Federate Amazon Quick Sight access with OneLogin

Amazon Quick Sight is a scalable, serverless, embeddable, machine learning (ML)-powered business intelligence (BI) service built for the cloud that supports identity federation in both Standard and Enterprise editions. Organizations are working toward centralizing their identity and access strategy across all their applications, including on-premises and third-party applications. Many organizations use OneLogin as their identity provider (IdP) to control and manage user authentication and authorization centrally. Quick Sight can integrate with OneLogin through the use of single sign-on (SSO) and SAML 2.0 authentication. With this integration, users can access Quick Sight using their existing OneLogin credentials, providing a seamless and secure authentication experience. In this post, we walk you through the steps to configure federated SSO to Quick Sight with OneLogin as your IdP.

This solution proposes directly integrating Quick Sight with OneLogin as your IdP if your organization hasn’t adopted AWS IAM Identity Center. However, if you are already using or planning to implement IAM Identity Center, it’s advisable to integrate OneLogin with IAM Identity Center instead.

With IAM Identity Center, you gain enhanced access management and a seamless user experience, including centralizing user and group management, quickly provisioning new users and teams with minimal effort, effortlessly scaling access as your organization grows, and cross-service identity sharing to use capabilities such as trusted identity propagation and consolidated billing across Amazon Q Business and Quick Sight.

Solution overview

The walkthrough includes the following steps:

  1. Establish the OneLogin application.
  2. Build a SAML provider in AWS.
  3. Create Quick Sight roles for OneLogin federated users.
  4. Configure the OneLogin application.
  5. Set up Quick Sight service provider-initiated SSO.
  6. Access Quick Sight using OneLogin SSO.

Prerequisites

To integrate Quick Sight with OneLogin, you need to have the following prerequisites in place:

  • OneLogin account – You must have an active OneLogin account and permissions to create and modify applications and users.
  • Quick Sight account – You need a Quick Sight account set up in your AWS environment. This account should have the required permissions to configure SAML IdPs.
  • IAM permissions – You should have the appropriate AWS Identity and Access Management (IAM) permissions in your AWS account to configure SAML IdPs for Quick Sight and to create IAM roles and policies. This typically involves having the necessary IAM policies attached to your user or role.

Before starting the integration process, it’s recommended to gather all the necessary information and make sure you have the required permissions and access to both Quick Sight and OneLogin environments. Additionally, it’s a good practice to test the integration in a non-production environment to verify its functionality and identify any potential issues or configuration adjustments needed before deploying to a production environment.

Establish the OneLogin application

In this section, you create the OneLogin application for your enterprise’s use of Quick Sight.

  1. Log in to your OneLogin admin dashboard and choose the Administration tab. If you don’t have an account, you can create a free OneLogin account using your business email.
  2. Choose Applications from the top menu.
  3. Choose Add App.
  4. On the Find Applications page, enter Amazon Web Services in the search bar and choose Amazon Web Services (AWS) RelayState.
  5. Under Configuration, for Display Name, enter a name (for example, Amazon Quick Sight Administrator) and choose Save.
  6. In the navigation pane, choose Configuration.
  7. On the Application details page, for RelayState, enter https://quicksight.aws.amazon.com.
  8. Choose the SSO tab, open the value shown for Issuer URL in a new browser tab, and save the metadata XML it returns. You upload this file to IAM in the next section.
  9. In this solution, you need to create a OneLogin application for each Quick Sight role (author, reader, and administrator). Repeat the preceding steps to create additional OneLogin applications for the author and reader roles.

Build a SAML provider in AWS

In this section, you create the AWS IdP that integrates with OneLogin.

  1. On the IAM console, choose Identity providers from the navigation pane.
  2. Choose Add provider.
  3. For Provider type, select SAML, enter a provider name (for example, OneLoginQuickSightAdministrator for the administrator application), upload the metadata document downloaded from OneLogin, and choose Add provider.
  4. Go to the newly created IdP and make a note of its Amazon Resource Name (ARN) to use later.
  5. Because OneLogin doesn't allow multiple roles for an AWS relay application, you need a SAML IdP for each Quick Sight persona. Repeat the previous steps for the author and reader applications, uploading the metadata downloaded from the corresponding OneLogin application and giving each provider a distinct name, and note each ARN.

Create Quick Sight roles for OneLogin federated users

In this section, you create IAM SAML 2.0 federation roles. We demonstrate how to provision users in Quick Sight at initial sign-in. You attach permissions in IAM to the roles that authenticated OneLogin users will assume.

You first create the policies and then the corresponding roles for each Quick Sight user type (administrator, author, and reader). Each policy grants only the single self-registration action for its persona; after the user exists in Quick Sight, what they can see and do is governed by Quick Sight permissions, not by the IAM role.

Create IAM policies

Complete the following steps to create your IAM policies:

  1. On the IAM console, under Access management in the navigation pane, choose Policies.
  2. Choose Create policy.
  3. Under Specify permissions, choose JSON, replace the sample policy template with the following code, and choose Next. This policy allows the federated role to register the signing-in user as a Quick Sight admin, and is attached to the administrator role in the following steps.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "quicksight:CreateAdmin",
                "Resource": "*"
            }
        ]
    }

  4. On the Review and create page, enter the name QuickSightOneLoginCreateAdminPolicy and choose Create policy.
  5. Repeat the previous steps to create policies for the author and reader personas using the following JSON code:
    • QuickSightOneLoginCreateAuthorPolicy:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "quicksight:CreateUser",
                  "Resource": "*"
              }
          ]
      }
    • QuickSightOneLoginCreateReaderPolicy:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "quicksight:CreateReader",
                  "Resource": "*"
              }
          ]
      }

Create IAM roles

Create an IAM role for each Quick Sight persona (administrator, author, and reader). Each role trusts the matching OneLogin SAML provider and carries that persona's self-registration policy, so a user is provisioned with the right persona the first time they sign in.

  1. On the IAM console, under Access management in the navigation pane, choose Roles.
  2. Choose Create role.
  3. For Trusted entity type, select SAML 2.0 federation.
  4. In the SAML 2.0 Federation section, for SAML 2.0-based provider, choose the OneLoginQuickSightAdministrator IdP created earlier, and for Access to be allowed, select Allow programmatic and AWS Management Console access.
  5. Choose Next.
  6. Add the permissions created for the Quick Sight administrator profile by searching for and selecting QuickSightOneLoginCreateAdminPolicy, then choose Next.
  7. Under Name, review, and create, enter QuickSightOneLoginAdminRole for Role name, and choose Create role.
  8. Go to the role you just created (QuickSightOneLoginAdminRole) and make a note of its ARN (for example: arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole).
  9. Because OneLogin doesn't allow multiple roles per AWS relay application, you need a SAML role for each Quick Sight profile. Repeat the previous steps to create QuickSightOneLoginAuthorRole and QuickSightOneLoginReaderRole, each trusting the corresponding author or reader IdP and carrying QuickSightOneLoginCreateAuthorPolicy or QuickSightOneLoginCreateReaderPolicy from the previous section. Note each role's ARN.
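The console steps above produce three SAML providers, three policies, and three roles, plus a trust policy that the console writes for you and the post never shows. The following added example (not code from the original post or from AWS) generates all of those documents offline, following the post's naming scheme, so they can be reviewed or fed to `aws iam create-role --assume-role-policy-document file://...` or an IaC tool. The account ID and the author/reader provider names (OneLoginQuickSightAuthor, OneLoginQuickSightReader) are assumptions; the post only names the administrator provider.

```python
# Added example: IAM documents for OneLogin -> Quick Sight federation, built offline.
# Not from the original post. Account id and Author/Reader provider names are assumed.
import json

ACCOUNT_ID = "555555555555"  # illustrative, as in the post's example ARN

# Persona -> the single self-registration action each of the post's policies grants.
PERSONA_ACTIONS = {
    "Administrator": "quicksight:CreateAdmin",
    "Author": "quicksight:CreateUser",
    "Reader": "quicksight:CreateReader",
}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy(provider_arn: str) -> dict:
    """Trust policy the IAM console writes for a SAML 2.0 federation role.
    Only assertions from this one provider, addressed to the AWS sign-in
    audience, may assume the role; dropping the SAML:aud condition widens that."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def permission_policy(persona: str) -> dict:
    """The post's persona policy: one action, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": PERSONA_ACTIONS[persona],
            "Resource": "*",
        }],
    }


def federation_plan(account_id: str = ACCOUNT_ID) -> dict:
    """Names, ARNs and documents for all three personas, following the post's
    naming (QuickSightOneLoginAdminRole, QuickSightOneLoginCreateAdminPolicy,
    OneLoginQuickSightAdministrator). Author/Reader provider names are assumed."""
    plan = {}
    for persona in PERSONA_ACTIONS:
        short = "Admin" if persona == "Administrator" else persona
        provider_arn = f"arn:aws:iam::{account_id}:saml-provider/OneLoginQuickSight{persona}"
        role_name = f"QuickSightOneLogin{short}Role"
        role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
        plan[persona] = {
            "provider_arn": provider_arn,
            "role_name": role_name,
            "role_arn": role_arn,
            "policy_name": f"QuickSightOneLoginCreate{short}Policy",
            "trust_policy": trust_policy(provider_arn),
            "permission_policy": permission_policy(persona),
            # Value for the OneLogin 'Role' parameter: role ARN, comma, provider ARN,
            # both in the same account, no spaces.
            "onelogin_role_value": f"{role_arn},{provider_arn}",
        }
    return plan


if __name__ == "__main__":
    print(json.dumps(federation_plan(), indent=2))
```

The `onelogin_role_value` entries are exactly what the next section asks you to paste into each OneLogin application's Role parameter; generating them from the same variables as the role and provider ARNs avoids the copy-and-paste mismatch (wrong account, stray space) that otherwise surfaces only as a failed AssumeRoleWithSAML.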

Configure the OneLogin application

In this section, you go back to OneLogin to update the applications (Amazon Quick Sight Administrator, Amazon Quick Sight Author, and Amazon Quick Sight Reader) created with the corresponding IAM roles from the previous section.

  1. Log in to OneLogin and access your application dashboard.
  2. Choose the administrator OneLogin application previously created (Amazon Quick Sight Administrator).
  3. Choose Parameters from the navigation pane and update the parameters as follows:
    • For Amazon Username, enter Email.
    • For Role, choose Macro, and for Value enter the QuickSightOneLoginAdminRole ARN and the OneLoginQuickSightAdministrator IdP ARN separated by a comma, with no spaces. The role and the SAML provider must be in the same AWS account. For example: arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole,arn:aws:iam::555555555555:saml-provider/OneLoginQuickSightAdministrator.
    • Under Flags, select Include in SAML assertion.
    • For RoleSessionName, enter Email.
  4. Choose Save.
  5. Add users to the application on OneLogin by going to the Users tab on OneLogin.
  6. Choose the user that requires access to the application.
  7. Choose Applications in the navigation pane.
  8. Choose the plus sign to add an application.
  9. Assign the Amazon Quick Sight Administrator application to your user.
  10. Choose Continue.
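The parameters above become SAML attributes on the wire: `https://aws.amazon.com/SAML/Attributes/Role` carrying `roleArn,providerArn`, `https://aws.amazon.com/SAML/Attributes/RoleSessionName` carrying the email, and an Audience of `urn:amazon:webservices`. When sign-in fails, the quickest diagnosis is to decode the SAMLResponse from a browser capture and check those values. The following added example (not code from the original post or from OneLogin) does that check on a constructed sample assertion; the same Role-value rules apply to the per-user custom field used in the alternate solution later in the post. The sample assertion, account ID and email are constructed for illustration. It inspects attributes only and does not verify the XML signature, so use it for configuration debugging, never to decide whether to trust an assertion.

```python
# Added example: check the AWS-relevant attributes of a decoded SAML assertion.
# Not from the original post. Sample assertion and identifiers are constructed.
import re
import xml.etree.ElementTree as ET  # for attacker-controlled input prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Account id, resource type, name (IAM names allow letters, digits, _+=.@- and paths).
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$")

# Constructed sample, shaped like the assertion OneLogin's AWS connector emits.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/3512905</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:amazon:webservices</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::555555555555:role/QuickSightOneLoginAdminRole,arn:aws:iam::555555555555:saml-provider/OneLoginQuickSightAdministrator</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_role_value(value: str) -> tuple:
    """Validate one Role attribute value; return (role_arn, provider_arn) or raise."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role must be exactly 'roleArn,providerArn'")
    role, provider = parts
    m_role, m_prov = ARN_RE.match(role), ARN_RE.match(provider)
    if not m_role or m_role.group(2) != "role":
        raise ValueError(f"not an IAM role ARN: {role!r}")
    if not m_prov or m_prov.group(2) != "saml-provider":
        raise ValueError(f"not a SAML provider ARN: {provider!r}")
    if m_role.group(1) != m_prov.group(1):
        raise ValueError("role and SAML provider must be in the same account")
    return role, provider


def check_assertion(assertion_xml: str) -> dict:
    """Report audience, Role and RoleSessionName problems. Signature NOT verified."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AWS_AUDIENCE}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    role_values = attrs.get(ROLE_ATTR) or []
    if not role_values:
        problems.append("Role attribute missing (is 'Include in SAML assertion' set?)")
    roles = []
    for value in role_values:
        try:
            roles.append(parse_role_value(value))
        except ValueError as err:
            problems.append(f"bad Role value {value!r}: {err}")
    session_name = (attrs.get(SESSION_ATTR) or [""])[0]
    if not session_name:
        problems.append("RoleSessionName missing or empty")
    return {"ok": not problems, "problems": problems,
            "roles": roles, "session_name": session_name}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

A mismatched account between the role and provider ARNs, a missing Role attribute because the Include in SAML assertion flag was left unchecked, or an empty RoleSessionName each show up here as a named problem instead of a generic AWS sign-in error.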

Set up Quick Sight service provider-initiated SSO

In this section, you set up the service provider-initiated federation with Quick Sight Enterprise edition.

  1. Sign in to the Quick Sight console and choose Manage Quick Sight.
  2. In the navigation pane, choose Single sign-on (SSO).
  3. To turn on the service provider-initiated SSO, select On under Status.
  4. Under Configuration, enter in the following parameters:
    • For IdP URL, enter https://<sub_domain>.onelogin.com/trust/saml2/http-redirect/sso/<app_id>?RelayState=https%3A%2F%2Fquicksight.aws.amazon.com%2Fsn%2Fstart, where:
      • sub_domain is the part of your OneLogin portal URL before .onelogin.com. For example, for https://mycompany.onelogin.com/portal it is mycompany.
      • app_id is the numeric ID in the URL of your Quick Sight application's page in the OneLogin admin console. For example, for https://mycompany.onelogin.com/apps/3512905/edit it is 3512905.
      • A complete example is https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/3512905?RelayState=https%3A%2F%2Fquicksight.aws.amazon.com%2Fsn%2Fstart. The RelayState value is percent-encoded once; enter it exactly as shown.
    • For IdP redirect URL parameter, enter RelayState.
  5. To test the integration, choose Copy under Test starting with your IdP and Test the end-to-end experience and paste the URLs into a browser window that isn’t signed in to Quick Sight.
  6. After you have tested and verified the SSO functionality, choose Save.
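The IdP URL is easy to get subtly wrong: a RelayState that is percent-encoded twice (`%253A` instead of `%3A`), an http scheme, or a path without the app ID all produce a sign-in loop rather than a clear error. The following added example (not code from the original post) builds the URL from sub_domain and app_id exactly as step 4 describes and checks a pasted URL against that shape, including that the RelayState decodes to the Quick Sight start page. The example values mycompany and 3512905 are the post's illustrative ones; the assumptions that the subdomain is a single lowercase label and that the app ID is numeric are mine.

```python
# Added example: build and sanity-check the OneLogin IdP URL for SP-initiated SSO.
# Not from the original post. Subdomain and app-id shape are assumptions.
import re
from urllib.parse import urlsplit, parse_qs, quote

QUICKSIGHT_START = "https://quicksight.aws.amazon.com/sn/start"


def build_idp_url(sub_domain: str, app_id: str, relay_state: str = QUICKSIGHT_START) -> str:
    """Percent-encode the RelayState exactly once, as the post's example shows."""
    return (f"https://{sub_domain}.onelogin.com/trust/saml2/http-redirect/sso/{app_id}"
            f"?RelayState={quote(relay_state, safe='')}")


def check_idp_url(url: str) -> dict:
    """Return the parts found plus a list of problems; 'ok' is True only if empty."""
    problems = []
    u = urlsplit(url)
    if u.scheme != "https":
        problems.append("IdP URL must use https")
    labels = (u.hostname or "").split(".")
    sub_domain = labels[0] if len(labels) == 3 else None
    if labels[1:] != ["onelogin", "com"] or not sub_domain or not re.fullmatch(r"[a-z0-9-]+", sub_domain):
        problems.append(f"host {u.hostname!r} is not <sub_domain>.onelogin.com")
    m = re.fullmatch(r"/trust/saml2/http-redirect/sso/(\d+)", u.path)
    if not m:
        problems.append(f"path {u.path!r} is not /trust/saml2/http-redirect/sso/<app_id>")
    # parse_qs decodes once; a double-encoded value decodes to 'https%3A%2F%2F...' and fails here.
    relay = parse_qs(u.query).get("RelayState", [""])[0]
    if relay != QUICKSIGHT_START:
        problems.append(f"RelayState decodes to {relay!r}, expected {QUICKSIGHT_START} "
                        "(double-encoded, or pointing somewhere other than Quick Sight?)")
    return {"ok": not problems, "problems": problems, "sub_domain": sub_domain,
            "app_id": m.group(1) if m else None, "relay_state": relay}


if __name__ == "__main__":
    url = build_idp_url("mycompany", "3512905")
    print(url)
    print(check_idp_url(url))
```

Run `check_idp_url` on the value you are about to paste into the IdP URL field; the RelayState check also catches a value that has been edited to redirect users somewhere other than Quick Sight after authentication.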

Access Quick Sight using OneLogin SSO

In this section, you access Quick Sight using the OneLogin applications and SSO.

  1. Log in to your organization's OneLogin page, for example, https://<sub_domain>.onelogin.com/portal.

  2. There are two options to access Quick Sight:
    • For the first option, open the Quick Sight sign-in page, https://us-east-1.quicksight.aws.amazon.com/sn/auth/signin?enable-sso=1, which redirects you to OneLogin through the IdP URL configured in the previous section.
    • For the second option, go to your OneLogin application page and choose the Quick Sight application created previously.
  3. Enter the OneLogin user’s email address to access Quick Sight.
  4. Choose Continue.

Alternate solution

This post shows you how to integrate OneLogin as your IdP using IAM roles to enable SSO to Quick Sight. This solution creates three OneLogin applications, one for each Quick Sight role that you want to assign to users. You then assign users to the corresponding OneLogin application. There’s an alternative solution if you want to create a single OneLogin application. This alternative solution follows the same process with a few changes. To have a single OneLogin application to manage, you need to add the ARN for the desired Quick Sight role and the ARN for the SAML provider for each user in OneLogin.

Make the following changes for the alternate solution:

  1. Create a single OneLogin application instead of three.
  2. For each OneLogin user profile, create a custom field named Role and enter the user's Quick Sight role ARN, then a comma, then the SAML provider ARN, with no spaces and both in the same account. For example: arn:aws:iam::555555555555:role/<role-name>,arn:aws:iam::555555555555:saml-provider/<provider-name>.
  3. In the application parameters, add a field named Role as before, but set its value to the custom field Role so that the role is taken from the user's profile rather than from the application.

Clean up

When done, clean up the resources created to avoid future charges.

  1. Delete your Quick Sight subscription. This removes all Quick Sight assets in the account, so skip this step if the account is in use.
  2. Delete the following IAM policies:
    • QuickSightOneLoginCreateAdminPolicy
    • QuickSightOneLoginCreateAuthorPolicy
    • QuickSightOneLoginCreateReaderPolicy
  3. Delete the following IAM roles:
    • QuickSightOneLoginAdminRole
    • QuickSightOneLoginAuthorRole
    • QuickSightOneLoginReaderRole
  4. Delete the OneLogin SAML identity providers (one per persona) in IAM.
  5. Delete the Quick Sight applications in OneLogin.

Conclusion

By integrating Quick Sight with OneLogin, organizations can benefit from the following:

  • Centralized identity management through OneLogin for applications, including Quick Sight
  • Improved security posture by inheriting strong authentication policies from OneLogin
  • Better user experience with single sign-on instead of separate Quick Sight credentials
  • Reduced IT operational overhead by eliminating separate Quick Sight user provisioning

Federated access to Quick Sight with OneLogin as the IdP enables organizations to securely scale their business analytics while streamlining access management and improving the user experience.

If you have questions or feedback, leave a comment. For additional discussion and help getting answers to your questions, visit the Quick Sight Community.


About the Authors

Sean Bjurstrom is a Technical Account Manager in ISV accounts at Amazon Web Services, where he specializes in analytics technologies and draws on his background in consulting to support customers on their analytics and cloud journeys. Sean is passionate about helping businesses harness the power of data to drive innovation and growth. Outside of work, he enjoys running and has participated in several marathons.

Seun Akinyosoye is a Sr. Technical Account Manager supporting public sector customers at Amazon Web Services. Seun has a background in analytics and data engineering, which he uses to help customers achieve their outcomes and goals. Outside of work, Seun enjoys spending time with his family, reading, traveling, and supporting his favorite sports teams.

Anupa Bhattacharyya is an Enterprise Support Lead in CIENG at Amazon Web Services, where she guides Enterprise customers through their cloud journey. With over 15 years of experience in data and analytics, she excels in defining strategic initiatives for enterprise customers. Outside of work, she enjoys painting, traveling, family time, and savoring new cuisines.


This is a companion discussion topic for the original entry at https://aws.amazon.com/blogs/business-intelligence/federate-amazon-quicksight-access-with-onelogin/