Amazon QuickSight Enterprise version can combine along with your current Microsoft Lively Listing (AD), offering federated entry utilizing Safety Assertion Markup Language (SAML) to dashboards. Utilizing current identities from Lively Listing eliminates the necessity to create and handle separate person identities in AWS Id Entry Administration (IAM). Federated customers assume an IAM function when entry is requested via an identification supplier (IdP) equivalent to Lively Listing Federation Service (AD FS) primarily based on AD group membership. Though, you may join AD to QuickSight utilizing AWS Listing Service, this weblog focuses on federated logon to QuickSight Dashboards.
With identification federation, your customers get one-click entry to Amazon QuickSight purposes utilizing their current identification credentials. You even have the safety advantage of identification authentication by your IdP. You possibly can management which customers have entry to QuickSight utilizing your current IdP. Consult with Utilizing identification federation and single sign-on (SSO) with Amazon QuickSight for extra info.
On this put up, we reveal how you need to use a company e mail handle as an authentication possibility for signing in to QuickSight. This put up assumes you’ve an current Microsoft Lively Listing Federation Companies (ADFS) configured in your setting.
Answer overview
Whereas connecting to QuickSight from an IdP, your customers provoke the sign-in course of from the IdP portal. After the customers are authenticated, they’re routinely signed in to QuickSight. After QuickSight checks that they’re approved, your customers can entry QuickSight.
The next diagram exhibits an authentication circulate between QuickSight and a third-party IdP. On this instance, the administrator has arrange a sign-in web page to entry QuickSight. When a person indicators in, the sign-in web page posts a request to a federation service that complies with SAML 2.0. The tip-user initiates authentication from the sign-in web page of the IdP. For extra details about the authentication circulate, see Initiating sign-on from the identification supplier (IdP).
The answer consists of the next high-level steps:
- Create an identification supplier.
- Create IAM insurance policies.
- Create IAM roles.
- Configure AD teams and customers.
- Create a relying social gathering belief.
- Configure declare guidelines.
- Configure QuickSight single sign-on (SSO).
- Configure the relay state URL for QuickStart.
Conditions
The next are the stipulations to construct the answer defined on this put up:
- An current or newly deployed AD FS setting.
- An AD person with permissions to handle AD FS and AD group membership.
- An IAM person with permissions to create IAM insurance policies and roles, and administer QuickSight.
- The metadata doc out of your IdP. To obtain it, check with Federation Metadata Explorer.
Create an identification supplier
So as to add your IdP, full the next steps:
- On the IAM console, select Id suppliers within the navigation pane.
- Select Add supplier.
- For Supplier kind¸ choose SAML.
- For Supplier title, enter a reputation (for instance,
QuickSight_Federation
). - For Metadata doc, add the metadata doc you downloaded as a prerequisite.
- Select Add supplier.
- Copy the ARN of this supplier to make use of in a later step.
Create IAM insurance policies
On this step, you create IAM insurance policies that enable customers to entry QuickSight solely after federating their identities. To offer entry to QuickSight and in addition the flexibility to create QuickSight admins, authors (normal customers), and readers, use the next coverage examples.
The next code is the creator coverage:
The next code is the reader coverage:
The next code is the admin coverage:
Create IAM roles
You possibly can configure e mail addresses on your customers to make use of when provisioning via your IdP to QuickSight. To do that, add the sts:TagSession
motion to the belief relationship for the IAM function that you simply use with AssumeRoleWithSAML
. Be sure the IAM function names begin with ADFS-.
- On the IAM console, select Roles within the navigation pane.
- Select Create new function.
- For Trusted entity kind, choose SAML 2.0 federation.
- Select the SAML IdP you created earlier.
- Choose Permit programmatic and AWS Administration Console entry.
- Select Subsequent.
- Select the admin coverage you created, then select Subsequent.
- For Identify, enter
ADFS-ACCOUNTID-QSAdmin
. - Select Create.
- On the Belief relationships tab, edit the belief relationships as follows so you may cross principal tags when customers assume the function (present your account ID and IdP):
- Repeat this course of for the function
ADFS-ACCOUNTID-QSAuthor
and fix the creator IAM coverage. - Repeat this course of for the function
ADFS-ACCOUNTID-QSReader
and fix the reader IAM coverage.
Configure AD teams and customers
Now it’s essential to create AD teams that decide the permissions to register to AWS. Create an AD safety group for every of the three roles you created earlier. Observe that the group title ought to comply with identical format as your IAM function names.
One strategy for creating the AD teams that uniquely establish the IAM function mapping is by choosing a typical group naming conference. For instance, your AD teams would begin with an identifier, for instance AWS-, which is able to distinguish your AWS teams from others throughout the group. Subsequent, embody the 12-digit AWS account quantity. Lastly, add the matching function title throughout the AWS account. It is best to do that for every function and corresponding AWS account you want to help with federated entry. The next screenshot exhibits an instance of the naming conference we use on this put up.
Later on this put up, we create a rule to choose up AD teams beginning with AWS-, the rule will take away AWS-ACCOUNTID- from AD teams title to match the respective IAM function, which is why we use this naming conference right here.
Customers in Lively Listing can subsequently be added to the teams, offering the flexibility to imagine entry to the corresponding roles in AWS. You possibly can add AD customers to the respective teams primarily based on your corporation permissions mannequin. Observe that every person should have an e mail handle configured in Lively Listing.
Create a relying social gathering belief
So as to add a relying social gathering belief, full the next steps:
- Open the AD FS Administration Console.
- Select (right-click) Relying Get together Trusts, then select Add Relying Get together Belief.
