Multiple SSO idp providers with custom namespaces

rsinghal12 · December 13, 2022, 7:43pm

We have different environments like dev,test, prod each with it’s own IDP/SSO provider. How can we configure these IDP providers.
We are planning to use namespaces but the I see only one SSO config.

Max · December 13, 2022, 9:55pm

Hmm, I don’t know if that is possible. Have you taken a look at this?

Koushik_Muthanna · December 14, 2022, 9:12am

Hi @rsinghal12 ,

You can configure a single IDP SSO in QuickSight. If users are accessing QuickSight using the following : https://quicksight.aws.amazon.com/ , they will re-directed to the SSO configured.

Accessing namespaces is possible only through federation , in this scenario pre-register the users in the namespaces required.
Using the Okta example ( Tutorial: Accessing Amazon QuickSight using Okta SSO - Amazon QuickSight)

Okta as IDP and the users are part of a namespace (eg : Customer1 ).
Pre-register the users ( RegisterUser - Amazon QuickSight ) in the namespace (Customer1) .
Example Register API executed with the output

image (1)2080×536 124 KB
From the Okta portal, when an user clicks on the QuickSight application, the user will be taken to QuickSight page for namespace(Customer1).

rsinghal12 · December 14, 2022, 1:38pm

Hi @Koushik_Muthanna

In order to have multiple IDP/SSO, only solution is to have multiple AWS accounts?

Thanks for the examples?

Koushik_Muthanna · December 14, 2022, 4:39pm

Hi @rsinghal12 ,

There are 2 possible flows :

Identity Provider Initiated (IdP-initiated) SSO

User logs into the IDP Portal
QuickSight application is configured
User is redirected to QuickSight homepage when clicked .

Service Provider Initiated (SP-initiated) SSO

QuickSight can also be configured for SP-initiated sign-on in the Enterprise edition. This setup enables QuickSight to redirect the user to authenticate with the IdP first before granting access to the QuickSight resources.

If Identity Provider Initiated (IdP-initiated) SSO > You can have users from multiple IDP’s logging into 1 QuickSight account.

If Service Provider Initiated (SP-initiated) SSO > You can configure only 1 IDP in the QuickSight account.

AnwarAli · April 28, 2023, 6:37pm

Even in SP initiated flow, indirectly possible to configure multiple SSO provider via intermediate dummy application landing page. QuickSight SSO configuration can be with this dummy application page. This dummy page has redirection code-logic to point to correct IDPs. (E.g. this dummy application page will redirect to appropriate IDP, authenticate based on user-attributes like emailID/username and relay user back to QuickSight on successful login).