AWS Big Data Blog
Enabling Amazon QuickSight federation with Azure AD
As of August 2023, Amazon QuickSight is now an AWS IAM Identity Center enabled application. This capability allows administrators who subscribe to QuickSight to use IAM Identity Center to enable their users to log in with Azure AD and other external identity providers. For more information, see Simplify business intelligence identity management with Amazon QuickSight and IAM Identity Center (AWS blog post) and Configure your Amazon QuickSight account with IAM Identity Center in the QuickSight documentation. We recommend that you use this new integration. This blog post is provided as a reference for existing account configurations.
Customers today want to establish a single identity and access strategy across all of their own apps, such as on-premises apps, third-party cloud apps (SaaS), or apps in AWS. If your organization uses Azure Active Directory (Azure AD) for cloud applications, you can enable single sign-on (SSO) for applications like Amazon QuickSight without needing to create another user account or remember passwords. You can also enable role-based access control to make sure users get appropriate role permissions in QuickSight based on their entitlement stored in Active Directory attributes or granted through Active Directory group membership. The setup also allows administrators to focus on managing a single source of truth for user identities in Azure AD while having the convenience of configuring access to other AWS accounts and apps centrally.
In this post, we walk through the steps required to configure federated SSO between QuickSight and Azure AD. We also demonstrate ways to assign a QuickSight role based on Azure AD group membership. Administrators can publish the QuickSight app in the Azure App portal to enable users to SSO to QuickSight using their Azure AD or Active Directory credentials.
The solution in this post uses an identity provider (IdP)-initiated SSO, which means your end-users must log in to Azure AD and choose the published QuickSight app in the Azure App portal to sign in to QuickSight.
Registering a QuickSight application in Azure AD
Your first step is to create a QuickSight application in Azure AD.
- Log in to your Azure portal using the administrator account in the Azure AD tenant where you want to register the QuickSight application.
- Under Azure Services, open Azure Active Directory and, under Manage, choose Enterprise Application.
- Choose New Application.
- Select Non-gallery application.
- For Name, enter Amazon QuickSight.
- Choose Add to register the application.
Creating users and groups in Azure AD
You can now create new users and groups or choose existing users and groups that can access QuickSight.
- Under Manage, choose All applications and open Amazon QuickSight.
- Under Getting Started, choose Assign users and groups.
- For this post, you create three groups, one for each QuickSight role:
QuickSight-Admin
QuickSight-Author
QuickSight-Reader
For instructions on creating groups in Azure AD, see Create a basic group and add members using Azure Active Directory.
Configuring SSO in Azure AD
You can now start configuring the SSO settings for the app.
- Under Manage, choose Single sign-on.
- For Select a single sign-on method, choose SAML.
- To configure the sections, choose Edit.
- In the Basic SAML Configuration section, for Identifier (Entity ID), enter URN:AMAZON:WEBSERVICES.
This is the entity ID passed during the SAML exchange. Azure requires that this value be unique for each application. For additional AWS applications, you can append a number to the string; for example, URN:AMAZON:WEBSERVICES2.
- For Reply URL, enter https://signin.thinkwithwp.com/saml.
- Leave Sign on URL blank.
- For Relay State, enter https://quicksight.thinkwithwp.com.
- Leave Logout URL blank.
- Under SAML Signing Certificate, choose Download next to Federation Metadata XML.
You use this XML document later when setting up the SAML provider in AWS Identity and Access Management (IAM).
- Leave this tab open in your browser while moving on to the next steps.
Creating Azure AD as your SAML IdP in AWS
You now configure Azure AD as your SAML IdP.
- Open a new tab in your browser.
- Log in to the IAM console in your AWS account with admin permissions.
- On the IAM console, choose Identity providers.
- Choose Create provider.
- For Provider name, enter AzureActiveDirectory.
- Choose Choose File to upload the metadata document you downloaded earlier.
- Choose Next Step.
- Verify the provider information and choose Create.
- On the summary page, record the value for the provider ARN (arn:aws:iam::<AccountID>:saml-provider/AzureActiveDirectory).
You need this ARN to configure claims rules later in this post.
You can also complete this configuration using the AWS Command Line Interface (AWS CLI).
Configuring IAM policies
In this step, you create three IAM policies for different role permissions in QuickSight:
QuickSight-Federated-Admin
QuickSight-Federated-Author
QuickSight-Federated-Reader
Use the following steps to set up QuickSight-Federated-Admin policy. This policy grants admin privileges in QuickSight to the federated user:
- On the IAM console, choose Policies.
- Choose Create Policy.
- Choose JSON and replace the existing text with the following code:
- Choose Review policy.
- For Name, enter QuickSight-Federated-Admin.
- Choose Create policy.
Now repeat the steps to create the QuickSight-Federated-Author and QuickSight-Federated-Reader policies, using the following JSON code for each policy:
QuickSight-Federated-Author
The following policy grants author privileges in QuickSight to the federated user:
QuickSight-Federated-Reader
The following policy grants reader privileges in QuickSight to the federated user:
Configuring IAM roles
Next, create the roles that your Azure AD users assume when federating into QuickSight. The following steps set up the admin role:
- On the IAM console, choose Roles.
- Choose Create role.
- For Select type of trusted entity, choose SAML 2.0 federation.
- For SAML provider, choose the provider you created earlier (AzureActiveDirectory).
- Select Allow programmatic and AWS Management Console access.
- For Attribute, make sure SAML:aud is selected.
- Value should show https://signin.thinkwithwp.com/saml.
- Choose Next: Permissions.
- Choose the QuickSight-Federated-Admin IAM policy you created earlier.
- Choose Next: Tags.
- Choose Next: Review.
- For Role name, enter QuickSight-Admin-Role.
- For Role description, enter a description.
- Choose Create role.
- On the IAM console, in the navigation pane, choose Roles.
- Choose the QuickSight-Admin-Role role you created to open the role's properties.
- Record the role ARN to use later.
- On the Trust Relationships tab, choose Edit Trust Relationship.
- Under Trusted Entities, verify that the IdP you created is listed.
- Under Conditions, verify that SAML:aud with a value of https://signin.thinkwithwp.com/saml is present.
- Repeat these steps to create your author and reader roles and attach the appropriate policies:
  - For QuickSight-Author-Role, use the policy QuickSight-Federated-Author.
  - For QuickSight-Reader-Role, use the policy QuickSight-Federated-Reader.
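A check of the trust relationship you just verified by hand, as an added example in Python (not code from the original post). The account ID and the trust policy document are constructed; the policy has the shape the IAM console generates for a SAML 2.0 federation role.

```python
import json

# Constructed sample values (not from the original post); the account ID is a placeholder.
EXPECTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/AzureActiveDirectory"
EXPECTED_AUDIENCE = "https://signin.thinkwithwp.com/saml"

# Trust policy in the shape the IAM console creates for a "SAML 2.0 federation" role.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": EXPECTED_PROVIDER},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": EXPECTED_AUDIENCE}},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json, provider_arn, audience):
    """Return the problems found; an empty list means the trust matches the post's setup:
    only the Azure AD IdP may assume the role, and only for the AWS sign-in audience."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in federated:
            findings.append("statement trusts any principal")
        elif federated != [provider_arn]:
            findings.append(f"federated principal is not {provider_arn}")
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action")):
            findings.append("statement does not allow sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None:
            findings.append("missing SAML:aud condition")
        elif aud != audience:
            findings.append(f"SAML:aud is {aud}, expected {audience}")
    return findings
```

Run it against the trust policy of each of the three roles (for example from the role's Trust Relationships tab) to confirm none of them drifted from the expected IdP and audience.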
Configuring user attributes and claims in Azure AD
In this step, you return to the application in Azure portal and configure the user claims that Azure AD sends to AWS.
By default, several SAML attributes are populated for the new application, but you don’t need these attributes for federation into QuickSight. Under Additional Claims, select the unnecessary claims and choose Delete.
For this post, you create three claims:
Role
RoleSessionName
SAML_SUBJECT
Creating the Role claim
To create the Role claim, complete the following steps:
- Under Manage, choose Single sign-on.
- Choose Edit on the User Attributes & Claims section.
- Choose Add new claim.
- For Name, enter Role.
- For Namespace, enter https://thinkwithwp.com/SAML/Attributes.
- Under Claim conditions, add a condition for the admin, author, and reader roles. Use the parameters in the following table and make sure to replace <Account ID> with your AWS account ID:
User Type | Scoped Group | Source | Value |
Any | QuickSight-Admin | Attribute | arn:aws:iam::<Account ID>:role/QuickSight-Admin-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory |
Any | QuickSight-Author | Attribute | arn:aws:iam::<Account ID>:role/QuickSight-Author-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory |
Any | QuickSight-Reader | Attribute | arn:aws:iam::<Account ID>:role/QuickSight-Reader-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory |
Creating the RoleSessionName claim
To create your RoleSessionName claim, complete the following steps:
- Choose Add new claim.
- For Name, enter RoleSessionName.
- For Namespace, enter https://thinkwithwp.com/SAML/Attributes.
- For Source, choose Transformation.
- For Transformation, enter ExtractMailPrefix().
- For Parameter 1, enter user.userprincipalname.
We use the ExtractMailPrefix() function to extract the name from the userprincipalname attribute. For example, the function extracts the name joe from the user principal name value joe@example.com. IAM uses RoleSessionName to build the role session ID for the user signing in to QuickSight. The role session ID is made up of the Role name and RoleSessionName, in Role/RoleSessionName format. Users are registered in QuickSight with the role session ID as the username.
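The Role claim table and the RoleSessionName derivation above, worked through in Python as an added example (not code from the original post). The account ID, group names and sample user are constructed; the group-to-role mapping mirrors the claim-condition table, and the example also shows what a user in more than one group ends up with.

```python
# Constructed sample values (not from the original post); the account ID is a placeholder.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureActiveDirectory"

# Azure AD group -> IAM role name, mirroring the claim-condition table in the post.
GROUP_TO_ROLE = {
    "QuickSight-Admin": "QuickSight-Admin-Role",
    "QuickSight-Author": "QuickSight-Author-Role",
    "QuickSight-Reader": "QuickSight-Reader-Role",
}


def extract_mail_prefix(upn: str) -> str:
    """Same result as Azure AD's ExtractMailPrefix(): the part of the UPN before '@'."""
    return upn.split("@", 1)[0]


def role_claim_values(groups):
    """Build the Role claim: one 'role_arn,provider_arn' value per matching group.

    Groups that are not in the table contribute nothing, so a user outside all three
    groups gets an empty Role claim and cannot assume any QuickSight role.
    """
    values = []
    for group in groups:
        role_name = GROUP_TO_ROLE.get(group)
        if role_name:
            values.append(f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name},{PROVIDER_ARN}")
    return values


def quicksight_usernames(upn: str, groups) -> list:
    """Usernames QuickSight registers on first sign-in: RoleName/RoleSessionName.

    A user in more than one group gets one entry per role, because the AWS sign-in
    page lets the user pick any role present in the assertion.
    """
    session_name = extract_mail_prefix(upn)
    names = []
    for value in role_claim_values(groups):
        role_arn = value.split(",", 1)[0]
        role_name = role_arn.rsplit("/", 1)[1]
        names.append(f"{role_name}/{session_name}")
    return names
```

This is also why moving a user from one group to another leaves the old QuickSight user behind: the username changes with the role name, so a new user is registered instead of the old one being renamed.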
Creating the SAML_SUBJECT claim
To create your final claim, SAML_SUBJECT, complete the following steps:
- Choose Add new claim.
- For Name, enter SAML_SUBJECT.
- For Namespace, enter https://thinkwithwp.com/SAML/Attributes.
- For Source, choose Attribute.
- For Source attribute, enter "Azure AD - QuickSight SSO".
Testing the application
You’re now ready to test the application.
- In the Azure portal, on the Azure Active Directory page, choose All groups.
- Update the group membership of the QuickSight-Admin group by adding the current user to it.
- Under Enterprise Applications, choose Amazon QuickSight.
- Under Manage, choose Single sign-on.
- Choose Test this application to test the authentication flow.
- Log in to QuickSight as an admin.
The following screenshot shows you the QuickSight dashboard for the admin user.
- Remove the current user from the QuickSight-Admin Azure AD group and add it to the QuickSight-Author group.
When you test the application flow, you log in to QuickSight as an author.
- Remove the current user from the QuickSight-Author group and add it to the QuickSight-Reader group.
When you test the application flow again, you log in as a reader.
Removing the user from the Azure AD group does not automatically remove the registered user from QuickSight. You have to remove the user manually in the QuickSight admin console. User management inside QuickSight is documented in this article.
Deep-linking QuickSight dashboards
You can share QuickSight dashboards using the sign-on URL for the QuickSight application published in the Azure Apps portal. This allows users to federate directly into the QuickSight dashboard without having to land first on the QuickSight homepage.
To deep-link to a specific QuickSight dashboard with SSO, complete the following steps:
- Under Enterprise Applications, choose Amazon QuickSight.
- Under Manage, choose Properties.
- Locate the User access URL.
- Append ?RelayState, set to the URL of your dashboard, to the end of the User access URL. For example, https://myapps.microsoft.com/signin/Amazon%20QuickSight/a06d28e5-4aa4-4888-bb99-91d6c2c4eae8?RelayState=https://us-east-1.quicksight.thinkwithwp.com/sn/dashboards/224103be-0470-4de4-829f-390e55b3ef96.
You can test it by creating a custom sign-in URL using the RelayState parameter pointing to an existing dashboard. Make sure the user signing in to the dashboard has been granted proper access.
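Building and checking such a deep link, as an added example in Python (not code from the original post). The User access URL and dashboard URL are constructed placeholders; the dashboard URL is percent-encoded before it goes into RelayState, and the read-back check only accepts RelayState values that point at a QuickSight host.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values (not from the post): an app User access URL and a dashboard URL.
USER_ACCESS_URL = "https://myapps.microsoft.com/signin/Amazon%20QuickSight/<app-id>"
DASHBOARD_URL = "https://us-east-1.quicksight.thinkwithwp.com/sn/dashboards/<dashboard-id>"


def deep_link(user_access_url: str, dashboard_url: str) -> str:
    """Append RelayState to the User access URL, percent-encoding the dashboard URL
    so its own '/', ':' and '?' characters survive the round trip through Azure AD."""
    separator = "&" if "?" in user_access_url else "?"
    return user_access_url + separator + urlencode({"RelayState": dashboard_url})


def relay_state_target(link: str, allowed_suffix: str = "quicksight.thinkwithwp.com"):
    """Return the RelayState URL from a deep link, or None if it is absent, repeated,
    or does not point at a QuickSight host (a link that relays elsewhere is rejected)."""
    query = parse_qs(urlsplit(link).query)
    targets = query.get("RelayState", [])
    if len(targets) != 1:
        return None
    host = urlsplit(targets[0]).hostname or ""
    if host != allowed_suffix and not host.endswith("." + allowed_suffix):
        return None
    return targets[0]
```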
Summary
This post provided step-by-step instructions to configure federated SSO with Azure AD as the IdP. We also discussed how to map users and groups in Azure AD to IAM roles for secure access into QuickSight.
If you have any questions or feedback, please leave a comment.
About the Author
Adnan Hasan is a Global GTM Analytics Specialist at Amazon Web Services, helping customers transform their business using data, machine learning and advanced analytics.