Unable to GetFederationTokenRequest to login to QuickSight

We are looking for a proper, secure way to generate a pre-signed URL that takes users to the QuickSight home page.

We tried using GetFederationTokenRequest; here is the piece of code we used:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetFederationTokenRequest;
import software.amazon.awssdk.services.sts.model.GetFederationTokenResponse;
import software.amazon.awssdk.services.sts.model.Tag;

public class QuickSightFederatedLogin {

    private static final Logger log = LoggerFactory.getLogger(QuickSightFederatedLogin.class);
    private static final ObjectMapper objectMapper = new ObjectMapper();

    public static String buildLoginUrl() throws Exception {
        // try-with-resources closes the STS client even if one of the calls below throws
        try (StsClient stsClient = StsClient.builder()
                .region(Region.AP_SOUTH_1)
                .credentialsProvider(StaticCredentialsProvider.create(
                        AwsBasicCredentials.create("ACCESS_KEY", "SECRET_KEY")))
                .build()) {

            GetFederationTokenRequest federationTokenRequest = GetFederationTokenRequest.builder()
                    .durationSeconds(1800)
                    .name("JAVA-SDK-TEST-USER")
                    // session policy: the federated user gets only what this policy allows
                    .policy("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"quicksight:ListDashboards\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}")
                    // session tag meant to carry the user's email address to QuickSight
                    .tags(Tag.builder().key("PrincipalTag:Email").value("user@example.com").build())
                    .build();

            GetFederationTokenResponse federationTokenResponse = stsClient.getFederationToken(federationTokenRequest);
            Credentials federatedCredentials = federationTokenResponse.credentials();

            // Session JSON expected by the federation endpoint
            String sessionJson = String.format(
                    "{\"%1$s\":\"%2$s\",\"%3$s\":\"%4$s\",\"%5$s\":\"%6$s\"}",
                    "sessionId", federatedCredentials.accessKeyId(),
                    "sessionKey", federatedCredentials.secretAccessKey(),
                    "sessionToken", federatedCredentials.sessionToken());

            // Step 1: exchange the temporary credentials for a sign-in token
            // (the console-session length parameter documented for this endpoint is SessionDuration)
            String signInUrl = "https://signin.aws.amazon.com/federation";
            String getSigninTokenUrl = signInUrl + "?Action=getSigninToken&SessionDuration=43200&Session="
                    + URLEncoder.encode(sessionJson, StandardCharsets.UTF_8);

            String returnContent;
            URLConnection conn = new URL(getSigninTokenUrl).openConnection();
            try (BufferedReader bufferReader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                returnContent = bufferReader.readLine();
            }
            log.info("Response received: {}", returnContent);
            String signinToken = objectMapper.readTree(returnContent).get("SigninToken").asText();

            // Step 2: build the login URL the user is redirected to
            String issuerURL = "https://app.domain.com/";  // Your issuer URL
            String destinationURL = "https://ap-south-1.quicksight.aws.amazon.com/sn/start";  // QuickSight Home URL
            String loginURL = signInUrl + "?Action=login"
                    + "&SigninToken=" + URLEncoder.encode(signinToken, StandardCharsets.UTF_8)
                    + "&Issuer=" + URLEncoder.encode(issuerURL, StandardCharsets.UTF_8)
                    + "&Destination=" + URLEncoder.encode(destinationURL, StandardCharsets.UTF_8);

            // Note: this URL is a bearer credential for the console session; log it only while testing
            log.info("Federated login URL for QuickSight: {}", loginURL);
            return loginURL;
        }
    }
}

When we use the generated login URL, we get the following error:

The AWS principal tag corresponding to "PrincipalTag:Email" in your SAML assertion or OIDC token is either an invalid email or not present. Please reach out to your QuickSight account's admin to ensure that the email address for this AWS principal tag is correct.

Has anyone faced a similar issue, or are we missing any steps?
Thanks
Sai

Hi @sai-teja

We can enable SSO directly in QuickSight, and it supports SAML federation. Alternatively, QuickSight can be integrated with AWS IAM Identity Center as well, which provides an automated way to sync users, groups and group membership from the IdP. Once SSO is enabled, QuickSight supports both SP- and IdP-initiated sessions. Would you mind sharing which SSO provider you are using? We will be able to share the relevant blog information.

Thanks
Vinod


Hi @sai-teja,
It’s been a while since we last heard from you; did you have any additional questions regarding your initial topic?

If we do not hear back within the next 3 business days, I’ll go ahead and close out this topic.

Thank you!

Hi @sai-teja,
Since we haven’t heard back, I’ll go ahead and close out this topic. However, if you have any additional questions, feel free to create a new post in the community and link this discussion for relevant information if needed.

Thank you!