How to configure Identity Provider Initiated (IdP-initiated) SSO from Multiple Identity Providers

Hello everyone

I am working on a project where I need to configure authentication from 2 identity providers (Okta and Entra ID) to 1 instance of Amazon QuickSight. From what I have read, I understand that this should be possible using Identity Provider Initiated (IdP-initiated) SSO?

Some background on our setup… We have a single AWS Organization and within this Organization we manage many customers infrastructure, which are hosted in many AWS Member Accounts.

I was under the impression that with IAM Identity Center (formerly AWS SSO) you could only federate with 1 external IdP, which we already have. So therefore we would not be able to federate with additional IdPs for the purposes of QuickSight?

To test for multiple IdPs, we are attempting to create Enterprise apps in 2 separate Entra IDs to federate with an IAM IdP at an AWS account level, this works for a single IdP, not sure whether this will work for Multiple IdPs…?

Are there any other options for multiple IdP federation that I am not aware of?

Many Thanks

Hi @Simon_Barnes - Thanks for the question. Welcome to the community.

There are 2 possible flows :

Identity Provider Initiated (IdP-initiated) SSO

User logs into the IDP Portal
QuickSight application is configured
User is redirected to QuickSight homepage when clicked .

Service Provider Initiated (SP-initiated) SSO

QuickSight can also be configured for SP-initiated sign-on in the Enterprise edition. This setup enables QuickSight to redirect the user to authenticate with the IdP first before granting access to the QuickSight resources.

If Identity Provider Initiated (IdP-initiated) SSO > You can have users from multiple IDP’s logging into 1 QuickSight account.

If Service Provider Initiated (SP-initiated) SSO > It is indirectly possible to configure multiple SSO provider via intermediate dummy application landing page. QuickSight SSO configuration can be pointing to this dummy application page. This dummy page can have redirection code-logic to point to correct IDPs. (E.g. this dummy application page will redirect to appropriate IDP, authenticate based on user-attributes like emailID/username and relay user back to QuickSight on successful login).

This blog walks through the steps to map three identity sources with identity center.