I am working on a project where I need to configure authentication from 2 identity providers (Okta and Entra ID) to 1 instance of Amazon Quick Sight. From what I have read, I understand that this should be possible using Identity Provider Initiated (IdP-initiated) SSO?
Some background on our setup… We have a single AWS Organization, and within this Organization we manage many customers' infrastructure, which is hosted in many AWS Member Accounts.
I was under the impression that with IAM Identity Center (formerly AWS SSO) you could only federate with 1 external IdP, which we already have. So therefore we would not be able to federate with additional IdPs for the purposes of Quick Sight?
To test for multiple IdPs, we are attempting to create Enterprise apps in 2 separate Entra IDs to federate with an IAM IdP at an AWS account level. This works for a single IdP, but I am not sure whether it will work for multiple IdPs…?
Are there any other options for multiple IdP federation that I am not aware of?
Hi @Simon_Barnes - Thanks for the question. Welcome to the community.
There are 2 possible flows:
Identity Provider Initiated (IdP-initiated) SSO
User logs into the IdP portal.
The Quick Sight application is configured there.
User is redirected to the Quick Sight homepage when it is clicked.
Service Provider Initiated (SP-initiated) SSO
Quick Sight can also be configured for SP-initiated sign-on in the Enterprise edition. This setup enables Quick Sight to redirect the user to authenticate with the IdP first before granting access to the Quick Sight resources.
With Identity Provider Initiated (IdP-initiated) SSO, you can have users from multiple IdPs logging into 1 Quick Sight account.
With Service Provider Initiated (SP-initiated) SSO, it is indirectly possible to configure multiple SSO providers via an intermediate dummy application landing page. The Quick Sight SSO configuration can point to this dummy application page. This dummy page can have redirection code/logic to point to the correct IdPs (e.g. the dummy application page redirects to the appropriate IdP, authenticates based on user attributes like email ID/username, and relays the user back to Quick Sight on successful login).
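The domain-based routing logic that the answer above describes for the dummy landing page, as an added example in Python (not code from the original post, from AWS, or from the IdP vendors). The domains and IdP SSO URLs are constructed placeholders, and carrying a RelayState that is checked against an allow-list of Quick Sight hosts is an assumption about how the landing page returns the user to Quick Sight; only configured IdP URLs are ever used as redirect targets.

```python
from urllib.parse import urlencode, urlsplit

# Constructed mapping of e-mail domains to IdP-initiated SSO entry points.
# Domains and URLs are placeholders, not real Okta or Entra ID tenants.
IDP_BY_DOMAIN = {
    "okta-tenant.example": "https://okta-tenant.okta.example/app/quicksight/sso/saml",
    "entra-tenant.example": "https://login.entra.example/TENANT-ID-PLACEHOLDER/saml2",
}

# The only destinations the landing page may relay users back to after login
# (placeholder Quick Sight hosts). A caller-supplied host is never trusted,
# which keeps the landing page from acting as an open redirector.
ALLOWED_RELAY_HOSTS = {"quicksight.aws.amazon.com", "us-east-1.quicksight.aws.amazon.com"}
DEFAULT_RELAY = "https://quicksight.aws.amazon.com/sn/start"


def email_domain(identifier):
    """Lower-cased domain of an e-mail style username, or None if malformed."""
    local, sep, domain = identifier.strip().lower().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain


def safe_relay_state(relay_state):
    """Return relay_state only if it is an https URL on an allowed Quick Sight host."""
    if not relay_state:
        return DEFAULT_RELAY
    parts = urlsplit(relay_state)
    if parts.scheme == "https" and parts.hostname in ALLOWED_RELAY_HOSTS:
        return relay_state
    return DEFAULT_RELAY  # unknown or non-https target: fall back to the start page


def choose_idp_redirect(identifier, relay_state=None):
    """Home-realm discovery for the landing page: map the user's e-mail domain to
    its configured IdP and build the redirect URL, attaching a validated
    RelayState so the IdP returns the user to Quick Sight after authentication.
    Returns None when the domain is malformed or not federated, so the caller
    can show a generic error rather than redirecting anywhere."""
    domain = email_domain(identifier)
    if domain is None or domain not in IDP_BY_DOMAIN:
        return None
    query = urlencode({"RelayState": safe_relay_state(relay_state)})
    return f"{IDP_BY_DOMAIN[domain]}?{query}"
```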