QuickSight SSO Issue

I tried to enable SSO for QuickSight, but when testing for the end-to-end experience in incognito mode, I got stuck at this screen, which kept loading forever.

What I did to get this SSO is:

1. Prerequisite

  • Having QuickSight ADMIN permissions
  • AWS account ADMIN access on which QuickSight is hosted
  • ANT groups for each tier of access needed to be provided (Reader, User/Writer, Admin)

2. Create Identity Provider (using the metadata from the Federate profile to create a provider in IAM), naming it federateQuickSight
3. Create three IAM policies that give different tiers of QuickSight permission (quicksight:CreateReader, quicksight:CreateUser, quicksight:CreateAdmin)
    Example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "quicksight:CreateReader"
          ],
          "Resource": [
            "arn:aws:quicksight::myaccountid:user/${aws:userid}"
          ]
        }
      ]
    }

    With myaccountid replaced by my true AWS account ID

4. Create 3 IAM roles (for three tiers of access) and select SAML 2.0 Federation as the trusted entity type and choose the Identity Provider created above, naming them respectively AdminRole, AuthorRole, ReaderRole
5. Follow the Amazon Federate Onboarding
a. In Allowed Groups, allow three ANT groups created in the prerequisites (ANT Group 1, ANT Group 2, ANT Group 3)
b. Claims configuration is as follows
The first three claims are pre-populated; I then added two additional claims.
o Claim 4:

{
  "customName": "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email",
  "federateAttribute": "EMAIL"
}

o Claim 5:

{
  "customMapper": [
    {
      "customKey": "ANT Group 1",
      "customValueList": [
        "arn:aws:iam::myaccountID:role/AdminRole, arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
      ]
    },
    {
      "customKey": "ANT Group 2",
      "customValueList": [
        "arn:aws:iam:: myaccountID:role/ReaderRole, arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
      ]
    },
    {
      "customKey": "ANT Group 3",
      "customValueList": [
        "arn:aws:iam:: myaccountID:role/AuthorRole, arn:aws:iam::myaccountID:saml-provider/federateQuickSight"
      ]
    }
  ],
  "customName": "https://aws.amazon.com/SAML/Attributes/Role",
  "customValue": "AD_GROUPS",
  "attributeType": "LIST"
}
6. Submitted, got auto-approved, and pasted the link in SSO in QuickSight.

I’m unsure what went wrong, but it seems like I passed through the SSO stage and then got stuck at the get-user-email screen. Thank you for your help.
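
An added example (not part of the original post, and not a diagnosis of it): a small Python lint for two pieces this kind of setup has to keep consistent, the Role claim values and each role's trust policy. It assumes the standard AWS rules that a Role value is a "role ARN,provider ARN" pair and that a role receiving PrincipalTag attributes must allow sts:TagSession to the SAML provider; the function names, the account ID 111122223333 and the sample trust policy are constructed for illustration.

```python
import re

# IAM ARN for a role or SAML provider; a comma cannot appear in it here
# because the SAML Role attribute uses the comma as the pair separator.
ARN = re.compile(r"^arn:aws:iam::\d{12}:(role|saml-provider)/[\w+=.@/-]+$")
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

def as_list(v):
    return v if isinstance(v, list) else [v]

def lint_role_value(value):
    """Return (role_arn, provider_arn), or raise ValueError if malformed."""
    # Whitespace around the comma is stripped; whitespace inside an ARN is not.
    parts = [p.strip() for p in value.split(",")]
    kinds = {m.group(1): p for p in parts if (m := ARN.match(p))}
    if len(parts) != 2 or set(kinds) != {"role", "saml-provider"}:
        raise ValueError(f"not a 'role ARN,provider ARN' pair: {value!r}")
    return kinds["role"], kinds["saml-provider"]

def lint_trust_policy(policy, provider_arn, claim_names):
    """List what the trust policy lacks for the claims sent (exact action names only)."""
    allowed = set()
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        fed = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and provider_arn in fed:
            allowed.update(as_list(st.get("Action", [])))
    findings = []
    if "sts:AssumeRoleWithSAML" not in allowed:
        findings.append("sts:AssumeRoleWithSAML not allowed for provider")
    if any(n.startswith(TAG_PREFIX) for n in claim_names) and "sts:TagSession" not in allowed:
        findings.append("PrincipalTag claim sent but sts:TagSession not allowed")
    return findings

# Constructed sample data (account ID 111122223333 is a placeholder).
PROVIDER = "arn:aws:iam::111122223333:saml-provider/federateQuickSight"
CLAIMS = [TAG_PREFIX + "Email", "https://aws.amazon.com/SAML/Attributes/Role"]
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
}]}

if __name__ == "__main__":
    role, provider = lint_role_value(
        "arn:aws:iam::111122223333:role/ReaderRole, " + PROVIDER)
    print(role, lint_trust_policy(TRUST, provider, CLAIMS))
```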

Hi @lilith - To investigate this issue, it will be good to submit a ticket to AWS customer support so that they can validate e2e via screenshare and troubleshoot the issue. To raise the request, please follow the link - Creating support cases and case management - AWS Support

Regards - Sanjeeb