In this article, I will take you through how to configure IdP and SP initiated SSO flows for QuickSight with ADFS.
Prerequisites
-
ADFS should be setup and reachable from external network.
If you don’t have ADFS setup at all, you can use the following QuickStart to setup a sample - Web Application Proxy with AD FS on AWS - Quick Start
If you have ADFS setup but don’t have proxy setup, you can still try out the IdP initiated flow from within your network where ADFS is accessible.
For SP initiated part, web application proxy must be configured to make ADFS externally accessible . -
Relying party trust must be configured for AWS console.
If you don’t have this setup, refer following blog for details - Configure as mentioned in AWS Federated Authentication with Active Directory Federation Services (AD FS) | AWS Security Blog -
In addition to the claim issuance policy rules configured for AWS console access, include one to pass user email to following outgoing claim type if you want to enable QuickSight email sync and directly use the passed in email instead of prompting user to enter the same. -
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email
. Also, the trust relationship of the role should include["sts:AssumeRoleWithSAML","sts:TagSession"]
actions instead of just AssumeRoleWithSAML. -
Role configured in AWS console should have quicksight:CreateReader, quicksight:CreateUser or quicksight:CreateAdmin permission (depending on whether you want to allow user to come in as a reader, author or admin)
-
QuickSight instance, with authentication scheme that supports IAM federated identities, should be setup.
-
Admin rights to make changes to above entities.
IdP init flow
We can use three modes in idp init flow. Either go to base url for ADFS, use url with relying party trust coded in or use url with both relying party trust and QuickSight relay state url coded in.
-
Base url - From ADFS server, launch following url
https://<FQDN>/adfs/ls/idpinitiatedsignon
The page that comes up will give you the option to pick the site you sign into. Pick the one configured for AWS console, get into AWS console and launch QuickSight from services. -
Url with Relying party trust included as query string parameter.
On fresh browser instance, launch the following url.
https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices
Note that you are brought directly to the credential screen and then to aws console (bypassing the site/relying party selection screen); You can launch QuickSight from AWS console. -
Url with relying party trust and QuickSight url coded in.
On a fresh browser, launch the following url.
https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3Dhttps%253A%252F%252Fquicksight.aws.amazon.com
Note that you are brought directly to credential screen (bypassing site/relying party selection) and then directly to QuickSight (bypassing the aws console).
The second and third urls are long. So, while they can be bookmarked, it is inconvenient to remember/type in. We can setup easy to remember variants using url rewrite as shown below.
URL Rewrite
IIS, with url rewrite module, should be installed on your WAP server.
(url rewrite module can be downloaded from URL Rewrite : The Official Microsoft IIS Site )
We will need to create two rules. Steps are given below.
-
Select the default web site from left panel and double click URL Rewrite
-
Click Add rules from right panel
-
Choose blank rule option and click OK button.
-
We will create a rule that kicks in based on ‘QuickSight’ being part of the url and there being a ‘QuickSightRelayState=’ in the query string section. This is need for the SP init flow.
Configure as follows.
Name: Redirect1
Using: Wildcards
Pattern:*QuickSight*
Expand Conditions and click Add button
Continued…
Pattern: *QuickSightRelayState=*
Click OK button
Continued…
Action: Redirect
Redirect URL:
https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3D{C:2}
Append Query String: Unchecked
Redirect type: Found(302)
Click Apply from right panel
-
Click Back to rules.
-
Click Add rules again to add one more rule.
-
Choose blank rule option and click OK button.
-
We will create another rule that kicks in just based on ‘QuickSight’ being part of the url.
We are creating this as the second rule as we want this to kick in only if the url has QuickSight keyword but doesn’t have QuickSightRelayState= in query string section.
Configure as follows.
Name: Redirect2
Using: Wildcards
Pattern:*QuickSight*
Action: Redirect
Redirect URL:
https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3Dhttps%3A%2F%2Fus-east-1.quicksight.aws.amazon.com%2Fsn%2Fstart
Append Query String: Unchecked
Redirect type: Found(302)
Click Apply from right panel
-
Click Back to rules
-
Ensure that you are seeing both rules in the order as shown below.
Test short url for IdP init flow
Try launching following url - https://<FQDN>/QuickSight
This should now take you the ADFS sign in screen and thereafter to QuickSight (ie - the third flow we saw in IdP init flows section)
QuickSight SSO Configuration
-
Launch management panel and select single-sign-on from left panel.
Configure as follows
IdP URL:https://<FQDN>/QuickSight
IdP redirect URL parameter:QuickSightRelayState
Click Save button.
-
Test the flow by launching the test urls from browser.
-
Change the Status radio button to ON and click Turn on SSO in the confirmation pop up.
Test SP init flow
-
Launch a new browser instance and launch QuickSight - https://quicksight.aws.amazon.com
-
Enter the account name and click continue
-
You will be taken to ADFS sign in screen for authentication.
-
Once authenticated, you will be dropped back into QuickSight.
Now that you know have to configure these flows, try it out in your dev/test environment and see it in action.
Regards,
Arun Santhosh