How to authenticate users into AWS Quick Sight Q via embedded URL using third-party IdP (Auth0)?

Question:

I’m working on integrating a third-party Identity Provider (IdP) with AWS Quick Sight Q. The IdP is already configured for SSO through Auth0. My goal is to share Quick Sight Q embedding URLs with users and have them authenticated via our existing IdP setup.

Currently, I have the following components in place:

  • Auth0 handling authentication and acting as the intermediary IdP
  • Third-party IdP already integrated into Auth0
  • Users authenticated successfully into our apps via Auth0
  • AWS Quick Sight Q enabled and accessible internally

Now I want to understand:

What are all the possible ways to authenticate users into Quick Sight Q when they access the embedding URL (e.g., embedded search bar)?

Specifics I’m looking for:

  • Any code or no-code approaches available
  • Integration steps or examples for SAML/OpenID Connect, federated roles, or direct embedding
  • How to provision users (if needed) before generating embedding URLs
  • Best practices to ensure a seamless, secure authentication experience

Any guidance, best practices, or working examples would be hugely appreciated.

@Francis_Joel ,

The workshop on user-based embedding would answer your questions.

The concept should ideally help you develop a solution for your requirements.

Kind regards,
Koushik

From what I understand, Quick Sight supports multiple authentication strategies for registered users, such as:

  • Using Quick Sight as the identity provider (managing users directly),
  • IAM federation via SAML with an external IdP (e.g., Auth0, Okta),
  • IAM Identity Center (formerly AWS SSO).

Given these options, what would be the best approach for authentication in terms of security, scalability, and minimizing administrative overhead?

Also, I came across the RegisterUser API operation. My question is:

  • If I use SSO via IAM Identity Center or a SAML-based IdP, can I avoid calling RegisterUser, since those users are federated or automatically provisioned?
  • Do these SSO methods support automatic user provisioning upon first login?
  • How do trust policies play a role in this, especially when using an external IdP like Auth0?

I’d appreciate any guidance on how to choose the most appropriate method for embedding Quick Sight in customer apps with registered users.

Hi @Francis_Joel

When Quick Sight is the IdP, you call RegisterUser (or use the AWS CLI/API) to create each user.

For SAML-based federation (external IdP, e.g., Auth0, Okta), you configure a SAML identity provider in IAM, create a trust-policy IAM role for Quick Sight, and point Quick Sight’s SSO settings at your IdP’s metadata or login URL.

Please refer to the Quick Sight documentation and community post below; this might be helpful for you.

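An added example, not part of the thread or of AWS documentation: the pieces named in the answer above (the SAML trust policy on the IAM role, a RegisterUser call for an IAM-federated user, and the embed URL request for the Q search bar) written as request builders. The account ID, region, provider name, role name, email, topic ID and domain are constructed placeholders, and it assumes the IdP sends the user's email as the SAML RoleSessionName.

```python
import json

# Constructed placeholders, not values from the thread.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"                 # assumed Quick Sight identity region
SAML_PROVIDER = "Auth0"              # assumed name of the IAM SAML provider
ROLE_NAME = "QuickSightReaderRole"   # assumed IAM role that federated users assume

def saml_trust_policy(account_id, provider_name):
    """Only this SAML provider, with the AWS sign-in audience, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }

def register_user_request(email, namespace="default"):
    """Parameters for RegisterUser; SessionName must equal the SAML RoleSessionName."""
    return {
        "AwsAccountId": ACCOUNT_ID, "Namespace": namespace,
        "IdentityType": "IAM", "UserRole": "READER", "Email": email,
        "IamArn": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}",
        "SessionName": email,
    }

def embed_url_request(email, topic_id, allowed_domain, namespace="default"):
    """Parameters for GenerateEmbedUrlForRegisteredUser (Q search bar)."""
    if not allowed_domain.startswith("https://"):
        raise ValueError("embed only into an HTTPS origin")
    user = f"user/{namespace}/{ROLE_NAME}/{email}"  # IAM-federated user: role/session
    return {
        "AwsAccountId": ACCOUNT_ID,
        "UserArn": f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:{user}",
        "SessionLifetimeInMinutes": 15,        # shortest lifetime the API accepts
        "ExperienceConfiguration": {"QSearchBar": {"InitialTopicId": topic_id}},
        "AllowedDomains": [allowed_domain],    # pin the URL to one hosting origin
    }

if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER), indent=2))
    print(json.dumps(register_user_request("alice@example.com"), indent=2))
```

With AWS credentials in place, the dictionaries can be passed as keyword arguments to the boto3 `quicksight` client's `register_user` and `generate_embed_url_for_registered_user` methods.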