Enable federation to Amazon QuickSight accounts with Ping One

Written by admin


Amazon QuickSight is a scalable, serverless, embeddable, machine learning (ML)-powered business intelligence (BI) service built for the cloud that supports identity federation in both Standard and Enterprise editions. Organizations are working towards centralizing their identity and access strategy across all of their applications, including on-premises, third-party, and applications on AWS. Many organizations use Ping One to control and manage user authentication and authorization centrally. If your organization uses Ping One for cloud applications, you can enable federation to all of your QuickSight accounts without needing to create and manage users in QuickSight. This authorizes users to access QuickSight assets (analyses, dashboards, folders, and datasets) through centrally managed Ping One.

In this post, we go through the steps to configure federated single sign-on (SSO) between a Ping One instance and a QuickSight account. We demonstrate registering an SSO application in Ping One, creating groups, and mapping to an AWS Identity and Access Management (IAM) role that translates to QuickSight user license types (admin, author, and reader). These QuickSight roles represent three different personas supported in QuickSight. Administrators can publish the QuickSight app in Ping One to enable users to perform SSO to QuickSight using their Ping credentials.

Prerequisites

To complete this walkthrough, you must have the following prerequisites:

  • A Ping One subscription
  • One or more QuickSight account subscriptions

Solution overview

The walkthrough includes the following steps:

  1. Create groups in Ping One for each of the QuickSight user license types.
  2. Register an AWS application in Ping One.
  3. Add Ping One as your SAML identity provider (IdP) in AWS.
  4. Configure an IAM policy.
  5. Configure an IAM role.
  6. Configure your AWS application in Ping One.
  7. Test the application from Ping One.

Create groups in Ping One for each of the QuickSight roles

To create groups in Ping One, complete the following steps:

  1. Sign in to the Ping One portal using an administrator account.
  2. Under Identities, choose Groups.
  3. Choose the plus sign to add a group.
  4. For Group Name, enter QuickSightReaders.
  5. Choose Save.
  6. Repeat these steps to create the groups QuickSightAdmins and QuickSightAuthors.

Register an AWS application in Ping One

To configure the integration of an AWS application in Ping One, you need to add AWS to your list of managed software as a service (SaaS) apps.

  1. Sign in to the Ping One portal using an administrator account.
  2. Under Connections, choose Application Catalog.
  3. In the search box, enter amazon web services.
  4. Choose Amazon Web Services – AWS from the results to add the application.
  5. For Name, enter Amazon QuickSight.
  6. Choose Next.
    Under Map Attributes, there should be four attributes.
  7. Delete the attribute related to SessionDuration.
  8. Choose Username as the value for all of the remaining attributes for now.
    We update these values in later steps.
  9. Choose Next.
  10. In the Select Groups section, add the QuickSightAdmins, QuickSightAuthors, and QuickSightReaders groups you created.
  11. Choose Save.
  12. After the application is created, choose the application again and download the federation metadata XML.

You use this in the next step.

Add Ping One as your SAML IdP in AWS

To configure Ping One as your SAML IdP, complete the following steps:

  1. Open a new tab in your browser.
  2. Sign in to the IAM console in your AWS account with admin permissions.
  3. On the IAM console, under Access Management in the navigation pane, choose Identity providers.
  4. Choose Add provider.
  5. For Provider name, enter PingOne.
  6. Choose file to upload the metadata document you downloaded earlier.
  7. Choose Add provider.
  8. In the banner message that appears, choose View provider.
  9. Copy the IdP ARN to use in a later step.

Configure an IAM policy

In this step, you create an IAM policy to map three different roles with permissions in QuickSight.

Use the following steps to set up QuickSightUserCreationPolicy. This policy grants privileges in QuickSight to the federated user based on the assigned groups in Ping One. Each statement allows exactly one QuickSight user-registration action, and only when the session carries the matching user-role principal tag.

  1. On the IAM console, choose Policies.
  2. Choose Create policy.
  3. On the JSON tab, replace the existing text with the following code:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "quicksight:CreateAdmin",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightAdmins"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "quicksight:CreateUser",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightAuthors"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "quicksight:CreateReader",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightReaders"
                    }
                }
            }
        ]
    }
  4. Choose Review policy.
  5. For Name, enter QuickSightUserCreationPolicy.
  6. Choose Create policy.

Configure an IAM role

Next, create the role that Ping One users assume when federating into QuickSight. Use the following steps to set up the federated role:

  1. On the IAM console, choose Roles.
  2. Choose Create role.
  3. For Trusted entity type, select SAML 2.0 federation.
  4. For SAML 2.0-based provider, choose the provider you created earlier (PingOne).
  5. Select Allow programmatic and AWS Management Console access.
  6. For Attribute, choose SAML:aud.
  7. For Value, enter https://signin.aws.amazon.com/saml.
  8. Choose Next.
  9. Under Permissions policies, select the QuickSightUserCreationPolicy IAM policy you created in the previous step.
  10. Choose Next.
  11. For Role name, enter QSPingOneFederationRole.
  12. Choose Create role.
  13. On the IAM console, in the navigation pane, choose Roles.
  14. Choose the QSPingOneFederationRole role you created to open the role's properties.
  15. Copy the role ARN to use in later steps.
  16. On the Trust relationships tab, under Trusted entities, verify that the IdP you created is listed.
  17. Under Condition in the policy code, verify that SAML:aud with a value of https://signin.aws.amazon.com/saml is present.
  18. Choose Edit trust policy to add an additional condition.
  19. Under Condition, add the following code:
    "StringLike": {
        "aws:RequestTag/user-role": "*"
    }

  20. Under Action, add the following code:

  21. Choose Update policy to save the changes.

Configure an AWS application in Ping One

To configure your AWS application, complete the following steps:

  1. Sign in to the Ping One portal using a Ping One administrator account.
  2. Under Connections, choose Application.
  3. Choose the Amazon QuickSight application you created earlier.
  4. On the Profile tab, choose Enable Advanced Configuration.
  5. Choose Enable in the pop-up window.
  6. On the Configuration tab, choose the pencil icon to edit the configuration.
  7. Under SIGNING KEY, select Sign Assertion & Response.
  8. Under SLO BINDING, for Assertion Validity Duration In Seconds, enter a duration, such as 900.
  9. For Target Application URL, enter https://quicksight.aws.amazon.com/.
  10. Choose Save.

On the Attribute Mappings tab, you now add or update the attributes as in the following table.

  Attribute Name                                                   Value
  saml_subject                                                     Username
  https://aws.amazon.com/SAML/Attributes/RoleSessionName           Username
  https://aws.amazon.com/SAML/Attributes/Role                      'arn:aws:iam::xxxxxxxxxx:role/QSPingOneFederationRole,arn:aws:iam::xxxxxxxxxx:saml-provider/PingOne'
  https://aws.amazon.com/SAML/Attributes/PrincipalTag:user-role    user.memberOfGroupNames[0]

  1. Enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:user-role for the attribute name and use the corresponding value from the table for the expression.
  2. Choose Save.
  3. If you have more than one QuickSight user role (for this post, QuickSightAdmins, QuickSightAuthors, and QuickSightReaders), you can add all the appropriate role names as follows, so that a user who belongs to several groups is mapped to the first group that matches in the chain:
    #data.containsAny(user.memberOfGroupNames,{'QuickSightAdmins'}) ? 'QuickSightAdmins' :
    #data.containsAny(user.memberOfGroupNames,{'QuickSightAuthors'}) ? 'QuickSightAuthors' :
    #data.containsAny(user.memberOfGroupNames,{'QuickSightReaders'}) ? 'QuickSightReaders' : null

  4. To edit the role attribute, choose the gear icon next to the role.
  5. Populate the corresponding expression from the table and choose Save.

The format of the expression is the role ARN (copied in the role creation step) followed by the IdP ARN (copied in the IdP creation step), separated by a comma.
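The following Python script is an added example, not code from this post, Ping One, or AWS: it simulates how the group-to-role expression above, the trust policy's aws:RequestTag/user-role condition, and QuickSightUserCreationPolicy combine to decide which QuickSight registration call a federated user may make. The account ID in the ARNs and the user records are constructed placeholders.

```python
# Constructed placeholders: the account ID, role ARN and IdP ARN are not from the post.
ROLE_ARN = "arn:aws:iam::111122223333:role/QSPingOneFederationRole"
IDP_ARN = "arn:aws:iam::111122223333:saml-provider/PingOne"
SIGNIN_AUD = "https://signin.aws.amazon.com/saml"
TAG_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:user-role"

# Same precedence as the Ping One ternary chain: Admins first, then Authors, then Readers.
GROUP_TO_TAG = [("QuickSightAdmins", "QuickSightAdmins"),
                ("QuickSightAuthors", "QuickSightAuthors"),
                ("QuickSightReaders", "QuickSightReaders")]

# Mirrors QuickSightUserCreationPolicy: StringEquals on aws:PrincipalTag/user-role per action.
TAG_TO_ACTION = {"QuickSightAdmins": "quicksight:CreateAdmin",
                 "QuickSightAuthors": "quicksight:CreateUser",
                 "QuickSightReaders": "quicksight:CreateReader"}

def user_role_tag(group_names):
    """Evaluate the #data.containsAny(...) chain: first matching group wins, else None (null)."""
    for group, tag in GROUP_TO_TAG:
        if group in group_names:
            return tag
    return None

def build_saml_attributes(username, group_names):
    """Attributes Ping One emits according to the post's attribute-mapping table."""
    attrs = {"saml_subject": username,
             "https://aws.amazon.com/SAML/Attributes/RoleSessionName": username,
             "https://aws.amazon.com/SAML/Attributes/Role": f"{ROLE_ARN},{IDP_ARN}"}
    tag = user_role_tag(group_names)
    if tag is not None:          # a null expression result means no tag attribute is sent
        attrs[TAG_ATTR] = tag
    return attrs

def trust_policy_allows(attrs, audience):
    """Trust policy conditions: SAML:aud must equal the AWS sign-in URL, and
    aws:RequestTag/user-role must match StringLike "*". "*" matches any value, but a
    missing condition key makes StringLike false, so a user outside the three groups
    cannot assume the role at all. (The trust policy must also allow
    sts:AssumeRoleWithSAML and sts:TagSession for the tag to be accepted.)"""
    tag = attrs.get(TAG_ATTR)
    return audience == SIGNIN_AUD and tag is not None

def allowed_quicksight_action(username, group_names, audience=SIGNIN_AUD):
    """Which quicksight:Create* call the federated session may make, or None if denied."""
    attrs = build_saml_attributes(username, group_names)
    if not trust_policy_allows(attrs, audience):
        return None
    return TAG_TO_ACTION.get(attrs[TAG_ATTR])
```

A user who belongs to none of the three groups receives no user-role tag, so the trust policy denies the role outright instead of falling back to reader access.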

Test the application

In this section, you test your Ping One SSO configuration by using a Microsoft application.

  1. In the Ping One portal, under Identities, choose Groups.
  2. Choose a group and choose Add Users Individually.
  3. From the list of users, add the appropriate users to the group by choosing the plus sign.
  4. Choose Save.
  5. To test the connectivity, under Environment, choose Properties, then copy the URL under APPLICATION PORTAL URL.
  6. Browse to the URL in a private browsing window.
  7. Enter your user credentials and choose Sign On.
    Upon a successful sign-in, you're redirected to the All Applications page with a new application called Amazon QuickSight.
  8. Choose the Amazon QuickSight application to be redirected to the QuickSight console.

Note in the following screenshot that the user name at the top of the page shows as the Ping One federated user.

Summary

This post provided step-by-step instructions to configure federated SSO between Ping One and the QuickSight console. We also discussed how to create policies and roles in IAM and map groups in Ping One to IAM roles for secure access to the QuickSight console.

For additional discussions and help getting answers to your questions, check out the QuickSight Community.


About the authors

Srikanth Baheti is a Specialized World Wide Sr. Solution Architect for Amazon QuickSight. He started his career as a consultant and worked for several private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high-traffic web applications and highly scalable and maintainable data pipelines for reporting platforms using AWS services and serverless computing.

Raji Sivasubramaniam is a Sr. Solutions Architect at AWS, focusing on Analytics. Raji is specialized in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with a wide variety of healthcare datasets, including managed market, physician targeting and patient analytics.

Raj Jayaraman is a Senior Specialist Solutions Architect for Amazon QuickSight. Raj focuses on helping customers develop sample dashboards, embed analytics and adopt BI design patterns and best practices.
