Big Data

Enable federation to Amazon QuickSight with automatic provisioning of users between AWS IAM Identity Center and Microsoft Azure AD

Written by admin


Organizations are working towards centralizing their identity and access strategy across all their applications, including on-premises, third-party, and applications on AWS. Many organizations use identity providers (IdPs) based on OIDC or SAML-based protocols like Microsoft Azure Active Directory (Azure AD) and manage user authentication along with authorization centrally. This authorizes users to access Amazon QuickSight resources (analyses, dashboards, folders, and datasets) through centrally managed Azure AD and AWS IAM Identity Center (successor to AWS Single Sign-On).

IAM Identity Center is an authentication process that allows users to sign in to multiple applications with a single set of usernames and passwords. IAM Identity Center makes it easy to centrally manage access to multiple AWS accounts and business applications. It provides your workforce with single sign-on (SSO) access to all assigned accounts and applications from one place.

In this post, we walk you through the steps required to configure federated SSO along with automatic email sync between QuickSight and Azure AD via IAM Identity Center. We also demonstrate how System for Cross-domain Identity Management (SCIM) keeps your IAM Identity Center identities in sync with identities from your IdP.

Solution overview

The following is the reference architecture for configuring IAM Identity Center with Azure AD for automatic federation to QuickSight and the AWS Management Console.

The following are the steps involved to set up federated SSO from Azure to QuickSight:

  1. Configure Azure as an IdP in IAM Identity Center.
  2. Register an IAM Identity Center application in Azure AD.
  3. Configure the application in Azure AD.
  4. Enable automatic provisioning of users and groups.
  5. Enable email syncing for federated users in the QuickSight console.
  6. Create a QuickSight application in IAM Identity Center.
  7. Add the IAM Identity Center application as a SAML IdP.
  8. Configure AWS Identity and Access Management (IAM) policies and roles.
  9. Configure attribute mappings in IAM Identity Center.
  10. Validate federation to QuickSight from IAM Identity Center.

Prerequisites

To complete this walkthrough, you must have the following prerequisites:

  • An Azure AD subscription with Administrator permission.
  • A QuickSight account subscription with Administrator permission.
  • An IAM Administrator account.
  • An IAM Identity Center Administrator account.

Configure Azure as an IdP in IAM Identity Center

To configure Azure as an IdP, complete the following steps:

  1. On the IAM Identity Center console, choose Enable.
  2. Choose Choose your identity source.
  3. Select External identity provider to manage all users and groups.
  4. Choose Next.
  5. In the Configure external identity provider section, download the service provider metadata file.
  6. Save the AWS access portal sign-in URL, IAM Identity Center Assertion Consumer Service (ACS) URL, and IAM Identity Center issuer URL.
    These are used later in this post.
  7. Leave this tab open in your browser while proceeding to the next steps.

Register an IAM Identity Center application in Azure AD

To register an IAM Identity Center application in Azure AD, complete the following steps:

  1. Sign in to your Azure portal using an administrator account.
  2. Under Azure Services, choose Azure AD and under Manage, choose Enterprise applications.
  3. Choose New application.
  4. Choose Create your own application.
  5. Enter a name for the application.
  6. Select the option Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Choose Create.

Configure the application in Azure AD

To configure your application, complete the following steps:

  1. Under Enterprise applications, choose All applications and select the application created in the previous step.
  2. Under Manage, choose Single Sign-on.
  3. Choose SAML.
  4. Choose Single Sign-on to set up SSO with SAML.
  5. Choose Upload metadata file, and upload the file you downloaded from IAM Identity Center.
  6. Choose Edit to edit the Basic SAML Configuration section.
  • For Identifier (Entity ID), enter the IAM Identity Center issuer URL.
  • For Reply URL (Assertion Consumer Service URL), enter the IAM Identity Center ACS URL.
  7. Under SAML Signing Certificate, choose Download next to Federation Metadata XML.

We use this XML document in later steps when setting up the SAML provider in IAM and in IAM Identity Center.

  8. Leave this tab open in your browser while moving to the next steps.
  9. Switch to the IAM Identity Center tab to complete its setup.
  10. Under Identity provider metadata, choose IdP SAML metadata and upload the federation metadata XML file you downloaded.
  11. Review and confirm the changes.

Enable automatic provisioning of users and groups

IAM Identity Center supports the System for Cross-domain Identity Management (SCIM) v2.0 standard. SCIM keeps your IAM Identity Center identities in sync with external IdPs. This includes any provisioning, updates, and deprovisioning of users between the IdP and IAM Identity Center. To enable SCIM, complete the following steps:

  1. On the IAM Identity Center console, choose Settings in the navigation pane.
  2. Next to Automatic provisioning, choose Enable.
  3. Copy the SCIM endpoint and Access token.
  4. Switch to the Azure AD tab.
  5. On the Default Directory Overview page, under Manage, choose Users.
  6. Choose New user and Create new user(s).
    Make sure the user profile has valid information under First name, Last name, and Email attribute.
  7. Under Enterprise applications, choose All applications and select the application you created earlier.
  8. Under Manage, choose Users and groups.
  9. Choose Add user/group, and select the users you created earlier.
  10. Choose Assign.
  11. Under Manage, choose Provisioning and Get started.
  12. Select Provisioning Mode as Automatic.
  13. For Tenant URL, enter the SCIM endpoint.
  14. For Secret Token, enter the Access token.
  15. Choose Test Connection and Save.
  16. Under Provisioning, choose Start provisioning.

Make sure the user profile has valid information under First name, Last name, and Email attribute. This is the key value for email sync with QuickSight.

On the IAM Identity Center console, under Users, you can now see all the users provisioned from Azure AD.
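To make concrete what a SCIM sync pass does with the profiles created above, here is an added Python example written for this post (not Azure AD or IAM Identity Center code): it validates the First name, Last name and primary Email fields of SCIM v2 User resources and computes which users would be created, updated or deprovisioned. The SCIM field names follow RFC 7643; all sample users are constructed.

```python
"""Added example for this post (not AWS or Azure code): validate the profile
attributes the SCIM sync needs and compute the provisioning delta (create,
update, deprovision) between Azure AD and IAM Identity Center. The SCIM User
fields follow RFC 7643; all sample users are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ScimUser:
    user_name: str
    given_name: str
    family_name: str
    email: str
    active: bool = True


def parse_scim_user(resource: dict) -> ScimUser:
    """Return the sync-relevant fields of a SCIM v2 User, or raise ValueError when
    First name, Last name or a primary Email is missing (QuickSight email sync
    keys on the email, so such a profile is the defect the post warns about)."""
    user_name, name = resource.get("userName"), resource.get("name") or {}
    given, family = name.get("givenName"), name.get("familyName")
    primary = [e for e in resource.get("emails", []) if e.get("primary")]
    if not user_name:
        raise ValueError("userName is required")
    if not given or not family:
        raise ValueError(f"{user_name}: First name and Last name are required")
    if len(primary) != 1 or "@" not in primary[0].get("value", ""):
        raise ValueError(f"{user_name}: exactly one primary email is required")
    return ScimUser(user_name, given, family, primary[0]["value"].lower(),
                    bool(resource.get("active", True)))


def provisioning_delta(idp: list[ScimUser], sso: list[ScimUser]) -> dict[str, list[str]]:
    """One SCIM sync pass, matched on userName: active IdP-only users are created,
    users missing or disabled in the IdP are deprovisioned, differing ones updated."""
    idp_by, sso_by = {u.user_name: u for u in idp}, {u.user_name: u for u in sso}
    create = sorted(n for n, u in idp_by.items() if n not in sso_by and u.active)
    deprovision = sorted(n for n in sso_by if n not in idp_by or not idp_by[n].active)
    update = sorted(n for n in idp_by.keys() & sso_by.keys()
                    if idp_by[n].active and idp_by[n] != sso_by[n])
    return {"create": create, "update": update, "deprovision": deprovision}


# Constructed sample of what Azure AD pushes to the SCIM endpoint.
SAMPLE_IDP_USERS = [
    {"userName": "alice@example.com", "active": True,
     "name": {"givenName": "Alice", "familyName": "Ng"},
     "emails": [{"value": "Alice@example.com", "primary": True}]},
    {"userName": "bob@example.com", "active": False,  # disabled in Azure AD
     "name": {"givenName": "Bob", "familyName": "Ortiz"},
     "emails": [{"value": "bob@example.com", "primary": True}]},
]
# Constructed sample of what IAM Identity Center already holds.
SAMPLE_SSO_USERS = [
    ScimUser("bob@example.com", "Bob", "Ortiz", "bob@example.com"),
    ScimUser("carol@example.com", "Carol", "Diaz", "carol@example.com"),
]


def demo() -> dict[str, list[str]]:
    return provisioning_delta([parse_scim_user(r) for r in SAMPLE_IDP_USERS], SAMPLE_SSO_USERS)
```

Run `demo()` to see the delta for the constructed data: alice is created, bob (disabled in Azure AD) and carol (absent from Azure AD) are deprovisioned.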

Enable email syncing for federated users in the QuickSight console

Complete the following steps to enable email syncing for federated users:

  1. Sign in as an admin user to the QuickSight console and choose Manage QuickSight from the user name menu.
  2. Choose Single sign-on (SSO) in the navigation pane.
  3. Under Email Syncing for Federated Users, select ON.

Create a QuickSight application in IAM Identity Center

Complete the following steps to create a custom SAML 2.0 application in IAM Identity Center.

  1. On the IAM Identity Center console, choose Applications in the navigation pane.
  2. Choose Add application.
  3. Under Preintegrated applications, search for and choose Amazon QuickSight.
  4. Choose Next.
  5. For Display name, enter a name, such as Amazon QuickSight.
  6. For Description, enter a description.
  7. Download the IAM Identity Center SAML metadata file to use later in this post.
  8. For Application start URL, leave as is.
  9. For Relay state, enter https://quicksight.aws.amazon.com.
  10. For Session duration, choose your session duration. The recommended value is 8 hours.
  11. For Application ACS URL, enter https://signin.aws.amazon.com/saml.
  12. For Application SAML audience, enter urn:amazon:webservices.
  13. Choose Submit.
    After your settings are saved, your application configuration should look similar to the following screenshot.

You can now assign your users to this application, so that the application appears in their IAM Identity Center portal after login.

  14. On the application page, under Assigned users, choose Assign Users.
  15. Select your users.
  16. Optionally, if you want to enable multiple users in your organization to use QuickSight, the quickest and easiest way is to use IAM Identity Center groups.
  17. Choose Assign Users.

Add the IAM Identity Center application as a SAML IdP

Complete the following steps to configure IAM Identity Center as your SAML IdP:

  1. Open a new tab in your browser.
  2. Sign in to the IAM console in your AWS account with admin permissions.
  3. Choose Identity providers in the navigation pane.
  4. Choose Add provider.
  5. Select SAML for Provider type.
  6. For Provider name, enter IAM_Identity_Center.
  7. Choose Choose File to upload the metadata document you downloaded earlier from the Amazon QuickSight application.
  8. Choose Add Provider.
  9. On the summary page, record the value for the provider ARN (arn:aws:iam::<AccountID>:saml-provider/IAM_Identity_Center).

You’ll use this ARN while configuring claims rules later in this post.

Configure IAM policies

In this step, you create three IAM policies for different role permissions in QuickSight:

  • QuickSight-Federated-Admin
  • QuickSight-Federated-Author
  • QuickSight-Federated-Reader

Use the following steps to set up the QuickSight-Federated-Admin policy. This policy grants admin privileges in QuickSight to the federated user:

  1. On the IAM console, choose Policies in the navigation pane.
  2. Choose Create policy.
  3. Choose JSON and replace the existing text with the following code:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:CreateAdmin"
                ],
                "Resource": [
                    "arn:aws:quicksight::<yourAWSAccountID>:user/${aws:userid}"
                ]
            }
        ]
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and proceed. Optionally, you can also add a specific AWS Region in the ARN.

  4. Choose Review policy.
  5. For Name, enter QuickSight-Federated-Admin.
  6. Choose Create policy.
  7. Repeat these steps to create the QuickSight-Federated-Author policy using the following JSON code to grant author privileges in QuickSight to the federated user:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:CreateUser"
                ],
                "Resource": [
                    "arn:aws:quicksight::<yourAWSAccountID>:user/${aws:userid}"
                ]
            }
        ]
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and proceed. Optionally, you can also add a specific AWS Region in the ARN.

  8. Repeat these steps to create the QuickSight-Federated-Reader policy using the following JSON code to grant reader privileges in QuickSight to the federated user:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:CreateReader"
                ],
                "Resource": [
                    "arn:aws:quicksight::<yourAWSAccountID>:user/${aws:userid}"
                ]
            }
        ]
    }

Ignore the “Missing ARN Region: Add a Region to the quicksight resource ARN” error and proceed. Optionally, you can also add a specific AWS Region in the ARN.

Configure IAM roles

Next, create roles that your Azure AD and IAM Identity Center users assume when federating into QuickSight. The following steps set up the admin role:

  1. On the IAM console, choose Roles in the navigation pane.
  2. Choose Create role.
  3. For Select type of trusted entity, choose SAML 2.0 federation.
  4. For SAML provider, choose the provider you created earlier (IAM_Identity_Center).
  5. Select Allow programmatic and AWS Management Console access.
  6. For Attribute, make sure SAML:aud is selected.
  7. For Value, make sure https://signin.aws.amazon.com/saml is selected.
  8. Choose Next.
  9. Choose the QuickSight-Federated-Admin IAM policy you created earlier.
  10. Choose Next: Tags.
  11. Choose Next: Review.
  12. For Role name, enter QuickSight-Admin-Role.
  13. For Role description, enter a description.
  14. Choose Create role.
  15. On the IAM console, in the navigation pane, choose Roles.
  16. Choose the QuickSight-Admin-Role role you created to open the role’s properties.
  17. Record the role ARN to use later.
  18. On the Trust relationships tab, choose Edit trust policy.
  19. For the policy details, enter the following JSON:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<yourAWSAccountID>:saml-provider/IAM_Identity_Center"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {
                    "StringEquals": {
                        "SAML:aud": "https://signin.aws.amazon.com/saml"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<yourAWSAccountID>:saml-provider/IAM_Identity_Center"
                },
                "Action": "sts:TagSession",
                "Condition": {
                    "StringLike": {
                        "aws:RequestTag/Email": "*"
                    }
                }
            }
        ]
    }

  20. Choose Update Policy.
  21. Repeat these steps to create the roles QuickSight-Author-Role and QuickSight-Reader-Role. Attach the QuickSight-Federated-Author and QuickSight-Federated-Reader policies to their respective roles.
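As an added check (example code written for this post, not AWS code), the following Python builds the three QuickSight-Federated-* permission policies and the role trust policy above from a placeholder account id, then lints the properties worth confirming before attaching them: each permission policy grants exactly one quicksight:Create* action scoped to the caller's own user ARN, and the trust policy trusts only the IAM_Identity_Center provider, pins SAML:aud, and allows sts:TagSession so the Email tag from the attribute mapping is accepted.

```python
"""Added example for this post (not AWS code): generate the three
QuickSight-Federated-* policies and the role trust policy as the post
specifies them, then lint the properties a reviewer should confirm before
attaching them. The account id is a placeholder."""
ACCOUNT_ID = "111122223333"  # placeholder account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/IAM_Identity_Center"
SAML_AUD = "https://signin.aws.amazon.com/saml"
# One action per level, scoped to the caller's own QuickSight user via ${aws:userid}.
LEVEL_ACTION = {"Admin": "quicksight:CreateAdmin",
                "Author": "quicksight:CreateUser",
                "Reader": "quicksight:CreateReader"}
SELF_USER = f"arn:aws:quicksight::{ACCOUNT_ID}:user/${{aws:userid}}"


def permission_policy(level: str) -> dict:
    """QuickSight-Federated-<level> policy from the post."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": [LEVEL_ACTION[level]], "Resource": [SELF_USER]}]}


def trust_policy() -> dict:
    """Role trust policy from the post: AssumeRoleWithSAML pinned to our provider
    and audience, plus TagSession so the Email principal tag can be passed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
         "Action": "sts:AssumeRoleWithSAML",
         "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}},
        {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
         "Action": "sts:TagSession",
         "Condition": {"StringLike": {"aws:RequestTag/Email": "*"}}}]}


def _listify(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_permission_policy(policy: dict, level: str) -> list:
    """Findings for a QuickSight-Federated-<level> policy; an empty list means OK."""
    findings = []
    for s in policy.get("Statement", []):
        if set(_listify(s.get("Action"))) != {LEVEL_ACTION[level]}:
            findings.append(f"unexpected actions {s.get('Action')}")
        for r in _listify(s.get("Resource", "*")):
            if "*" in r or not r.endswith(":user/${aws:userid}"):
                findings.append(f"resource not scoped to the caller: {r}")
    return findings


def lint_trust_policy(policy: dict) -> list:
    """Check that only our provider is trusted, SAML:aud is pinned, and
    sts:TagSession is allowed (without it the Email session tag is rejected)."""
    findings, actions = [], set()
    for s in policy.get("Statement", []):
        acts = set(_listify(s.get("Action")))
        actions |= acts
        if s.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            findings.append(f"unexpected principal: {s.get('Principal')}")
        if "sts:AssumeRoleWithSAML" in acts:
            aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUD:
                findings.append("AssumeRoleWithSAML must pin SAML:aud")
    if "sts:TagSession" not in actions:
        findings.append("sts:TagSession missing: the Email session tag would be rejected")
    return findings
```

Passing a policy whose Resource was widened to "*" or whose trust policy lacks the sts:TagSession statement returns a finding for each, which is the case the lint exists to catch.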

Configure attribute mappings in IAM Identity Center

The final step is to configure the attribute mappings in IAM Identity Center. The attributes you map here become part of the SAML assertion that’s sent to the QuickSight application. You can choose which user attributes in your application map to corresponding user attributes in your connected directory. For more information, refer to Attribute mappings.

  1. On the IAM Identity Center console, choose Applications in the navigation pane.
  2. Select the Amazon QuickSight application you created earlier.
  3. On the Actions menu, choose Edit attribute mappings.
  4. Configure the following mappings (user attribute in the application, followed by the string value or user attribute in IAM Identity Center it maps to, and the format):
  • Subject: ${user:email} (format: emailAddress)
  • https://aws.amazon.com/SAML/Attributes/Role: arn:aws:iam::<YourAWSAccountID>:saml-provider/IAM_Identity_Center,arn:aws:iam::<YourAWSAccountID>:role/QuickSight-Admin-Role (format: unspecified)
  • https://aws.amazon.com/SAML/Attributes/RoleSessionName: ${user:email} (format: unspecified)
  • https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email: ${user:email} (format: url)
  5. Choose Save changes.
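To show what these mappings produce, here is an added Python example (written for this post, not AWS code) that parses a constructed, unsigned SAML AttributeStatement carrying the Role, RoleSessionName and PrincipalTag:Email attributes above, splits the Role value into the provider and role ARNs that AssumeRoleWithSAML consumes, and rejects an assertion that names another provider or a role outside the three QuickSight roles. The account id, email and the expected provider and role ARNs are placeholders.

```python
"""Added example for this post (not AWS code): what the attribute mappings
above put into the SAML assertion, and how the Role value is split into the
(provider ARN, role ARN) pair that AssumeRoleWithSAML consumes. The assertion
is a constructed, unsigned fragment; account id and email are placeholders."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
ACCOUNT_ID = "111122223333"  # placeholder account id
EXPECTED_PROVIDER = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/IAM_Identity_Center"
ALLOWED_ROLES = {f"arn:aws:iam::{ACCOUNT_ID}:role/QuickSight-{lvl}-Role"
                 for lvl in ("Admin", "Author", "Reader")}

# Constructed sample: the AttributeStatement the mappings above produce.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR}Role">
      <saml:AttributeValue>{EXPECTED_PROVIDER},arn:aws:iam::{ACCOUNT_ID}:role/QuickSight-Admin-Role</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}PrincipalTag:Email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml: str) -> dict:
    """Collect each AttributeStatement attribute as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name", ""): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def federation_request(assertion_xml: str) -> dict:
    """Derive the AssumeRoleWithSAML inputs and check them against what this
    post configured. Raises ValueError for a foreign provider, a role outside
    the three QuickSight roles, several roles, or a missing Email tag."""
    attrs = attributes(assertion_xml)
    roles = attrs.get(AWS_ATTR + "Role", [])
    if len(roles) != 1:
        raise ValueError(f"expected exactly one Role value, got {len(roles)}")
    parts = [p.strip() for p in roles[0].split(",")]
    # The pair may be listed in either order (this post puts the provider first).
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(parts) != 2 or len(providers) != 1:
        raise ValueError("Role value must be one 'providerArn,roleArn' pair")
    provider_arn = providers[0]
    role_arn = next(p for p in parts if p != provider_arn)
    if provider_arn != EXPECTED_PROVIDER:
        raise ValueError(f"assertion names another provider: {provider_arn}")
    if role_arn not in ALLOWED_ROLES:
        raise ValueError(f"not one of the QuickSight roles: {role_arn}")
    email = (attrs.get(AWS_ATTR + "PrincipalTag:Email") or [""])[0]
    if "@" not in email:
        raise ValueError("PrincipalTag:Email missing; QuickSight email sync needs it")
    return {"PrincipalArn": provider_arn, "RoleArn": role_arn,
            "RoleSessionName": (attrs.get(AWS_ATTR + "RoleSessionName") or [""])[0],
            "Tags": {"Email": email}}
```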

Validate federation to QuickSight from IAM Identity Center

On the IAM Identity Center console, note down the user portal URL available on the Settings page. We recommend you sign out of your AWS account first, or open an incognito browser window. Navigate to the user portal URL, sign in with the credentials of an AD user, and choose your QuickSight application.

You’re automatically redirected to the QuickSight console.

Summary

This post provided step-by-step instructions to configure federated SSO with Azure AD as the IdP via IAM Identity Center. We also discussed how SCIM keeps your IAM Identity Center identities in sync with identities from your IdP. This includes any provisioning, updating, and deprovisioning of users between your IdP and IAM Identity Center.

If you have any questions or feedback, please leave a comment.

For additional discussions and help getting answers to your questions, check out the QuickSight Community.


About the authors

Aditya Ravikumar is a Solutions Architect at Amazon Web Services. He is based in Seattle, USA. Aditya’s core interests include software development, databases, data analytics and machine learning. He works with AWS customers/partners to provide guidance and technical assistance to transform their business through innovative use of cloud technologies.

Srikanth Baheti is a Specialized World Wide Sr. Solution Architect for Amazon QuickSight. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high traffic web applications, highly scalable and maintainable data pipelines for reporting platforms using AWS services and Serverless computing.

Raji Sivasubramaniam is a Sr. Solutions Architect at AWS, focusing on Analytics. Raji is specialized in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with a wide variety of healthcare datasets including managed market, physician targeting and patient analytics.
