
Enable QuickSight with Identity Center

Using Microsoft Entra as External IdP

In the BJS region, QuickSight does not support the SAML authentication method (refer to the Appendix chapter). If you want to integrate with an existing SSO, for example Microsoft Entra ID, you need to enable AWS IAM Identity Center (AWS-SSO for short) with SAML support and carry out the federation over SAML 2.0.

Walkthrough

  • One Microsoft Entra tenant with at least a Microsoft Entra ID P1 license (link)
  • Enable an AWS-SSO account instance in this lab
    • If your account has joined AWS Organizations, you can instead enable AWS-SSO with an organization instance (link)
    • Refer to this blog for AWS-SSO deployment patterns (link)
  • Use a SAML IdP for AWS-SSO, integrating with the existing Microsoft Entra tenant
    • Follow this link
    • Complete Step 1, and:
      • Create a Microsoft 365 group for QuickSight and assign users to this group
      • Assign the group to the SSO application in Microsoft Entra directly (P1 license needed)
      • Verify the sign-in URL (account portal & app portal)
      • Do not forget firstName and lastName. If these properties are missing, SCIM sync will fail
    • Complete Step 2.2 (the other steps are only for the AWS-SSO organization instance)
    • Complete Step 3 and Step 4
  • Enable QuickSight
  • Assign the group to the reader/author/admin role in QuickSight
  • Create a VPC connection
  • Create a Redshift VPC endpoint
  • QuickSight will use the role aws-quicksight-service-role-v0 to access AWS resources
  • Open QuickSight

Another sample: use Okta as the IdP for AWS-SSO to log in to QuickSight

In this sample, Okta is used as the IdP for AWS-SSO, in place of the Microsoft Entra ID used in our lab. The sign-in process is shown here for your reference.

Using Identity Center local directory

Use the AWS-SSO local directory as the identity source. This mode works in both the global regions and the BJS region. No AWS Organizations is needed.

Walkthrough

  • Create user abcdeabcdeab in Identity Center (the user name needs to be 12+ characters)
  • Create a group with any name
  • Enable QuickSight at the account level with the user name and group name
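Both walkthroughs above name a user-record requirement that only surfaces after the fact: the SCIM sync from Microsoft Entra fails when firstName/lastName are missing, and the local-directory user name must be 12+ characters. The pre-flight check below is an added example, not part of this lab or of any AWS tooling; it runs over constructed user records in SCIM 2.0 shape, and the attribute names `name.givenName` / `name.familyName` are an assumption about what the Entra SCIM connector sends.

```python
"""Pre-flight check for users that Identity Center will sync or hold for QuickSight.

Checks the two failure modes from the walkthroughs before provisioning:
  * SCIM sync from Entra ID fails when firstName/lastName are missing,
    so every record needs name.givenName and name.familyName.
  * In Identity Center local-directory mode the user name must be 12+ chars.
The records below are constructed samples in SCIM 2.0 core-schema shape;
the attribute names are assumptions about what the SCIM connector sends.
"""
from typing import Dict, List

MIN_USERNAME_LEN = 12  # local-directory user name length from the walkthrough


def check_user(user: Dict, local_directory: bool = False) -> List[str]:
    """Return the problems found in one user record; an empty list means OK."""
    problems: List[str] = []
    name = user.get("name") or {}
    for attr in ("givenName", "familyName"):
        if not (name.get(attr) or "").strip():
            problems.append(f"missing name.{attr} (SCIM sync will fail)")
    user_name = user.get("userName", "")
    if not user_name:
        problems.append("missing userName")
    elif local_directory and len(user_name) < MIN_USERNAME_LEN:
        problems.append(f"userName shorter than {MIN_USERNAME_LEN} characters")
    return problems


def check_users(users: List[Dict], local_directory: bool = False) -> Dict[str, List[str]]:
    """Map each failing userName to its problems; users that pass are omitted."""
    return {
        u.get("userName", "<no userName>"): p
        for u in users
        if (p := check_user(u, local_directory))
    }


# Constructed sample records: one complete, one missing familyName with a
# short user name, one matching the 12-character local-directory example.
SAMPLE_USERS = [
    {"userName": "alice.example", "name": {"givenName": "Alice", "familyName": "Example"}},
    {"userName": "bob", "name": {"givenName": "Bob"}},
    {"userName": "abcdeabcdeab", "name": {"givenName": "Carol", "familyName": "Example"}},
]

if __name__ == "__main__":
    for user_name, problems in check_users(SAMPLE_USERS, local_directory=True).items():
        print(f"{user_name}: {'; '.join(problems)}")
```

Run it against the export of the group you assign to the QuickSight application before turning on SCIM, so a failed sync is not the first sign of a bad record.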

Appendix