Amazon QuickSight SAML-based Single-Sign-On Setup

Amazon QuickSight is used as the default visualization BI tool for the Symbee Connect Business Intelligence solution. See Symbee Connect Business Intelligence Introduction for further details.

To return to the Initial Setup section, click here.

The following provides a quick step-by-step for Amazon QuickSight SAML-based SSO setup using Microsoft Office 365 Azure AD as the Identity Provider (as it is a very common choice). For more details, further Amazon QuickSight SSO options and administration, and using other Identity Providers, start by referring to the Identity and Access Management section in the official Amazon QuickSight User Guide here.

Setting up SAML-based Single Sign-On (SSO) using an External IdP

In general, Amazon QuickSight Single-Sign-On (SSO) using an external Identity Provider (IdP) requires you to first set up a SAML trust between your IdP and your AWS Account. Once you have the federation working between your IdP and your AWS Account Console, you then set the SAML RelayState on the federation to land the user immediately at the Amazon QuickSight URL/portal at the completion of Authentication. This is very similar to how you set up SSO for your Amazon Connect agents.

In summary:

Ensure the Authentication Method in Amazon QuickSight supports federation

To use SAML SSO with Amazon QuickSight, the Authentication method in Amazon QuickSight needs to be one of the two methods that support IAM federated identities:

To confirm your account is one of these, in Amazon QuickSight go into the Manage QuickSight page (via the dropdown menu after clicking on the little user icon in the very top right of the Amazon QuickSight console). Then check whether you have the Single sign-on (SSO) option near the bottom of the left navigation bar.

Step by Step for SSO setup using Microsoft 365 Azure AD

The following sections walk through SSO setup using Microsoft Office 365 Azure AD as an example. If you are using a different SAML-enabled IdP, the steps will be functionally similar, but refer to AWS documentation for further details about the specific IAM setup for other common SAML-based IdPs.

Part 1 - In Microsoft Azure, create a new Enterprise App to represent Amazon QuickSight SSO

  1. Login as an Admin into your Office 365 Portal.

  2. On the left navigation bar, click Show All... at the bottom, and click Identity, to get to the Microsoft Entra admin center (formerly Microsoft Azure)

  3. On the left navigation bar, under Identity, click Applications, then Enterprise Applications

  4. At the top of the Enterprise Applications listing screen, click the "+ New Application" button

  5. Under Browse Microsoft Entra ID Gallery, under Cloud platform, click on the big Amazon Web Services (AWS) icon.

  6. Select the AWS Single-Account Access icon

  7. The Enterprise App you are creating will represent access to Amazon QuickSight in your target AWS Account. Change the default name of the new Enterprise App to represent this. For example: "QuickSight-in-AccountName". Click Create at the bottom.

  8. After the Enterprise App is created, select Single sign-on on the left navigation bar within the Enterprise App Overview page, and select SAML in the Select a single sign-on method.

  9. In the Set up Single Sign-On with SAML page

    • Under 1 - Basic SAML Configuration,

      • Set the Identifier (Entity ID). It follows the pattern https://signin.aws.amazon.com/saml but needs to be unique in your Azure account, so if you have other Enterprise Apps that already federate to AWS, add a suffix to the default pattern to make it unique, for example: https://signin.aws.amazon.com/saml-qs
      • Set the Relay State to: https://quicksight.aws.amazon.com
    • Under 2 - Attributes & Claims

      • Keep all the defaults already provided
      • Click "+ Add new claim" to add one further Claim / SAML Attribute to the list. On the Manage Claim screen,
        • Set the Namespace to https://aws.amazon.com/SAML/Attributes
        • Set the Source to Attribute
        • Set the Source Attribute to the field you want to use as the Email address of the user's account inside Amazon QuickSight (for example: user.userprincipalname)
    • Under 3 - SAML Certificates

      • If you don't already have a token signing certificate generated, click Edit and then under SAML Signing Certificate click "+ New Certificate". If you already have a SAML Signing Certificate, use the one you have.
      • Click the Download link beside Federation Metadata XML. Save the resulting file locally - you need to upload this file into AWS IAM when creating the Identity Provider in IAM
  10. After completing the Single Sign-on Setup, go to the Properties page of the new Enterprise App, and copy the User access URL. You need to use this within the SSO configuration within Amazon QuickSight in Part 4 further below.

Part 2 - In your AWS Account, configure Microsoft Azure as a federated Identity Provider

  1. Login to your AWS Console and navigate to IAM.

The following steps create the Identity Provider definition in IAM that represents your third-party IdP (in this case Office 365 Azure), with an IAM Role assigned to it to allow the federation, and an inline policy on that federation role to allow access into Amazon QuickSight.

  1. In the left navigation bar, select Identity Providers, and click Add Provider,

    • Select the Provider Type to be: SAML
    • Provide a name that represents your Office 365 Azure IdP
    • Under Metadata Document, click Choose File, and upload the Metadata XML file you downloaded from your Azure Enterprise App when you were creating your Enterprise Application above (Part 1, end of Step 9).
    • Click Add Provider at the bottom to complete
  2. Then, in the left navigation bar, select Roles, and click, Create Role,

    • On the Create Role screen, under Trusted Entity Type, select SAML 2.0
    • Under SAML 2.0 federation, select the new Identity Provider you created above
    • Under Access to be allowed, select Allow programmatic access only
    • For Attribute, select SAML:aud
    • For the Value, use: https://signin.aws.amazon.com/saml
    • Click Next
    • On the Add Permissions screen, don't select anything, just click Next (you will come back here and add an Inline Policy after the Role is created)
    • On the final screen, give your Role a name representing your IdP's federation to your AWS account
    • Finally click Create at the bottom to create your Role
  3. With your Identity Provider Role created, go back to the Roles listing screen, find the Role you just created, and click to edit the Role,

    • On the Role screen, to the right click Add permissions, and select Create inline policy
    • In the Specify Permissions screen, switch to JSON view
    • Refer to the Amazon QuickSight Admin Guide for the details of the Inline Policy to create - see: Configure permissions in AWS for your federated users
    • After adding the JSON, Click Next, and give your inline policy a name - for example: AllowQuickSightAccess

    • Click Create Policy in the bottom right to complete the inline policy
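A post-configuration check for the Role created above, added here as an example (it is not part of this page or of AWS's own tooling): it reads a role trust policy as JSON and reports whether it carries the Federated principal for the Identity Provider from step 1 and the SAML:aud condition from step 2, run against a constructed matching policy and a constructed weaker one. The account ID 111122223333 and the provider name O365-Azure-IdP are placeholders for your own values.

```python
# Added example (not from the page or from AWS): pre-flight check that a role's trust
# policy matches the SAML 2.0 trust created in Part 2, step 2. Input is the policy JSON
# as shown on the role's Trust relationships tab. Account ID and IdP name are placeholders.
import json

SIGNIN_AUDIENCE = "https://signin.aws.amazon.com/saml"  # the SAML:aud value from step 2


def trust_policy_findings(policy_json: str, expected_provider_arn: str) -> list:
    """Return findings for a role trust policy; an empty list means it matches the setup."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object too
        statements = [statements]
    findings, saml_statements = [], 0
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRoleWithSAML", "sts:*"} & set(actions):
            continue  # only statements that grant SAML role assumption matter here
        saml_statements += 1
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != expected_provider_arn:
            findings.append(f"Federated principal is {federated!r}, not the IdP created in step 1")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SIGNIN_AUDIENCE:
            findings.append(f"SAML:aud condition is {aud!r}, expected {SIGNIN_AUDIENCE!r}")
    if saml_statements == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithSAML")
    return findings


PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/O365-Azure-IdP"  # placeholder

# Constructed sample: the trust policy the Create Role wizard generates after step 2.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUDIENCE}}}]})

# Constructed sample of a weaker policy: same principal, but the audience condition is
# missing, so the trust no longer requires assertions issued for the AWS sign-in endpoint.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML"}]})
```

Running `trust_policy_findings(GOOD_POLICY, PROVIDER_ARN)` returns no findings, while the weaker policy is reported for its missing SAML:aud condition.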

The following steps create a "service" IAM user (programmatic access only, no console access) with a set of access credentials. Microsoft 365 Azure uses these credentials during provisioning to discover the Identity Provider and IAM Role ARNs to use in the SAML RoleName attribute when a user in Azure is assigned to the Enterprise App that represents the Amazon QuickSight federation.

  1. Remaining in IAM, in the left navigation bar, select Users, and then Create User

    • Provide a name for the user. For example: O365FederationServiceUser or similar
    • Leave the Provide user access to the AWS Management Console unchecked, and click Next
    • Under Permissions, just click Next (you will come back after the user is created, and add an Inline Policy to the user)
    • Click Create User on the final screen to create the user
  2. Back on the Users listing screen, find the new IAM User you just created above, and click to edit it

  3. On the User details screen, in the first Permissions tab, to the right click Add permissions, and select Create inline policy

  4. In the Specify Permissions screen, switch to JSON view, and add the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRoleDiscoveryForO365Provisioning",
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles",
                    "iam:ListAccountAliases"
                ],
                "Resource": "*"
            }
        ]
    }
  5. Then select Next, and give the Policy a name. For example: AllowRoleDiscovery

    • Click Create Policy to complete the creation of the inline policy on your user.
  6. Then, while still in the User details page, switch to the Security credentials tab

    • Under Access Keys, click Create access key, select Other, and click Next.
    • Set the Description tag to something useful, such as: "User in Office 365 Azure for SSO provisioning", and click Create access key
    • Copy the Access key and Secret access key values - you paste these into the Microsoft Auto Provisioning screen of your Enterprise App in the steps further below.


Part 3 - Back in Microsoft Entra admin center (formerly Azure), enable Provisioning on your Enterprise App

Enable Provisioning on your new Enterprise App, to tie it to the AWS Account, and IAM Role to use when the user federates to the AWS Account to enter Amazon QuickSight.

Within the definition of the Enterprise Application:

  1. Select Provisioning on the left navigation bar, and then under Manage, select Provisioning again.

  2. Within the resulting Provision screen of the Enterprise App

    • Set Provisioning Mode to: Automatic
    • Under Admin Credentials, paste the Access key and Secret access key from your IAM service user created above, into the clientSecret and Secret Token fields respectively.
    • Click Test connection to confirm the authentication/communication is good.
    • Click Save at the top.
  3. Return to the Provisioning Overview screen after saving the above changes,

    • Click on: Start provisioning at the top.
    • Click Refresh (also at the top) until you see the overview screen indicate at least 1 provisioning cycle has been performed.

Finally, assign one or more test users to your new Enterprise App to test single sign-on:

  1. Within the definition of the Enterprise App, select Users and groups on the left navigation bar

  2. In the Users and groups screen, click Add user/group at the top. In the resulting Add Assignment screen,

    • First click and select the Users or groups to be assigned
    • Then click and select the role to associate with the assignment. In the list of roles provided to choose from, you should see the IAM Role associated with the Identity Provider definition you created earlier above in IAM in your AWS account.
    • Select that role, and click Assign at the bottom to complete the assignment.

Back on your Office 365 portal, find your new Enterprise App representing Amazon QuickSight, and click it to confirm Single-Sign-On into Amazon QuickSight works.

This test is referred to as an "IdP initiated Single sign-on".


Part 4 - In Amazon QuickSight, enable Service-Provider initiated SSO

The following steps set up SAML "Service Provider initiated SSO" - meaning, if the user goes to the Amazon QuickSight login URL first rather than through your IdP portal, then the user is redirected back to your IdP for authentication before entering Amazon QuickSight.

  1. Log into Amazon QuickSight as an Administrator user.

  2. Click on the little user icon in the very top right of the QuickSight console, and select Manage QuickSight from the drop-down menu.

  3. From the QuickSight management screen, select Single sign-on (SSO) near the bottom of the left navigation bar.

  4. In the Single Sign-on Configuration screen, in the Service Provider Initiated SSO section:

    • First, set the IdP URL parameter to the User access URL of the Azure Enterprise App you obtained in Part 1, step 10.
    • Then, set the IdP redirect URL parameter to: RelayState
    • Lastly, change the Status radio to ON
  5. Use the test links provided, in another browser, to try out the "Service Provider initiated SSO" and confirm it works.