We are searching for a proper, secure way to generate a pre-signed URL that takes users to the QuickSight home page.
We tried using GetFederationTokenRequest; here is the code we used:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetFederationTokenRequest;
import software.amazon.awssdk.services.sts.model.GetFederationTokenResponse;
import software.amazon.awssdk.services.sts.model.Tag;

public class QuickSightFederationUrl {
    private static final Logger log = LoggerFactory.getLogger(QuickSightFederationUrl.class);
    private static final ObjectMapper objectMapper = new ObjectMapper();

    public static void main(String[] args) throws Exception {
        StsClient stsClient = StsClient.builder()
                .region(Region.AP_SOUTH_1)
                // GetFederationToken must be called with long-term IAM user keys, not temporary credentials
                .credentialsProvider(StaticCredentialsProvider.create(
                        AwsBasicCredentials.create("ACCESS_KEY", "SECRET_KEY")))
                .build();
        GetFederationTokenRequest federationTokenRequest = GetFederationTokenRequest.builder()
                .durationSeconds(1800)
                .name("JAVA-SDK-TEST-USER")
                .policy("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"quicksight:ListDashboards\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}")
                // Session tag key is "Email": AWS exposes it as aws:PrincipalTag/Email, which QuickSight reads as PrincipalTag:Email
                .tags(Tag.builder().key("Email").value("user@example.com").build())
                .build();
        GetFederationTokenResponse federationTokenResponse = stsClient.getFederationToken(federationTokenRequest);
        Credentials federatedCredentials = federationTokenResponse.credentials();
        stsClient.close();
        // Session JSON expected by the federation endpoint (built with Jackson so values are escaped correctly)
        String sessionJson = objectMapper.createObjectNode()
                .put("sessionId", federatedCredentials.accessKeyId())
                .put("sessionKey", federatedCredentials.secretAccessKey())
                .put("sessionToken", federatedCredentials.sessionToken())
                .toString();
        String signInUrl = "https://signin.aws.amazon.com/federation";
        // Step 1: exchange the temporary credentials for a sign-in token
        String getSigninTokenUrl = signInUrl + "?Action=getSigninToken&DurationSeconds=43200&Session="
                + URLEncoder.encode(sessionJson, StandardCharsets.UTF_8);
        URL url = new URL(getSigninTokenUrl);
        URLConnection conn = url.openConnection();
        String returnContent;
        try (BufferedReader bufferReader = new BufferedReader(new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            returnContent = bufferReader.readLine();
        }
        log.info("Response received: {}", returnContent); // contains the sign-in token, a credential
        String signinToken = objectMapper.readTree(returnContent).get("SigninToken").asText();
        // Step 2: build the login URL the user is redirected to
        String issuerURL = "https://app.domain.com/"; // Your issuer URL
        String destinationURL = "https://ap-south-1.quicksight.aws.amazon.com/sn/start"; // QuickSight home URL
        String loginURL = signInUrl + "?Action=login"
                + "&SigninToken=" + URLEncoder.encode(signinToken, StandardCharsets.UTF_8)
                + "&Issuer=" + URLEncoder.encode(issuerURL, StandardCharsets.UTF_8)
                + "&Destination=" + URLEncoder.encode(destinationURL, StandardCharsets.UTF_8);
        log.info("Federated login URL for QuickSight: {}", loginURL);
    }
}
When we use the generated login URL, we get the following error:
The AWS principal tag corresponding to "PrincipalTag:Email" in your SAML assertion or OIDC token is either an invalid email or not present. Please reach out to your Quick Sight account's admin to ensure that the email address for this AWS principal tag is correct.
Has someone faced a similar issue, or are we missing any steps?
Thanks
Sai