- Select Claims conscious, then select Begin.
- Choose Import information concerning the relying social gathering printed on-line or on a neighborhood community.
- For Federation metadata handle, enter
https://signin.aws.amazon.com/static/saml-metadata.xml
. - Select Subsequent.
- Enter a descriptive show title, for instance Amazon QuickSight Federation, then select Subsequent.
- Select your entry management coverage (for this put up, Allow everybody), then select Subsequent.
- Within the Able to Add Belief part, select Subsequent.
- Depart the defaults, then select Shut.
Configure declare guidelines
On this part, you create declare guidelines that establish accounts, set LDAP attributes, get the AD teams, and match them to the roles created earlier. Full the next steps to create the declare guidelines for NameId, RoleSessionName, Get AD Teams, Roles, and (optionally) Session Length:
- Choose the relying social gathering belief you simply created, then select Edit Declare Issuance Coverage.
- Add a rule referred to as
NameId
with the next parameters:- For Declare rule template, select Remodel an Incoming Declare.
- For Declare rule title, enter NameId
- For Incoming declare kind, select Home windows account title.
- For Outgoing declare kind, select Identify ID.
- For Outgoing title ID format, select Persistent Identifier.
- Choose Go via all declare values.
- Select End.
- Add a rule referred to as
RoleSessionName
with the next parameters:- For Declare rule template, select Ship LDAP Attributes as Claims.
- For Declare rule title, enter
RoleSessionName
. - For Attribute retailer, select Lively Listing.
- For LDAP Attribute, select E-Mail-Addresses.
- For Outgoing declare kind, enter
https://aws.amazon.com/SAML/Attributes/RoleSessionName
. - Add one other E-Mail-Addresses LDAP attribute and for Outgoing declare kind, enter
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Electronic mail
. - Select OK.
- Add a rule referred to as
Get AD Teams
with the next parameters:- For Declare rule template, select Ship Claims Utilizing a Customized Rule.
- For Declare rule title, enter Get AD Teams
- For Customized Rule, enter the next code:
- Select OK.
- Add a rule referred to as
Roles
with the next parameters:- For Declare rule template, select Ship Claims Utilizing a Customized Rule.
- For Declare rule title, enter Roles
- For Customized Rule, enter the next code (present your account ID and IdP):
- Select End.
Optionally, you may create a rule referred to as Session Length
. This configuration determines how lengthy a session is open and lively earlier than customers are required to reauthenticate. The worth is in seconds. For this put up, we configure the rule for 8 hours.
- Add a rule referred to as
Session Length
with the next parameters:- For Declare rule template, select Ship Claims Utilizing a Customized Rule.
- For Declare rule title, enter
Session Length
. - For Customized Rule, enter the next code:
- Select End.
It is best to be capable to see these 5 declare guidelines, as proven within the following screenshot.
- Select OK.
- Run the next instructions in PowerShell in your AD FS server:
- Cease and begin the AD FS service from PowerShell:
Configure E-mail Syncing
With QuickSight Enterprise version built-in with an IdP, you may limit new customers from utilizing private e mail addresses. This implies customers can solely log in to QuickSight with their on-premises configured e mail addresses. This strategy permits customers to bypass manually coming into an e mail handle. It additionally ensures that customers can’t use an e mail handle which may differ from the e-mail handle configured in Lively Listing.
QuickSight makes use of the preconfigured e mail addresses handed via the IdP when provisioning new customers to your account. For instance, you may make it in order that solely corporate-assigned e mail addresses are used when customers are provisioned to your QuickSight account via your IdP. While you configure e mail syncing for federated customers in QuickSight, customers who log in to your QuickSight account for the primary time have preassigned e mail addresses. These are used to register their accounts.
To configure E-mail syncing for federated customers in QuickSight, full the next steps:
- Log in to your QuickSight dashboard with a QuickSight administrator account.
- Select the profile icon.
- On the drop-down menu, select on Handle QuickSight.
- Within the navigation pane, select Single sign-on (SSO).
- For Electronic mail Syncing for Federated Customers, choose ON, then select Allow within the pop-up window.
- Select Save.
Configure the relay state URL for QuickStart
To configure the relay state URL, full the next steps (revise the enter info as wanted to match your setting’s configuration):
- Use the ADFS RelayState Generator to generate your URL.
- For IDP URL String, enter
https://ADFSServerEndpoint/adfs/ls/idpinitiatedsignon.aspx
. - For Relying Get together Identifier, enter
urn:amazon:webservices
orhttps://signin.aws.amazon.com/saml
. - For Relay State/Goal App, enter your authenticated customers to entry. On this case, it’s
https://quicksight.aws.amazon.com
. - Select Generate URL.
- Copy the URL and cargo it in your browser.
You need to be introduced with a login to your IdP touchdown web page.
Be sure the person logging in has an e mail handle attribute configured in Lively Listing. A profitable login ought to redirect you to the QuickSight dashboard after authentication. In the event you’re not redirected to the QuickSight dashboard web page, be sure you ran the instructions listed earlier after you configured your declare guidelines.
Abstract
On this put up, we demonstrated tips on how to configure federated identities to a QuickSight dashboard and make sure that customers can solely register with preconfigured e mail handle in your current Lively Listing.
We’d love to listen to from you. Tell us what you suppose within the feedback part.
Concerning the Writer
Adeleke Coker is a World Options Architect with AWS. He helps clients globally speed up workload deployments and migrations at scale to AWS. In his spare time, he enjoys studying, studying, gaming and watching sport occasions.