Provisioning & Invite SSO users


We’d like to share dashboards with SSO users.

1/ Can we invite an SSO user from the “Manage users” page so that he knows that he can access QuickSight?
2/ Is there a way to create the SSO user in QuickSight before he logs in to QuickSight the first time? Or is it always Just In Time Self Provisioning?

In fact we’d like to do the following workflow:

  • create a user (that will use SSO to log in)
  • add him to a specific group
  • send an invitation to him

Is it possible?

Hi @spahlala ,

You can pre-provision/pre-create users in QuickSight using API/CLI commands. However, SSO users cannot be created using the QuickSight console.

When setting up SSO, your users would assume an IAM role, along with a session name. This combination becomes the QuickSight username when they navigate to QuickSight.

For example:
IAM Role: ProdQSAccess, Session Name: raj - would result in a QuickSight user ‘ProdQSAccess/raj’ when the user accesses QuickSight after federation/SSO. You can create this user before they log in using the RegisterUser API.

The RegisterUser API accepts an ‘IamArn’ parameter, which you can pass as ‘ProdQSAccess’, and a ‘SessionName’ parameter as ‘raj’, which would create the QuickSight user ‘ProdQSAccess/raj’ (based on the above example).

Once the user is created, you can programmatically add them to a specific group. Please note that RegisterUser API/CLI does not automatically send an invitation email to that user. It returns an invitation URL that you can email them manually or programmatically (possibly using AWS SES service).
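
The three-step workflow from this thread (register, add to group, email a link), as an added example that is not code from the thread or from AWS. It uses the boto3 `register_user`, `create_group_membership` and SES `send_email` calls; the account ID, role ARN, group name, addresses and the `sso_login_url` parameter are constructed placeholders and assumptions.

```python
"""Added example: pre-provision an SSO (IAM-federated) QuickSight user."""


def provision_sso_user(qs, ses, *, account_id, role_arn, session_name, email,
                       group, sender, sso_login_url, namespace="default"):
    """Register the user, add them to a group, then email an access link.

    qs / ses are boto3 "quicksight" and "ses" clients (or test doubles).
    sso_login_url is an assumed parameter: your IdP's sign-in link.
    """
    resp = qs.register_user(
        AwsAccountId=account_id, Namespace=namespace,
        IdentityType="IAM",
        IamArn=role_arn,            # full ARN of the federated role
        SessionName=session_name,   # must equal the session name the IdP sends
        Email=email,
        UserRole="READER",          # least privilege for dashboard viewers
    )
    user_name = resp["User"]["UserName"]
    # A mismatch here means SSO logins would self-provision a second user.
    expected = f"{role_arn.rsplit('/', 1)[-1]}/{session_name}"
    if user_name != expected:
        raise RuntimeError(f"unexpected user name {user_name!r}, wanted {expected!r}")

    qs.create_group_membership(AwsAccountId=account_id, Namespace=namespace,
                               GroupName=group, MemberName=user_name)

    # The response may carry no UserInvitationUrl; fall back to the SSO link.
    link = resp.get("UserInvitationUrl") or sso_login_url
    ses.send_email(
        Source=sender,
        Destination={"ToAddresses": [email]},
        Message={"Subject": {"Data": "Your QuickSight access"},
                 "Body": {"Text": {"Data": f"Sign in here: {link}"}}},
    )
    return user_name, link


if __name__ == "__main__":
    import boto3  # needs AWS credentials; all values below are constructed
    print(provision_sso_user(
        boto3.client("quicksight"), boto3.client("ses"),
        account_id="111122223333",
        role_arn="arn:aws:iam::111122223333:role/ProdQSAccess",
        session_name="raj", email="raj@example.com", group="dashboard-viewers",
        sender="bi-team@example.com",
        sso_login_url="https://sso.example.com/quicksight",
    )[0])
```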