Quicksight login with Cognito?


I have been trying to find information about how to use Cognito user pool to manage users and use Cognito for logging into Quicksight. I managed to find an AWS workshop where such thing is implemented for Embed Dashboards, but this is not what I was looking for. Instead, I would like to let users log into Quicksight with Cognito.

Has anyone managed to get this working? There are some scattered information available but nothing I can follow. Do I need to enable SSO in Quicksight and point it to Cognito? Can’t figure this out, there are examples for other services (like Auth0) but not for Cognito. What to put into those SSO idp urls?
Or is this possible at all with Cognito? Do I need to use Auth0 instead?

If I create app for quicksight in Cognito there are those redirect, etc. URLs needed. Can’t figure out what to put into those either.

Also, create-user API seems to have some Cognito related attributes in it and some stuff about it asked here: Cognito users cannot access Quicksight

I guess I also need WebIdentity role for the Cognito pool?

So confusing…

Hi Ptka,

When using open id connect identity sources like Cognito, you will need a custom intermediate page to configure the SSO flow.

This intermediate page should do the following

  1. Check if the user is authenticated and if not, send the user to Cognito user pool’s sign in url with the intermediate page’s url provided as redirect url. (So that user returns to it after authentication)
  2. Register user in QuickSight if not already registered. Be sure to include the additional parameters - ExternalLoginFederationProviderType, CustomFederationProviderUrl, ExternalLoginId - while registering users into QuickSight to keep access secure.
  3. Assume the federated role (using STS / Cognito Identity APIs).
  4. Use the above role credentials and make a request to AWS federation end point to get a sign-in token.
  5. Use the token to generate a QuickSight console url.
  6. Have browser redirected to the above url.
    (Process steps 2-5 on server side for added safety)

Sample code for the federation end point requests is available at Enabling custom identity broker access to the AWS console - AWS Identity and Access Management

Arun Santhosh

Thanks. Hopefully this is useful to someone else too.