With a custom namespace, how can a user log in to Quick Sight and author visuals?

I have been using a hybrid login with the default namespace.
General users are accessing Quick Sight visuals via embedded analytics as IAM users (all readers). A handful of authors use direct Quick Sight login (user/pass). All good so far.

Recently, I created a custom namespace (xx) and created a user in that namespace with a group and custom permission. I see a shared dataset/analysis/dashboard from the default namespace. So, all good.

When I create a user with a custom namespace in the CLI, I get an invitation URL, but it doesn’t work.

aws quicksight register-user --namespace xx --identity-type QUICKSIGHT --user-role AUTHOR --region $sourceRegion --custom-permissions-name xxPermission --email=xx@gmail.com --user-name xx@gmail.com --aws-account-id $sourceAccountId

Then, I found this sentence from the online doc saying ‘direct Quick Sight user/pass login’ won’t work with a custom namespace.

Then, why does the above CLI output a non-working URL?

Let me assume that’s what it is. Then, how can I achieve what I want?

For user A in namespace XX, how can he/she create/update the analysis and publish it?
Does he have to use embedded authoring and do it from the App side, not from Quick Sight directly?

Currently, I am not using SSO with Quick Sight. Users won’t come to Quick Sight directly from Okta. They will access it only from embedded dashboards. Do I need to enable SSO for this?

Can you try the following? (Workshop Studio)

Federated users, IAM users and Quick Sight managed users can all be created in secondary namespaces. However, only Federated and IAM users in secondary namespaces will be able to access the Quick Sight console directly. You can use Quick Sight managed users with secondary namespaces if your use case requires only embedded access. Both dashboard and session/author embedding are possible with Quick Sight managed users in secondary namespaces.

The Quick Sight managed user which you created in the secondary namespace is still valid.
Go ahead and test generating a console-based experience (generate-embed-url-for-registered-user — AWS CLI 2.31.8 Command Reference; search for “QuickSightConsole”).

If the above works, then you handle secondary namespaces as part of your application code. Based on the user who is accessing the application, the embedding URL will also require the user ARN, and this can be the user in a custom namespace.

Kind regards,
Koushik


The workshop was very helpful.
In summary, with a custom namespace, users can author visuals using

  1. embedded authoring experience
  2. in the Quick Sight console directly

For the #2 option, I need to create a user from IAM first.
Then, from QS CLI, I register this user with the ‘IAM’ identity-type.

aws quicksight register-user --aws-account-id $sourceAccountId --namespace $namespace --identity-type IAM --iam-arn arn:aws:iam::$sourceAccountId:user/$userName --user-role AUTHOR --email xxx@xx.com --region $sourceRegion --custom-permissions-name snoPermission

For a user to access QS for authoring, the user still opens the Quick Sight login page (https://quicksight.aws.amazon.com/). Then enter the correct account name.
The screen will be redirected to the IAM login page. Type in the IAM user’s username and password.
The screen will redirect to the Quick Sight console.
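
The console-experience test suggested in the answer, which is also the embedded authoring option (#1) in the summary, as an added shell example that is not part of the original posts. The function names, the `QS_DRY_RUN` switch and the account id, namespace and user name in the usage line are constructed for illustration.

```shell
# Added example: embed URL for the Quick Sight console (authoring) experience
# for a registered user that lives in a custom namespace.

# Build the user ARN; the namespace is part of the resource path.
qs_user_arn() {  # region account_id namespace user_name
  printf 'arn:aws:quicksight:%s:%s:user/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Build the --experience-configuration JSON, accepting only known console paths
# so that application input cannot break out of the JSON string.
qs_console_experience() {  # initial_path
  case "$1" in
    *[!A-Za-z0-9/_-]*) echo "invalid character in InitialPath" >&2; return 1 ;;
  esac
  case "$1" in
    /start|/start/analyses|/start/dashboards|/start/favorites) ;;
    /dashboards/?*|/analyses/?*) ;;
    *) echo "unsupported InitialPath: $1" >&2; return 1 ;;
  esac
  printf '{"QuickSightConsole":{"InitialPath":"%s"}}\n' "$1"
}

# Request the embed URL. Set QS_DRY_RUN=1 to print the command instead of
# calling AWS. The returned URL carries a session token, so hand it only to
# the authenticated application user it was generated for.
qs_console_embed_url() {  # region account_id namespace user_name [path] [minutes]
  local region="$1" account="$2" ns="$3" user="$4"
  local path="${5:-/start/analyses}" minutes="${6:-60}"
  local arn exp
  # The API accepts a session lifetime of 15 to 600 minutes.
  if [ "$minutes" -lt 15 ] || [ "$minutes" -gt 600 ]; then
    echo "session lifetime must be 15-600 minutes" >&2; return 1
  fi
  arn=$(qs_user_arn "$region" "$account" "$ns" "$user")
  exp=$(qs_console_experience "$path") || return 1
  ${QS_DRY_RUN:+echo} aws quicksight generate-embed-url-for-registered-user \
    --region "$region" --aws-account-id "$account" \
    --user-arn "$arn" --session-lifetime-in-minutes "$minutes" \
    --experience-configuration "$exp" \
    --query EmbedUrl --output text
}

# Usage (constructed values):
#   qs_console_embed_url us-east-1 111122223333 xx author@example.com
```

The application decides which user ARN to pass based on who is signed in, so the mapping from application user to namespace and user name should come from server-side state, not from the request.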