Quick Sight authentication based on OpenIdConnect

My end goal is that my users click on the Quicksight app from my private identity provider (IDP). The IDP is compatible with the OpenID Connect standards.

For that, I created an identity provider in AWS IAM, which has a trust relationship with the client_id of the application in my IDP.

I already pre-register my Quicksight users with the OIDC parameters (custom_oidc, oidc_url and external-login-id, which is the sub claim from the JWT token).

Here's an example:

```shell
aws quicksight register-user --aws-account-id 111222333 --namespace my-non-default-namespace \
  --email identity-user@amazon.com --user-role AUTHOR --identity-type IAM \
  --iam-arn arn:aws:iam::111222333:role/CustomIdentityQuickSightRoleForAllClients \
  --session-name unique-email \
  --external-login-federation-provider-type CUSTOM_OIDC \
  --custom-federation-provider-url my-private-idp-link \
  --external-login-id 12345678-1234-1234-abc1-a1b1234567 \
  --region eu-west-1
```

After that, I created an API gateway (integrated with a lambda function) in order to start the OIDC flow, where I'll end up having a JWT token from my IDP. I'm exchanging my id_token for IAM credentials using the STS service. I then build a URL with the AWS credentials to Quicksight using this piece of code:

```shell
# Exchange the temporary STS credentials for a federation sign-in token
signin_token=$(curl -s "https://signin.aws.amazon.com/federation" \
  --data-urlencode "Action=getSigninToken" \
  --data-urlencode "Session=$(jq -c -n --arg a "$AWS_ACCESS_KEY_ID" --arg b "$AWS_SECRET_ACCESS_KEY" --arg c "$AWS_SESSION_TOKEN" '{sessionId:$a,sessionKey:$b,sessionToken:$c}')" \
  | jq -r '.SigninToken')

# URL-encode the Quicksight console URL for the Destination parameter
login_url=$(python - <<'PY'
import urllib.parse
print(urllib.parse.quote("https://eu-west-3.quicksight.aws.amazon.com/", safe=""))
PY
)

url="https://signin.aws.amazon.com/federation?Action=login&Issuer=example&Destination=$login_url&SigninToken=$signin_token"
echo "$url"
```

When testing this, I end up with a Quicksight page asking me for an email.

Is this normal behavior? How can I connect to my Quicksight interface in that namespace without specifying an email? I believe that it'll create a new user instead of the already pre-registered one!

Hi @ilyasse,

Hope everything is well. I wonder if this behavior could be occurring because of how QuickSight handles session authentication. I would definitely recommend checking that the session name in your AWS CLI command matches the one in STS. If that is already the case, please feel free to let me know and we can look into other possible reasons!

Thank you!

Hello @WLS-Luis,

I hope you’re doing well.

If I understand correctly, the session_name of the Quicksight registered user should match the one in the STS call, right?

Hi @ilyasse,

Yes it should!
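The check suggested above, written out as an added Python example (this is not code from the post, from the reply, or from AWS): it builds the same federation `Session` document and login URL that the shell snippet in the question produces, and it compares the session name in the `AssumedRoleUser.Arn` that STS returns against the `--session-name` given to `register-user`. The STS response, credentials and sign-in token below are constructed sample values; the assumption that an IAM-role QuickSight user is looked up as `RoleName/SessionName` is mine and should be confirmed against the account being debugged.

```python
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Constructed sample of what AssumeRoleWithWebIdentity returns (values are placeholders).
SAMPLE_STS_RESPONSE = {
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::111222333:assumed-role/CustomIdentityQuickSightRoleForAllClients/unique-email"
    },
    "Credentials": {
        "AccessKeyId": "ASIA-PLACEHOLDER",
        "SecretAccessKey": "SECRET-PLACEHOLDER",
        "SessionToken": "SESSION-TOKEN-PLACEHOLDER",
    },
}


def build_session_json(access_key_id, secret_access_key, session_token):
    """Session document for Action=getSigninToken (same keys as the jq call in the question)."""
    doc = {"sessionId": access_key_id, "sessionKey": secret_access_key, "sessionToken": session_token}
    return json.dumps(doc, separators=(",", ":"))


def build_get_signin_token_url(session_json):
    """GET form of the getSigninToken request; urlencode percent-encodes the JSON document."""
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "getSigninToken", "Session": session_json}
    )


def build_login_url(signin_token, destination, issuer="example"):
    """Final console URL; Destination is encoded exactly once, the endpoint decodes it."""
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token}
    )


def login_url_params(url):
    """Decode the query string back into single values, to verify the encoding round-trips."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def split_assumed_role_arn(arn):
    """arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName -> (RoleName, SessionName)."""
    resource = arn.split(":", 5)[5]
    parts = resource.split("/")
    if len(parts) != 3 or parts[0] != "assumed-role":
        raise ValueError("not an assumed-role ARN: " + arn)
    return parts[1], parts[2]


def expected_quicksight_user_name(assumed_role_arn):
    """Assumption: an IAM-role QuickSight user is addressed as RoleName/SessionName."""
    role_name, session_name = split_assumed_role_arn(assumed_role_arn)
    return role_name + "/" + session_name


def session_name_matches(sts_response, registered_session_name):
    """True when the STS session name equals the --session-name used with register-user."""
    _, session_name = split_assumed_role_arn(sts_response["AssumedRoleUser"]["Arn"])
    return session_name == registered_session_name


if __name__ == "__main__":
    creds = SAMPLE_STS_RESPONSE["Credentials"]
    session_json = build_session_json(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    print(build_get_signin_token_url(session_json))
    print(build_login_url("SIGNIN-TOKEN-PLACEHOLDER", "https://eu-west-3.quicksight.aws.amazon.com/"))
    print("QuickSight user looked up as:", expected_quicksight_user_name(SAMPLE_STS_RESPONSE["AssumedRoleUser"]["Arn"]))
    print("session name matches register-user:", session_name_matches(SAMPLE_STS_RESPONSE, "unique-email"))
```

If `session_name_matches` returns False, the federated login lands in QuickSight as a user that was never registered, which is consistent with the email prompt described in the question; the fix is to pass the same session name to AssumeRoleWithWebIdentity (RoleSessionName) that was used with `--session-name`.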

Hi @ilyasse, we hope this solution worked for you. Let us know if this is resolved. And if it is, please help the community by marking this answer as a "Solution" (check box under the reply).