directly if the IdP redirect is misconfigured.

To set up QuickSight as a service provider that can initiate SSO for an existing IdP

  1. Make sure that you already have SSO set up in your IdP, in IAM, and QuickSight. To test this setup, check if you can share a dashboard with another person in your company's domain.

  2. Open QuickSight, and choose Manage QuickSight from your profile menu at upper right.

    To perform this procedure, you need to be a QuickSight administrator. If you aren't, you can't see Manage QuickSight under your profile menu.

  3. Choose Single sign-on (SSO) from the navigation pane.

  4. For Configuration, IdP URL, enter the URL that your IdP provides to authenticate users.

  5. For Relay state parameter, enter the name of the parameter that your IdP uses to carry the relay state, for example RelayState. The actual name of the parameter is defined by your IdP (see the table above).

  6. Test signing in:

    • To test signing in with your identity provider, use the custom URL provided in Test starting with your IdP. You should arrive at the start page for QuickSight, for example https://quicksight.aws.amazon.com/sn/start.

    • To test signing in with QuickSight first, use the custom URL provided in Test the end-to-end experience. The enable-sso parameter is appended to the URL. If enable-sso=1, QuickSight redirects you to your IdP to authenticate; if enable-sso=0, QuickSight skips the redirect and you sign in directly.

  7. Choose Save to keep your settings.
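The table of IdP URLs and relay state parameters, and the enable-sso test parameter described in the procedure above, can be modelled to check a configuration offline. The following is an added example and is not code from the QuickSight documentation or from AWS; the page does not describe how QuickSight assembles the redirect internally, so the construction here (append the relay state under the IdP's parameter name, keeping any query string the IdP URL already has) is an assumption, and the tenant, application and host values in the sample configurations are constructed placeholders.

```python
"""Added example (not AWS or QuickSight code): build the service provider-initiated
redirect from an IdP URL and a relay state parameter name, validate the relay state,
and apply the enable-sso on/off switch. How QuickSight builds this URL internally is
not documented on the page; this construction is an assumption."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample entries following the page's table. The <placeholders> are
# filled with made-up values; they are not real tenants, hosts or applications.
IDP_CONFIGS = {
    "okta": (
        "https://example.okta.com/app/quicksight/exk1234abcd/sso/saml",
        "RelayState",
    ),
    "google": (
        "https://accounts.google.com/o/saml2/initsso?idpid=C01abcd&spid=1234567890&forceauthn=false",
        "RelayState",
    ),
    "pingfederate": (
        "https://sso.example.com/idp/idp01/startSSO.ping?PartnerSpId=quicksight",
        "TargetResource",
    ),
}

# Hosts a relay state is allowed to point at (assumed allow list for the example).
QUICKSIGHT_HOSTS = {"quicksight.aws.amazon.com"}


def build_sp_initiated_redirect(idp_url: str, relay_param: str, target_url: str) -> str:
    """Return the URL the browser is sent to when QuickSight starts the sign-in.

    Query parameters already present in the IdP URL (Google, Azure, Ping) are kept
    and the relay state is appended under the IdP's own parameter name, URL-encoded.
    """
    parts = urlsplit(idp_url)
    if parts.scheme != "https":
        raise ValueError("IdP URL must use https")
    if not relay_param:
        raise ValueError("relay state parameter name is required")
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(name == relay_param for name, _ in query):
        raise ValueError(f"IdP URL already carries {relay_param}")
    query.append((relay_param, target_url))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def extract_relay_state(redirect_url: str, relay_param: str) -> str:
    """Recover the relay state the IdP will receive, as the IdP would see it."""
    query = dict(parse_qsl(urlsplit(redirect_url).query))
    return query.get(relay_param, "")


def relay_state_is_safe(relay_state: str) -> bool:
    """Accept only https URLs on a QuickSight host.

    The relay state is a URL the IdP redirects to after authentication, so a forged
    value would send an authenticated user to an arbitrary site. Scheme and host are
    both checked; scheme alone would let 'https://attacker.example' through.
    """
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.netloc.lower() in QUICKSIGHT_HOSTS


def sso_enabled_for_request(request_url: str, sso_status_on: bool) -> bool:
    """Decide whether a request to QuickSight is redirected to the IdP.

    enable-sso=0 suppresses the redirect (the page's temporary off switch);
    enable-sso=1 on a test URL attempts SSO even before Status is set to ON;
    with no parameter, the saved Status decides.
    """
    flag = dict(parse_qsl(urlsplit(request_url).query)).get("enable-sso")
    if flag == "0":
        return False
    if flag == "1":
        return True
    return sso_status_on


def check_config(name: str, target_url: str = "https://quicksight.aws.amazon.com/sn/start") -> dict:
    """Dry-run one table entry: build the redirect and verify the relay state round-trips."""
    idp_url, relay_param = IDP_CONFIGS[name]
    redirect = build_sp_initiated_redirect(idp_url, relay_param, target_url)
    relay = extract_relay_state(redirect, relay_param)
    return {"redirect": redirect, "relay_round_trips": relay == target_url,
            "relay_safe": relay_state_is_safe(relay)}


if __name__ == "__main__":
    for idp in IDP_CONFIGS:
        print(idp, check_config(idp))
```

Running the module prints the redirect built for each sample entry; check_config is the piece to run against your own entries before you set Status to ON, and relay_state_is_safe is the check the IdP side should be enforcing on whatever it receives in RelayState or TargetResource.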

To enable service provider–initiated SSO

  1. Make sure your SSO settings are configured and tested. If you're not sure about the configuration, test the connection by using the URLs from the previous procedure.

  2. Open QuickSight, and choose Manage QuickSight from your profile menu.

  3. Choose Single sign-on (SSO) from the navigation pane.

  4. For Status, choose ON.

  5. Verify that it's working by signing out of your IdP and then opening QuickSight. QuickSight should redirect you to your IdP to authenticate and then return you to QuickSight.

To disable service provider–initiated SSO

  1. Open QuickSight, and choose Manage QuickSight from your profile menu.

  2. Choose Single sign-on (SSO) from the navigation pane.

  3. For Status, choose OFF.