QuickSight SSO with ADFS

In this article, I will take you through how to configure IdP-initiated and SP-initiated SSO flows for QuickSight with ADFS.

Prerequisites

  • ADFS should be set up and reachable from an external network.
    If you don’t have ADFS set up at all, you can use the following Quick Start to set up a sample - Web Application Proxy with AD FS on AWS - Quick Start
    If you have ADFS set up but don’t have a Web Application Proxy, you can still try out the IdP-initiated flow from within your network, where ADFS is accessible.
    For the SP-initiated flow, a Web Application Proxy must be configured to make ADFS externally accessible.

  • A relying party trust must be configured for the AWS console.
    If you don’t have this set up, configure it as described in AWS Federated Authentication with Active Directory Federation Services (AD FS) | AWS Security Blog

  • In addition to the claim issuance policy rules configured for AWS console access, include a rule that passes the user’s email in the outgoing claim type https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email if you want to enable QuickSight email sync and use the passed-in email directly instead of prompting the user to enter it. The trust relationship of the role must then allow both ["sts:AssumeRoleWithSAML","sts:TagSession"] actions instead of just sts:AssumeRoleWithSAML.

  • The role configured for AWS console access should have the quicksight:CreateReader, quicksight:CreateUser or quicksight:CreateAdmin permission (depending on whether you want users to come in as readers, authors or admins).

  • A QuickSight instance with an authentication scheme that supports IAM federated identities should be set up.

  • Admin rights to make changes to the above entities.
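The trust relationship prerequisite above is easy to get wrong when an existing AWS console role is reused: the older trust policy only allows sts:AssumeRoleWithSAML, and without sts:TagSession the PrincipalTag:Email claim is rejected at sign-in. The following added example (written for this article, not code from QuickSight, ADFS or AWS) embeds a constructed sample trust policy and lints it for both actions. The account id and SAML provider name in the ARN are placeholders, and the SAML:aud condition is the standard one from AWS SAML federation, which the article itself does not show.

```python
"""Lint an IAM role trust policy for the two SAML actions the prerequisites call for.

Added example, not from the original post. The trust policy below is a
constructed sample: the account id and SAML provider name are placeholders.
"""
import fnmatch
import json

# Constructed sample trust policy for the role that ADFS users assume.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::123456789012:saml-provider/ADFS"  # placeholder ARN
        },
        # Both actions, as the prerequisite requires for PrincipalTag:Email to work.
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}
        },
    }],
})

REQUIRED_SAML_ACTIONS = ("sts:AssumeRoleWithSAML", "sts:TagSession")


def allowed_actions(policy_document: str) -> list:
    """Collect the Action patterns of every Allow statement in the document."""
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_saml_trust_actions(policy_document: str) -> set:
    """Required actions that no Allow statement grants (wildcards such as sts:* count as a grant).

    An empty set means session tagging works, so the email claim can be passed as a principal tag.
    """
    patterns = allowed_actions(policy_document)
    return {action for action in REQUIRED_SAML_ACTIONS
            if not any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns)}


def legacy_trust_policy(policy_document: str) -> str:
    """Derive the older form that only allows sts:AssumeRoleWithSAML, for comparison."""
    policy = json.loads(policy_document)
    for stmt in policy["Statement"]:
        stmt["Action"] = "sts:AssumeRoleWithSAML"
    return json.dumps(policy)


if __name__ == "__main__":
    print("current policy, missing:", missing_saml_trust_actions(SAMPLE_TRUST_POLICY))
    print("legacy policy, missing:", missing_saml_trust_actions(legacy_trust_policy(SAMPLE_TRUST_POLICY)))
```

Run it against the trust policy document exported from the role (for example with the AWS CLI, get-role returns it under AssumeRolePolicyDocument); a non-empty result names the action to add before enabling email sync.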

IdP init flow
There are three ways to start the IdP-initiated flow: go to the base URL of ADFS, use a URL with the relying party trust encoded in it, or use a URL with both the relying party trust and the QuickSight relay state URL encoded in it.

  1. Base URL - From the ADFS server, launch the following URL
    https://<FQDN>/adfs/ls/idpinitiatedsignon
    The page that comes up lets you pick the site you sign into. Pick the one configured for the AWS console, get into the AWS console and launch QuickSight from the services list.

  2. URL with the relying party trust included as a query string parameter.
    In a fresh browser instance, launch the following URL.
    https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices
    Note that you are brought directly to the credential screen and then to the AWS console (bypassing the site/relying party selection screen). You can launch QuickSight from the AWS console.

  3. URL with the relying party trust and the QuickSight URL encoded in.
    In a fresh browser, launch the following URL.
    https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3Dhttps%253A%252F%252Fquicksight.aws.amazon.com
    Note that you are brought directly to the credential screen (bypassing the site/relying party selection) and then directly to QuickSight (bypassing the AWS console).


The second and third URLs are long, so while they can be bookmarked, they are inconvenient to remember or type. We can set up easy-to-remember variants using URL Rewrite as shown below.

URL Rewrite
IIS, with the URL Rewrite module, should be installed on your WAP server.
(The URL Rewrite module can be downloaded from URL Rewrite : The Official Microsoft IIS Site)
We will need to create two rules. The steps are given below.

  1. Select the default web site from the left panel and double-click URL Rewrite

  2. Click Add rules in the right panel

  3. Choose the blank rule option and click the OK button.

  4. We will create a rule that kicks in when ‘QuickSight’ is part of the URL and there is a ‘QuickSightRelayState=’ in the query string. This is needed for the SP-initiated flow.
    Configure as follows.
    Name: Redirect1
    Using: Wildcards
    Pattern: *QuickSight*
    Expand Conditions, click the Add button and configure the condition as follows.
    Pattern: *QuickSightRelayState=*
    Click the OK button.
    Action: Redirect
    Redirect URL:
    https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3D{C:2}
    ({C:2} is the text matched by the second wildcard of the condition pattern, i.e. the value after QuickSightRelayState=.)
    Append Query String: Unchecked
    Redirect type: Found(302)
    Click Apply in the right panel

  5. Click Back to rules.

  6. Click Add rules again to add one more rule.

  7. Choose the blank rule option and click the OK button.

  8. We will create another rule that kicks in whenever ‘QuickSight’ is part of the URL.
    This is the second rule because we want it to kick in only if the URL has the QuickSight keyword but doesn’t have QuickSightRelayState= in the query string (a redirect rule stops further rule processing, so the order matters).
    Configure as follows.
    Name: Redirect2
    Using: Wildcards
    Pattern: *QuickSight*
    Action: Redirect
    Redirect URL:
    https://<FQDN>/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3Dhttps%3A%2F%2Fus-east-1.quicksight.aws.amazon.com%2Fsn%2Fstart
    Append Query String: Unchecked
    Redirect type: Found(302)
    Click Apply in the right panel

  9. Click Back to rules

  10. Ensure that you see both rules in the order shown below (Redirect1 before Redirect2).

Test short url for IdP init flow
Try launching the following URL - https://<FQDN>/QuickSight
This should now take you to the ADFS sign-in screen and then to QuickSight (i.e. the third flow described in the IdP init flow section).
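The nested RelayState in the IdP-initiated URLs and the two rewrite rules are the parts of this setup that are hardest to verify by eye: the QuickSight URL is a RelayState inside a RelayState, so it is percent-encoded twice, and a redirect rule in the wrong position silently drops the value QuickSight sent. The following added example (written for this article, not IIS or ADFS code) rebuilds the URL shapes from the sections above in plain Python, decodes them back, and simulates Redirect1 and Redirect2 in both orders. It assumes a placeholder ADFS_FQDN and that QuickSight appends its IdP redirect URL parameter as a single URL-encoded QuickSight URL; the article does not show the exact value QuickSight sends. The host check at the end is an added precaution, since the wildcard rules as configured forward whatever QuickSightRelayState value arrives without inspecting it.

```python
"""Nested ADFS RelayState encoding and a simulation of the two IIS rewrite rules.

Added example, not part of the original post and not IIS code: it reproduces
the URL shapes from the post in plain Python so the double encoding and the
rule order can be checked offline. ADFS_FQDN and the request URLs are
constructed placeholders.
"""
from urllib.parse import parse_qs, quote, urlsplit

ADFS_FQDN = "adfs.example.com"          # placeholder for <FQDN>
AWS_RPID = "urn:amazon:webservices"     # relying party identifier of the AWS console trust
IDP_INIT = f"https://{ADFS_FQDN}/adfs/ls/idpinitiatedSignOn.aspx?RelayState="
# Fixed target of Redirect2, copied from the post (the inner URL is encoded once there).
REDIRECT2_LOCATION = (IDP_INIT + "RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3D"
                      "https%3A%2F%2Fus-east-1.quicksight.aws.amazon.com%2Fsn%2Fstart")
QUICKSIGHT_DOMAIN = "quicksight.aws.amazon.com"


def build_idp_init_url(quicksight_url: str) -> str:
    """URL with relying party trust and QuickSight URL coded in (flow 3 in the post).

    The QuickSight URL is a RelayState inside a RelayState, so it is encoded twice:
    once as the value of the inner RelayState= and again with the whole inner string.
    """
    inner = f"RPID={quote(AWS_RPID, safe='')}&RelayState={quote(quicksight_url, safe='')}"
    return IDP_INIT + quote(inner, safe="")


def decode_relay_state(url: str):
    """Unpack an idpinitiatedSignOn URL into (RPID, inner RelayState)."""
    outer = parse_qs(urlsplit(url).query)["RelayState"][0]  # first decoding step
    inner = parse_qs(outer)                                  # second decoding step
    return inner["RPID"][0], inner.get("RelayState", [None])[0]


def redirect1(request_url: str):
    """Rule 1: *QuickSight* in the URL and *QuickSightRelayState=* in the query string.

    {C:2} is the text after '=' in the condition pattern, inserted unchanged.
    """
    query = urlsplit(request_url).query
    marker = "QuickSightRelayState="
    if "QuickSight" not in request_url or marker not in query:
        return None
    c2 = query.split(marker, 1)[1]
    return IDP_INIT + "RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3D" + c2


def redirect2(request_url: str):
    """Rule 2: *QuickSight* anywhere in the URL, fixed QuickSight start page as target."""
    return REDIRECT2_LOCATION if "QuickSight" in request_url else None


RULES = [("Redirect1", redirect1), ("Redirect2", redirect2)]  # order as in the post


def first_match(request_url: str, rules=RULES):
    """A redirect stops rule processing; return (rule name, 302 Location) or None."""
    for name, rule in rules:
        location = rule(request_url)
        if location is not None:
            return name, location
    return None


def relay_target_is_quicksight(location: str) -> bool:
    """Added check: the inner RelayState must point at a QuickSight host.

    The wildcard rules in the post forward the QuickSightRelayState value as is.
    """
    _, target = decode_relay_state(location)
    host = (urlsplit(target or "").hostname or "").lower()
    return host == QUICKSIGHT_DOMAIN or host.endswith("." + QUICKSIGHT_DOMAIN)


if __name__ == "__main__":
    # Constructed SP-initiated request: the value QuickSight appends is assumed to be
    # the URL-encoded QuickSight URL (the post does not show the exact value).
    sp_request = (f"https://{ADFS_FQDN}/QuickSight?QuickSightRelayState="
                  "https%3A%2F%2Fquicksight.aws.amazon.com%2Fsn%2Fstart")
    print(first_match(sp_request))
    print(first_match(f"https://{ADFS_FQDN}/QuickSight"))
    print(first_match(sp_request, rules=list(reversed(RULES))))  # wrong order loses the relay state
```

Note that the article’s flow 3 URL double-encodes the QuickSight URL while the Redirect2 target encodes it only once; decode_relay_state shows that both forms unpack to the same inner URL, because the single-encoded characters are not delimiters of the outer value. build_idp_init_url produces the double-encoded form exactly as shown in flow 3.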

QuickSight SSO Configuration

  1. Launch the QuickSight management panel and select single sign-on from the left panel.
    Configure as follows
    IdP URL: https://<FQDN>/QuickSight
    IdP redirect URL parameter: QuickSightRelayState
    Click the Save button.

  2. Test the flow by launching the test URLs from a browser.

  3. Change the Status radio button to ON and click Turn on SSO in the confirmation pop-up.


Test SP init flow

  1. Launch a new browser instance and launch QuickSight - https://quicksight.aws.amazon.com

  2. Enter the account name and click Continue.

  3. You will be taken to the ADFS sign-in screen for authentication.

  4. Once authenticated, you will be dropped back into QuickSight.

Now that you know how to configure these flows, try it out in your dev/test environment and see it in action.

Regards,
Arun Santhosh

Hi Arun,
This is a great doc. I have something similar set up using Keycloak, but I am finding that when a user hits the log out button from within QuickSight they are just taken back to the QuickSight logon page and not back to the IdP logon page. When a user logs out, how can I force a redirect back to my IdP?

Octo

Hi Octo,

What you describe above is the expected behavior and here’s why.

When a user signs off from QuickSight, the intent might be just to exit from that account or to then login to another QuickSight account.
So, we present a QuickSight login screen with the QuickSight account name prefilled with the name of the account the user just logged out from (see screenshot below). If the user wishes to log in to the same account, they can just click the NEXT button and will then be taken to their IdP login screen. If the user wants to connect to a different QuickSight account and changes the account name, we route to the auth flow as configured in that account.

Hope this clears it up for you.

Regards,
Arun

@ArunSanthosh - further to what @defioctopus asked, are there any plans to support custom domains for QuickSight so that SSO authentication can be fully transparent to federated users? (i.e. they do not need to know or remember the directory alias for a particular QuickSight account)

(I expand on the challenges with QuickSight dashboard URLs and SSO login in this question but received no replies:

Share "direct" dashboard URLs which fully handle SSO authentication when required - #2)

Hi @reporting - As Jesse mentioned in his response to other thread, we do have custom domain as a feature request in our queue. Please have your AWS account manager/solution architect file a customer influence against this PFR - Internal Link. If you don’t have an AWS contact, message me your org and use case details (Click my username above for message option) and I will submit the customer influence entry on your behalf.

Also, in the meanwhile, you can direct users to use the Copy link option in dashboard share screen rather than copying url from address bar. This option gives you the deep link with the account included.

Regards,
Arun

If you prefer to use AWS services only, you can use S3 together with CloudFront to redirect your initial SAML requests from Quicksight to ADFS, too.

Step 1 - Create S3 Bucket for Redirection
You can create the S3 bucket and CloudFront distribution in any AWS account. It does not need to be your QuickSight account. The S3 bucket can remain empty.

Step 2 - Disable Block Public Access

Step 3 - Add Bucket Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yourbucket/*"
        }
    ]
}

Note that you need to adjust the bucket name in the policy

Step 4 - Test the redirection by opening the HTTP bucket website endpoint in your browser

Step 5 - Add CloudFront to allow HTTPS
The S3 website endpoint allows HTTP only, but QuickSight requires an HTTPS endpoint, therefore we are adding CloudFront. Select your S3 bucket as the origin

and set the Viewer Policy to HTTPS only. In my tests I disabled caching, so every request is forwarded to S3. Given that it is a static redirection, it should be safe to enable caching.

Step 6 - Test HTTPS redirection
When the deployment is completed, open your CloudFront distribution domain name, e.g. d1knlzarh6p00b.cloudfront.net, in your browser. You should be redirected to your ADFS server now.

If you receive a 403 access denied error, check the permissions on your S3 bucket. One way to verify that public access is allowed is to disable redirection and upload an index.html file. Verify that you can open this page. Note that changing redirection settings is not applied immediately. It takes some time until disabling redirection is in effect.

Step 7 - In QuickSight, provide the "shortened" URL for your ADFS server now

You can achieve a similar result by using an external URL rewriting service, e.g. bit.ly. Set up a redirection, e.g. from https://bitl.y/your_adfs to https:///adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID%3Durn%253Aamazon%253Awebservices%26RelayState%3Dhttps%253A%252F%252Fquicksight.aws.amazon.com.

The ADFS URL can be a local URL, depending on how your users access ADFS: