I tried to enable SSO for QuickSight, but when testing for the end-to-end experience in incognito mode, I got stuck at this screen, which kept loading forever.
What I did to get this SSO working is:
1. Prerequisite
- Having Quicksight ADMIN permissions
- AWS account ADMIN access on which Quicksight is hosted
- ANT groups for each tier of access that needs to be provided (Reader, User/Writer, Admin)
2. Create Identity Provider (using the metadata from the Federate profile to create a provider in IAM), naming it federateQuickSight
3. Create three IAM policies that give different tiers of QuickSight permissions (quicksight:CreateReader, quicksight:CreateUser, quicksight:CreateAdmin)
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:CreateReader"
      ],
      "Resource": [
        "arn:aws:quicksight::myaccountid:user/${aws:userid}"
      ]
    }
  ]
}
replacing myaccountid with my real AWS account ID.
4. Create 3 IAM roles (for the three tiers of access), select SAML 2.0 Federation as the trusted entity type and choose the Identity Provider created above, naming them AdminRole, AuthorRole and ReaderRole respectively
5. Follow the Amazon Federate Onboarding
a. In Allowed Groups, allow three ANT groups created in the prerequisites (ANT Group 1, ANT Group 2, ANT Group 3)
b. The claims configuration is as follows.
The first three claims are pre-populated; I then added two additional claims.
o Claim 4:
- Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
- Claim type: FederateUserAttribute
- FederateUserAttribute: EMAIL
- Code:
  {
    "customName": "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email",
    "federateAttribute": "EMAIL"
  }
o Claim 5:
- Name: https://aws.amazon.com/SAML/Attributes/Role
- Claim Type: Group to Role/IdP ARN mapping
- GroupType: ANT
- Representation: LIST
- Code:
  {
    "customMapper": [
      {
        "customKey": "ANT Group 1",
        "customValueList": [
          "arn:aws:iam::myaccountID:role/AdminRole,arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
        ]
      },
      {
        "customKey": "ANT Group 2",
        "customValueList": [
          "arn:aws:iam::myaccountID:role/ReaderRole,arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
        ]
      },
      {
        "customKey": "ANT Group 3",
        "customValueList": [
          "arn:aws:iam::myaccountID:role/AuthorRole,arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
        ]
      }
    ],
    "customName": "https://aws.amazon.com/SAML/Attributes/Role",
    "customValue": "AD_GROUPS",
    "attributeType": "LIST"
  }
- Submitted, got auto-approved and pasted the link into SSO in QuickSight.
I'm unsure what went wrong, but it seems like I passed through the SSO stage and then got stuck at the get-user-email screen. Thank you for your help.
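A small lint for the Role claim mapping in step 5b, added here as an example and not code from the original post or from Federate: it checks every customValueList entry against the documented "role_arn,provider_arn" shape (no whitespace anywhere, both ARNs in the same account, the expected SAML provider name), which is the kind of typo that silently breaks the STS AssumeRoleWithSAML step. The account id 123456789012, the mismatched provider "other" and the stray space in the sample are constructed placeholders.

```python
import json
import re

# Shape of the two halves of a SAML Role attribute value, "<role-arn>,<provider-arn>".
# Real ARNs never contain whitespace, so any \s in a value is reported before parsing.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
ROLE_CLAIM = "https://aws.amazon.com/SAML/Attributes/Role"


def check_role_mapping(mapper_json: str, expected_provider: str) -> list[str]:
    """Lint a 'Group to Role/IdP ARN mapping' claim and return human-readable findings."""
    findings = []
    cfg = json.loads(mapper_json)
    if cfg.get("customName") != ROLE_CLAIM:
        findings.append(f"customName must be {ROLE_CLAIM}")
    for entry in cfg.get("customMapper", []):
        group = entry.get("customKey", "<unnamed group>")
        for value in entry.get("customValueList", []):
            if re.search(r"\s", value):
                findings.append(f"{group}: whitespace inside {value!r}")
                continue
            parts = value.split(",")
            if len(parts) != 2:
                findings.append(f"{group}: expected 'role_arn,provider_arn', got {value!r}")
                continue
            role_m, prov_m = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
            if not role_m or not prov_m:
                findings.append(f"{group}: malformed ARN in {value!r}")
                continue
            if role_m.group(1) != prov_m.group(1):
                findings.append(f"{group}: role and provider are in different accounts")
            if parts[1].rsplit("/", 1)[1] != expected_provider:
                findings.append(f"{group}: provider is not {expected_provider}")
    return findings


# Constructed sample: one good entry, one with a stray space, one pointing at the wrong provider.
SAMPLE_MAPPER = json.dumps({
    "customMapper": [
        {"customKey": "ANT Group 1", "customValueList": [
            "arn:aws:iam::123456789012:role/AdminRole,arn:aws:iam::123456789012:saml-provider/federateQuickSight"]},
        {"customKey": "ANT Group 2", "customValueList": [
            "arn:aws:iam:: 123456789012:role/ReaderRole,arn:aws:iam::123456789012:saml-provider/federateQuickSight"]},
        {"customKey": "ANT Group 3", "customValueList": [
            "arn:aws:iam::123456789012:role/AuthorRole,arn:aws:iam::210987654321:saml-provider/other"]},
    ],
    "customName": ROLE_CLAIM, "customValue": "AD_GROUPS", "attributeType": "LIST",
})

if __name__ == "__main__":
    for finding in check_role_mapping(SAMPLE_MAPPER, "federateQuickSight"):
        print(finding)
```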