Multiple SSO IDP providers with custom namespaces

We have different environments like dev, test, and prod, each with its own IDP/SSO provider. How can we configure these IDP providers?
We are planning to use namespaces, but I see only one SSO config.

Hmm, I don’t know if that is possible. Have you taken a look at this?

Hi @rsinghal12 ,

You can configure a single IDP SSO in Quick Sight. If users are accessing Quick Sight using the following: https://quicksight.aws.amazon.com/, they will be redirected to the SSO configured.

Accessing namespaces is possible only through federation; in this scenario, pre-register the users in the namespaces required.
Using the Okta example (Tutorial: Amazon QuickSight and IAM identity federation - Amazon QuickSight):

  1. Okta as IDP and the users are part of a namespace (e.g. Customer1).

  2. Pre-register the users (RegisterUser - Amazon QuickSight) in the namespace (Customer1).

  3. Example Register API executed with the output

  4. From the Okta portal, when a user clicks on the Quick Sight application, the user will be taken to the Quick Sight page for the namespace (Customer1).

1 Like

Hi @Koushik_Muthanna

In order to have multiple IDP/SSO, the only solution is to have multiple AWS accounts?

Thanks for the examples.

Hi @rsinghal12 ,

There are 2 possible flows:

Identity Provider Initiated (IdP-initiated) SSO

User logs into the IDP Portal
Quick Sight application is configured
User is redirected to the Quick Sight homepage when clicked.

Service Provider Initiated (SP-initiated) SSO

Quick Sight can also be configured for SP-initiated sign-on in the Enterprise edition. This setup enables Quick Sight to redirect the user to authenticate with the IdP first before granting access to the Quick Sight resources.

If Identity Provider Initiated (IdP-initiated) SSO > You can have users from multiple IDPs logging into 1 Quick Sight account.

If Service Provider Initiated (SP-initiated) SSO > You can configure only 1 IDP in the Quick Sight account.

1 Like

Even in the SP-initiated flow, it is indirectly possible to configure multiple SSO providers via an intermediate dummy application landing page. The Quick Sight SSO configuration can be with this dummy application page. This dummy page has redirection code logic to point to the correct IDPs. (E.g. this dummy application page will redirect to the appropriate IDP, authenticate based on user attributes like email ID/username, and relay the user back to Quick Sight on successful login.)

1 Like
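
The routing step of the landing page described in the last reply, as an added example (not code from this thread or from AWS). The domain-to-IDP map, the IDP start URLs, and the assumption that each IDP start URL accepts a RelayState query parameter are all constructed placeholders; the email domain only selects which IDP to send the user to, and authentication still happens at that IDP.

```python
from urllib.parse import urlencode, urlsplit

# Constructed placeholders: one IDP start URL per environment's email domain.
IDP_BY_DOMAIN = {
    "dev.example.com": "https://idp-dev.example.com/sso/quicksight",
    "test.example.com": "https://idp-test.example.com/sso/quicksight",
    "example.com": "https://idp-prod.example.com/sso/quicksight",
}
QUICKSIGHT_HOST = "quicksight.aws.amazon.com"  # host quoted in the thread
DEFAULT_RELAY = f"https://{QUICKSIGHT_HOST}/"


def safe_relay_state(target):
    """Return target only if it is an https URL on the Quick Sight host.

    Anything else falls back to the Quick Sight home page, so the landing
    page cannot be used as an open redirect.
    """
    if not target or "\\" in target:  # browsers may treat "\" as "/"
        return DEFAULT_RELAY
    try:
        parts = urlsplit(target)
        ok = (parts.scheme == "https"
              and parts.hostname == QUICKSIGHT_HOST
              and parts.username is None          # no user@host tricks
              and parts.port in (None, 443))
    except ValueError:  # malformed authority or port
        ok = False
    return target if ok else DEFAULT_RELAY


def route_login(email, relay_state=None):
    """Build the redirect URL to the IDP that owns this email domain.

    Returns None for malformed addresses and unknown domains, so the
    caller shows an error page instead of guessing an IDP.
    """
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or domain not in IDP_BY_DOMAIN:
        return None
    query = urlencode({"RelayState": safe_relay_state(relay_state)})
    return f"{IDP_BY_DOMAIN[domain]}?{query}"
```
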