SSO and custom namespaces

I’m working on setting up access for my organization in QuickSight and had a question about how custom namespaces work. I read the documentation article about namespaces, "Supporting multitenancy with isolated namespaces - Amazon QuickSight", and still had some questions.

We are using Okta as IdP for federated users into QuickSight.

We want to use custom namespaces in order to separate our users for security concerns. I am able to register users through the API successfully and log in through SSO (for the default namespace). So if I create the user in two separate namespaces (namespace1 and default), there are two different users in QuickSight, one in each namespace.

From the documentation I gather I can call generate-embed-url-for-registered-user in order to generate a link for the user in each respective namespace which contains the auth token.

Is it also possible to use 1-click embedding for this use case? Or would the user only be able to sign into the Default namespace? I don’t see a way of configuring which namespace to log into through the SSO/SAML configuration. So if the user was in two namespaces they would always end up in Default. Or if the user only existed in a custom namespace, they would not be able to log in through SSO and it would say nonexistent user?

From looking through other community posts, it looks like you can only use API embedding with custom namespaces. I just want to confirm, since I haven’t seen that stated in the documentation.

Turns out a username (IAM role/email) combination is unique per account so a user can’t exist in a different namespace with the same username. Don’t need to solve this problem anymore.
