
Setting up service provider–initiated federation with Amazon QuickSight Enterprise edition

Applies to: Enterprise Edition
Intended audience: System administrators

Note: IAM identity federation doesn't support syncing identity provider groups with Amazon QuickSight.

After you have finished configuring your identity provider with AWS Identity and Access Management (IAM), you can set up service provider–initiated sign-in through Amazon QuickSight Enterprise Edition. For QuickSight-initiated IAM federation to work, you need to authorize QuickSight to send the authentication request to your IdP. A QuickSight administrator configures this by entering the following information, which the IdP provides:

  • The IdP URL – QuickSight redirects users to this URL for authentication.

  • The relay state parameter – This parameter relays the state that the browser session was in when it was redirected for authentication. The IdP redirects the user back to the original state after authentication. The state is provided as a URL.

The following table shows the standard authentication URL and relay state parameter for redirecting the user to the Amazon QuickSight URL that you provide.

| Identity provider | Parameter      | Authentication URL                                                                              |
|-------------------|----------------|-------------------------------------------------------------------------------------------------|
| Auth0             | RelayState     | https://<sub_domain>.auth0.com/samlp/<app_id>                                                   |
| Google accounts   | RelayState     | https://accounts.google.com/o/saml2/initsso?idpid=<idp_id>&spid=<sp_id>&forceauthn=false        |
| Microsoft Azure   | RelayState     | https://myapps.microsoft.com/signin/<app_name>/<app_id>?tenantId=<tenant_id>                    |
| Okta              | RelayState     | https://<sub_domain>.okta.com/app/<app_name>/<app_id>/sso/saml                                  |
| PingFederate      | TargetResource | https://<host>/idp/<idp_id>/startSSO.ping?PartnerSpId=<sp_id>                                   |
| PingOne           | TargetResource | https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<app_id>&idpid=<idp_id>              |

QuickSight supports connecting to one IdP per AWS account. The configuration page in QuickSight provides test URLs based on your entries, so you can verify the settings before you turn on the feature. QuickSight also provides a URL parameter (enable-sso=0) that temporarily turns off QuickSight-initiated IAM federation, in case you need to disable it while troubleshooting.
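The following added example (not AWS code, and not taken from the QuickSight console) shows how the two pieces above fit together: the authentication URL from the table, with its relay state parameter attached, produces the "start with your IdP" test URL, and the QuickSight start URL with enable-sso appended produces the "end-to-end" test URL. It assumes that each IdP accepts the relay state as a query parameter under the name given in the table; the sample tenant values and the allow list of relay state hosts are constructed for illustration. Because the IdP redirects the browser to whatever the relay state says after authentication, the helper refuses any relay state that is not an https URL on an allow-listed QuickSight host.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Relay state parameter name and authentication URL for each IdP, taken from the
# table on this page. Angle-bracket fields are filled in from your own IdP values.
IDP_SETTINGS = {
    "Auth0": ("RelayState", "https://<sub_domain>.auth0.com/samlp/<app_id>"),
    "Google accounts": ("RelayState",
        "https://accounts.google.com/o/saml2/initsso?idpid=<idp_id>&spid=<sp_id>&forceauthn=false"),
    "Microsoft Azure": ("RelayState",
        "https://myapps.microsoft.com/signin/<app_name>/<app_id>?tenantId=<tenant_id>"),
    "Okta": ("RelayState", "https://<sub_domain>.okta.com/app/<app_name>/<app_id>/sso/saml"),
    "PingFederate": ("TargetResource", "https://<host>/idp/<idp_id>/startSSO.ping?PartnerSpId=<sp_id>"),
    "PingOne": ("TargetResource",
        "https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<app_id>&idpid=<idp_id>"),
}

# Constructed allow list: the only hosts a relay state may point at. The page names
# quicksight.aws.amazon.com as the start page; add the regional host you actually use.
ALLOWED_RELAY_HOSTS = {"quicksight.aws.amazon.com"}


def fill_template(template: str, values: dict) -> str:
    """Replace every <field> placeholder; a missing field raises KeyError rather than
    leaving a literal '<app_id>' in a URL that would be pasted into the console."""
    return re.sub(r"<(\w+)>", lambda m: values[m.group(1)], template)


def add_query(url: str, extra: dict) -> str:
    """Merge extra parameters into the URL's query string, percent-encoding the values."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def validate_relay_state(relay_state: str) -> str:
    """Accept only an https URL on an allow-listed QuickSight host. The IdP sends the
    browser wherever this value says after authentication, so it must come from
    configuration, never from unchecked input."""
    parts = urlsplit(relay_state)
    if parts.scheme != "https":
        raise ValueError(f"relay state must be https: {relay_state}")
    if parts.hostname not in ALLOWED_RELAY_HOSTS:
        raise ValueError(f"relay state host not allowed: {parts.hostname}")
    return relay_state


def build_idp_start_url(idp: str, values: dict, relay_state: str) -> str:
    """'Test starting with your IdP': the authentication URL with the relay state
    parameter attached (assumption: the IdP reads it as a query parameter)."""
    param_name, template = IDP_SETTINGS[idp]
    auth_url = fill_template(template, values)
    return add_query(auth_url, {param_name: validate_relay_state(relay_state)})


def quicksight_test_url(start_url: str, enable_sso: int) -> str:
    """'Test the end-to-end experience': the QuickSight URL with enable-sso appended.
    enable-sso=1 makes QuickSight attempt IAM federation; enable-sso=0 turns it off
    temporarily, which is the escape hatch if the IdP configuration is wrong."""
    if enable_sso not in (0, 1):
        raise ValueError("enable-sso must be 0 or 1")
    return add_query(validate_relay_state(start_url), {"enable-sso": str(enable_sso)})


if __name__ == "__main__":
    # Constructed sample values, not a real tenant.
    okta = {"sub_domain": "example", "app_name": "quicksight", "app_id": "abc123"}
    print(build_idp_start_url("Okta", okta, "https://quicksight.aws.amazon.com/sn/start"))
    print(quicksight_test_url("https://quicksight.aws.amazon.com/sn/start", 0))
```

The URL the console shows for your tenant is authoritative; use this only to check that the relay state you entered is correctly encoded and points at a QuickSight host, and to produce an enable-sso=0 URL to keep at hand before switching Status to ON.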

To set up QuickSight as a service provider that can initiate IAM federation for an existing IdP
  1. Make sure that you already have IAM federation set up in your IdP, in IAM, and in QuickSight. To test this setup, check whether you can share a dashboard with another person in your company's domain.

  2. Open QuickSight, and choose Manage QuickSight from your profile menu at upper right.

    To perform this procedure, you need to be a QuickSight administrator. If you aren't, you can't see Manage QuickSight under your profile menu.

  3. Choose Single sign-on (IAM federation) from the navigation pane.

  4. For Configuration, IdP URL, enter the URL that your IdP provides to authenticate users.

  5. For IdP URL, enter the parameter name that your IdP uses for relay state, for example RelayState. The actual name of the parameter is provided by your IdP.

  6. Test signing in:

    • To test signing in with your identity provider, use the custom URL provided in Test starting with your IdP. You should arrive at the start page for QuickSight, for example https://quicksight.aws.amazon.com/sn/start.

    • To test signing in with QuickSight first, use the custom URL provided in Test the end-to-end experience. The enable-sso parameter is appended to the URL. If enable-sso=1, IAM federation attempts to authenticate.

  7. Choose Save to keep your settings.

To enable service provider–initiated IAM federation for your IdP
  1. Make sure your IAM federation settings are configured and tested. If you're not sure about the configuration, test the connection by using the URLs from the previous procedure.

  2. Open QuickSight, and choose Manage QuickSight from your profile menu.

  3. Choose Single sign-on (IAM federation) from the navigation pane.

  4. For Status, choose ON.

  5. Verify that it's working by disconnecting from your IdP and opening QuickSight.

To disable service provider–initiated IAM federation
  1. Open QuickSight, and choose Manage QuickSight from your profile menu.

  2. Choose Single sign-on (IAM federation) from the navigation pane.

  3. For Status, choose OFF.