Enable federation to Amazon QuickSight with automatic provisioning of users between AWS IAM Identity Center and Microsoft Azure AD

Organizations are working towards centralizing their identity and access strategy across all their applications, including on-premises, third-party, and applications on AWS. Many organizations use identity providers (IdPs) based on OIDC or SAML protocols, such as Microsoft Azure Active Directory (Azure AD), and manage user authentication and authorization centrally. This authorizes users to access Amazon QuickSight assets (analyses, dashboards, folders, and datasets) through centrally managed Azure AD and AWS IAM Identity Center (successor to AWS Single Sign-On).

IAM Identity Center provides an authentication process that allows users to sign in to multiple applications with a single set of credentials. IAM Identity Center makes it easy to centrally manage access to multiple AWS accounts and business applications. It provides your workforce with single sign-on (SSO) access to all assigned accounts and applications from one place.

In this post, we walk you through the steps required to configure federated SSO along with automated email sync between QuickSight and Azure AD via IAM Identity Center. We also demonstrate ways System for Cross-domain Identity Management (SCIM) keeps your IAM Identity Center identities in sync with identities from your IdP.

Solution overview

The following is the reference architecture for configuring IAM Identity Center with Azure AD for automated federation to QuickSight and the AWS Management Console.

The following are the steps involved to set up federated SSO from Azure to QuickSight:

  1. Configure Azure as an IdP in IAM Identity Center.
  2. Register an IAM Identity Center application in Azure AD.
  3. Configure the application in Azure AD.
  4. Enable automatic provisioning of users and groups.
  5. Enable email syncing for federated users in QuickSight console.
  6. Create a QuickSight application in IAM Identity Center.
  7. Add the IAM Identity Center application as a SAML IdP.
  8. Configure AWS Identity and Access Management (IAM) policies and roles.
  9. Configure attribute mappings in IAM Identity Center.
  10. Validate federation to QuickSight from IAM Identity Center.

Prerequisites

To complete this walkthrough, you must have the following prerequisites:

  • An Azure AD subscription with Administrator permission.
  • A QuickSight account subscription with Administrator permission.
  • An IAM Administrator account.
  • An IAM Identity Center Administrator account.

Configure Azure as IdP in IAM Identity Center

To configure Azure as an IdP, complete the following steps:

  1. On the IAM Identity Center console, choose Enable.
  2. Choose Choose your identity source.
  3. Select External identity provider to manage all users and groups.
  4. Choose Next.
  5. In the Configure external identity provider section, download the service provider metadata file.
  6. Save the AWS access portal sign-in URL, IAM Identity Center Assertion Consumer Service (ACS) URL, and IAM Identity Center issuer URL. These are used later in this post.
  7. Leave this tab open in your browser while proceeding to the next steps.

Register an IAM Identity Center application in Azure AD

To register an IAM Identity Center application in Azure AD, complete the following steps:

  1. Sign in to your Azure portal using an administrator account.
  2. Under Azure Services, choose Azure AD and under Manage, choose Enterprise applications.
  3. Choose New application.
  4. Choose Create your own application.
  5. Enter a name for the application.
  6. Select the option Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Choose Create.

Configure the application in Azure AD

To configure your application, complete the following steps:

  1. Under Enterprise applications, choose All applications and select the application created in the previous step.
  2. Under Manage, choose Single Sign-on.
  3. Choose SAML.
  4. Choose Single Sign-on to set up SSO with SAML.
  5. Choose Upload metadata file, and upload the file you downloaded from IAM Identity Center.
  6. Choose Edit to edit the Basic SAML Configuration section:
    • For Identifier (Entity ID), enter the IAM Identity Center issuer URL.
    • For Reply URL (Assertion Consumer Service URL), enter the IAM Identity Center ACS URL.
  7. Under SAML Signing Certificate, choose Download next to Federation Metadata XML.

We use this XML document in later steps when setting up the SAML provider in IAM and in IAM Identity Center.

  8. Leave this tab open in your browser while moving to the next steps.
  9. Switch to the IAM Identity Center tab to complete its setup.
  10. Under Identity provider metadata, choose IdP SAML metadata and upload the federation metadata XML file you downloaded.
  11. Review and confirm the changes.

Enable automatic provisioning of users and groups

IAM Identity Center supports the System for Cross-domain Identity Management (SCIM) v2.0 standard. SCIM keeps your IAM Identity Center identities in sync with your external IdP, covering provisioning, updates, and deprovisioning of users between the IdP and IAM Identity Center. To enable SCIM, complete the following steps:

  1. On the IAM Identity Center console, choose Settings in the navigation pane.
  2. Next to Automatic provisioning, choose Enable.
  3. Copy the SCIM endpoint and Access token.
  4. Switch to the Azure AD tab.
  5. On the Default Directory Overview page, under Manage, choose Users.
  6. Choose New user and Create new user(s).
    Make sure the user profile has valid information under First name, Last name, and Email attribute.
  7. Under Enterprise applications, choose All applications and select the application you created earlier.
  8. Under Manage, choose Users and groups.
  9. Choose Add user/group, and select the users you created earlier.
  10. Choose Assign.
  11. Under Manage, choose Provisioning and Get started.
  12. Choose Provisioning Mode as Automatic.
  13. For Tenant URL, enter the SCIM endpoint.
  14. For Secret Token, enter the Access token.
  15. Choose Test Connection and Save.
  16. Under Provisioning, choose Start provisioning.

Make sure each user profile has valid information under First name, Last name, and Email. The Email attribute is the key value for the email sync with QuickSight.

On the IAM Identity Center console, under Users, you can now see all the users provisioned from Azure AD.

Enable email syncing for federated users in QuickSight console

Complete the following steps to enable email syncing for federated users:

  1. Sign in as an admin user to the QuickSight console and choose Manage QuickSight from the user name menu.
  2. Choose Single sign-on (SSO) in the navigation pane.
  3. Under Email Syncing for Federated Users, select ON.

Create a QuickSight application in IAM Identity Center

Complete the following steps to create a custom SAML 2.0 application in IAM Identity Center.

  1. On the IAM Identity Center console, choose Applications in the navigation pane.
  2. Choose Add application.
  3. Under Preintegrated applications, search for and choose Amazon QuickSight.
  4. Choose Next.
  5. For Display name, enter a name, such as Amazon QuickSight.
  6. For Description, enter a description.
  7. Download the IAM Identity Center SAML metadata file to use later in this post.
  8. For Application start URL, leave as is.
  9. For Relay state, enter https://quicksight.aws.amazon.com.
  10. For Session duration, choose your session duration. The recommended value is 8 hours.
  11. For Application ACS URL, enter https://signin.aws.amazon.com/saml.
  12. For Application SAML audience, enter urn:amazon:webservices.
  13. Choose Submit.
    After your settings are saved, your application configuration should look similar to the following screenshot.

You can now assign your users to this application, so that the application appears in their IAM Identity Center portal after login.

  14. On the application page, under Assigned users, choose Assign Users.
  15. Select your users.
  16. Optionally, if you want to enable multiple users in your organization to use QuickSight, the fastest and easiest way is to use IAM Identity Center groups.
  17. Choose Assign Users.

Add the IAM Identity Center application as a SAML IdP

Complete the following steps to configure IAM Identity Center as your SAML IdP:

  1. Open a new tab in your browser.
  2. Sign in to the IAM console in your AWS account with admin permissions.
  3. Choose Identity providers in the navigation pane.
  4. Choose Add provider.
  5. Select SAML for Provider type.
  6. For Provider name, enter IAM_Identity_Center.
  7. Choose Choose File to upload the metadata document you downloaded earlier from the Amazon QuickSight application.
  8. Choose Add Provider.
  9. On the summary page, record the value for the provider ARN (arn:aws:iam:::saml-provider/IAM_Identity_Center).

You will use this ARN while configuring claims rules later in this post.

Configure IAM policies

In this step, you create three IAM policies for different role permissions in QuickSight:

  • QuickSight-Federated-Admin
  • QuickSight-Federated-Author
  • QuickSight-Federated-Reader

Use the following steps to set up the QuickSight-Federated-Admin policy. This policy grants admin privileges in QuickSight to the federated user:

  1. On the IAM console, choose Policies in the navigation pane.
  2. Choose Create policy.
  3. Choose JSON and replace the existing text with the following code:

    {
        "Statement": [
            {
                "Action": [
                    "quicksight:CreateAdmin"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:quicksight:::user/${aws:userid}"
                ]
            }
        ],
        "Version": "2012-10-17"
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and continue. Optionally, you could also add a specific AWS region in the ARN.

  4. Choose Review policy.
  5. For Name, enter QuickSight-Federated-Admin.
  6. Choose Create policy.
  7. Repeat these steps to create the QuickSight-Federated-Author policy using the following JSON code to grant author privileges in QuickSight to the federated user:
    {
        "Statement": [
            {
                "Action": [
                    "quicksight:CreateUser"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:quicksight:::user/${aws:userid}"
                ]
            }
        ],
        "Version": "2012-10-17"
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and continue. Optionally, you could also add a specific AWS region in the ARN.

  8. Repeat these steps to create the QuickSight-Federated-Reader policy using the following JSON code to grant reader privileges in QuickSight to the federated user:
    {
        "Statement": [
            {
                "Action": [
                    "quicksight:CreateReader"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:quicksight:::user/${aws:userid}"
                ]
            }
        ],
        "Version": "2012-10-17"
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and continue. Optionally, you could also add a specific AWS region in the ARN.

Configure IAM roles

Next, create roles that your Azure AD and IAM Identity Center users assume when federating into QuickSight. The following steps set up the admin role:

  1. On the IAM console, choose Roles in the navigation pane.
  2. Choose Create role.
  3. For Select type of trusted entity, choose SAML 2.0 federation.
  4. For SAML provider, choose the provider you created earlier (IAM_Identity_Center).
  5. Select Allow programmatic and AWS Management Console access.
  6. For Attribute, make sure SAML:aud is selected.
  7. For Value, make sure https://signin.aws.amazon.com/saml is selected.
  8. Choose Next.
  9. Choose the QuickSight-Federated-Admin IAM policy you created earlier.
  10. Choose Next: Tags.
  11. Choose Next: Review.
  12. For Role name, enter QuickSight-Admin-Role.
  13. For Role description, enter a description.
  14. Choose Create role.
  15. On the IAM console, in the navigation pane, choose Roles.
  16. Choose the QuickSight-Admin-Role role you created to open the role’s properties.
  17. Record the role ARN to use later.
  18. On the Trust relationships tab, choose Edit trust policy.
  19. For the policy details, enter the following JSON:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam:::saml-provider/IAM_Identity_Center"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {
                    "StringEquals": {
                        "SAML:aud": "https://signin.aws.amazon.com/saml"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam:::saml-provider/IAM_Identity_Center"
                },
                "Action": "sts:TagSession",
                "Condition": {
                    "StringLike": {
                        "aws:RequestTag/Email": "*"
                    }
                }
            }
        ]
    }
  20. Choose Update Policy.
  21. Repeat these steps to create the roles QuickSight-Author-Role and QuickSight-Reader-Role, attaching the QuickSight-Federated-Author and QuickSight-Federated-Reader policies to their respective roles.

Configure attribute mappings in IAM Identity Center

The final step is to configure the attribute mappings in IAM Identity Center. The attributes you map here become part of the SAML assertion that is sent to the QuickSight application. You can choose which user attributes in your application map to corresponding user attributes in your connected directory. For more information, refer to Attribute mappings.

  1. On the IAM Identity Center console, choose Applications in the navigation pane.
  2. Select the Amazon QuickSight application you created earlier.
  3. On the Actions menu, choose Edit attribute mappings.
  4. Configure the following mappings (user attribute in the application; the string value or user attribute in IAM Identity Center it maps to; format):
    • Subject: maps to ${user:email}; format emailAddress.
    • https://aws.amazon.com/SAML/Attributes/Role: maps to arn:aws:iam:::saml-provider/IAM_Identity_Center,arn:aws:iam:::role/QuickSight-Admin-Role; format unspecified.
    • https://aws.amazon.com/SAML/Attributes/RoleSessionName: maps to ${user:email}; format unspecified.
    • https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email: maps to ${user:email}; format url.
  5. Choose Save changes.
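When federation fails, the quickest way to find out which side is misconfigured is to inspect the SAML assertion IAM Identity Center actually sends. The following Python script is an added example (not part of the original post) that checks an assertion against the mappings above and the SAML:aud and aws:RequestTag/Email conditions of the trust policy; the assertion is constructed inline and ACCOUNT_ID is a placeholder for your account ID.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR = "https://aws.amazon.com/SAML/Attributes/"
EXPECTED_AUD = "https://signin.aws.amazon.com/saml"
# ARNs as configured in the post; ACCOUNT_ID is a placeholder for your AWS account ID.
IDP_ARN = "arn:aws:iam::ACCOUNT_ID:saml-provider/IAM_Identity_Center"
ALLOWED_ROLE_ARNS = {f"arn:aws:iam::ACCOUNT_ID:role/QuickSight-{r}-Role"
                     for r in ("Admin", "Author", "Reader")}

# Constructed sample assertion (the user and values are made up for this example);
# in practice you would paste the assertion captured with a browser SAML tracer.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUD}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ATTR}Role"><saml:AttributeValue>{IDP_ARN},arn:aws:iam::ACCOUNT_ID:role/QuickSight-Admin-Role</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR}RoleSessionName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR}PrincipalTag:Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> list[str]:
    """Return findings; an empty list means the assertion matches the post's mappings and trust policy."""
    root = ET.fromstring(xml_text)
    findings = []
    # Subject must be the user's email in emailAddress format (the mapping for Subject).
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        findings.append("Subject NameID must use the emailAddress format")
    # The trust policy only allows AssumeRoleWithSAML when SAML:aud is the AWS sign-in URL.
    if EXPECTED_AUD not in {a.text for a in root.iterfind(".//saml:Audience", SAML_NS)}:
        findings.append(f"Audience must be {EXPECTED_AUD}")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", SAML_NS)]
             for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    # Role must be "<provider ARN>,<role ARN>" naming the post's IdP and one of its three QuickSight roles.
    roles = attrs.get(ATTR + "Role", [])
    if not roles:
        findings.append("Role attribute missing")
    for pair in roles:
        provider, _, role = pair.partition(",")
        if provider != IDP_ARN or role not in ALLOWED_ROLE_ARNS:
            findings.append(f"Unexpected Role value: {pair}")
    # RoleSessionName and PrincipalTag:Email both carry the email; the tag is what the
    # sts:TagSession statement (aws:RequestTag/Email) and QuickSight email sync rely on.
    for name in ("RoleSessionName", "PrincipalTag:Email"):
        if attrs.get(ATTR + name) != [subject]:
            findings.append(f"{name} must equal the Subject email ({subject!r})")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the expected mappings")
```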

Validate federation to QuickSight from IAM Identity Center

On the IAM Identity Center console, note down the user portal URL available on the Settings page. We suggest you log out of your AWS account first, or open an incognito browser window. Navigate to the user portal URL, sign in with the credentials of an AD user, and choose your QuickSight application.

You’re automatically redirected to the QuickSight console.

Summary

This post provided step-by-step instructions to configure federated SSO with Azure AD as IdP through IAM Identity Center. We also discussed how SCIM keeps your IAM Identity Center identities in sync with identities from your IdP. This includes any provisioning, updating, and deprovisioning of users between your IdP and IAM Identity Center.

If you have any questions or feedback, please leave a comment.

For additional discussions and help getting answers to your questions, check out the QuickSight Community.


About the author

Aditya Ravikumar is a Solutions Architect at Amazon Web Services. He is based in Seattle, USA. Aditya’s core interests include software development, databases, data analytics and machine learning. He works with AWS customers/partners to provide guidance and technical assistance to transform their business through innovative use of cloud technologies.

Srikanth Baheti is a Specialized World Wide Sr. Solution Architect for Amazon QuickSight. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high traffic web applications, highly scalable and maintainable data pipelines for reporting platforms using AWS services and Serverless computing.

Raji Sivasubramaniam is a Sr. Solutions Architect at AWS, focusing on Analytics. Raji is specialized in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with wide variety of healthcare datasets including managed market, physician targeting and patient analytics.


This is a companion discussion topic for the original entry at https://aws.amazon.com/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/