Set up customers and organization memberships on Amazon QuickSight the usage of SCIM occasions generated in IAM Identification Heart with Azure AD

Amazon QuickSight is cloud-native, scalable trade intelligence (BI) provider that helps id federation. AWS Identification and Get right of entry to Control (IAM) permits organizations to make use of the identities controlled of their endeavor id service (IdP) and federate unmarried sign-on (SSO) to QuickSight. As extra organizations are development centralized person id shops with all their packages, together with on-premises apps, third-party apps, and packages on AWS, they want a approach to automate person provisioning into those packages and stay their attributes in sync with their centralized person id retailer.

When architecting a person repository, some organizations make a decision to arrange their customers in teams or use attributes (similar to branch call), or a mixture of each. If your company makes use of Microsoft Azure Lively Listing (Azure AD) for centralized authentication and makes use of its person attributes to arrange the customers, you’ll be able to allow federation throughout all QuickSight accounts in addition to set up customers and their organization club in QuickSight the usage of occasions generated within the AWS platform. This permits gadget directors to centrally set up person permissions from Azure AD. Provisioning, updating, and de-provisioning customers and teams in QuickSight now not calls for control in two puts with this answer. This makes certain that customers and teams in QuickSight keep in keeping with knowledge in Azure AD via automated synchronization.

On this publish, we stroll you throughout the steps required to configure federated SSO between QuickSight and Azure AD by way of AWS IAM Identification Heart (Successor to AWS Unmarried Signal-On) the place automated provisioning is enabled for Azure AD. We additionally reveal automated person and organization club replace the usage of a Machine for Move-domain Identification Control (SCIM) occasion.

Resolution review

The next diagram illustrates the answer structure and person go with the flow.

On this publish, IAM Identification Heart supplies a central position to carry in combination management of customers and their get right of entry to to AWS accounts and cloud packages. Azure AD is the person repository and configured because the exterior IdP in IAM Identification Heart. On this answer, we reveal the usage of two person attributes (branch, jobTitle) in particular in Azure AD. IAM Identification Heart helps automated provisioning (synchronization) of person and organization knowledge from Azure AD into IAM Identification Heart the usage of the SCIM v2.0 protocol. With this protocol, the attributes from Azure AD are handed alongside to IAM Identification Heart, which inherits the outlined characteristic for the person’s profile in IAM Identification Heart. IAM Identification Heart additionally helps id federation with SAML (Safety Statement Markup Language) 2.0. This permits IAM Identification Heart to authenticate identities the usage of Azure AD. Customers can then SSO into packages that toughen SAML, together with QuickSight. The primary part of this publish specializes in how one can configure this finish to finish (see Signal-In Drift within the diagram).

Subsequent, person knowledge begins to get synchronized between Azure AD and IAM Identification Heart by way of SCIM protocol. You’ll automate making a person in QuickSight the usage of an AWS Lambda serve as brought on via the CreateUser SCIM occasion originated from IAM Identification Heart, which used to be captured in Amazon EventBridge. In the similar Lambda serve as, you’ll be able to due to this fact replace the person’s club via including into the required organization (whose call is produced from two person attributes: department-jobTitle, another way create the gang if it doesn’t exist but, previous to including the club.

On this publish, this automation phase is overlooked as a result of it will be redundant with the content material mentioned within the following sections.

This publish explores and demonstrates an UpdateUser SCIM occasion brought on via the person profile replace on Azure AD. The development is captured in EventBridge, which invokes a Lambda serve as to replace the gang club in QuickSight (see Replace Drift within the diagram). As a result of a given person is meant to belong to just one organization at a time on this instance, the serve as will change the person’s present organization club with the brand new one.

In Phase I, you place up SSO to QuickSight from Azure AD by way of IAM Identification Heart (the sign-in go with the flow):

1. Configure Azure AD because the exterior IdP in IAM Identification Heart.
2. Upload and configure an IAM Identification Heart utility in Azure AD.
3. Entire configuration of IAM Identification Heart.
4. Arrange SCIM automated provisioning on each Azure AD and IAM Identification Heart, and ensure in IAM Identification Heart.
5. Upload and configure a QuickSight utility in IAM Identification Heart.
6. Configure a SAML IdP and SAML 2.0 federation IAM position.
7. Configure attributes within the QuickSight utility.
8. Create a person, organization, and organization club manually by way of the AWS Command Line Interface (AWS CLI) or API.
9. Test the configuration via logging in to QuickSight from the IAM Identification Heart portal.

In Phase II, you place up automation to modify organization club upon an SCIM occasion (the replace go with the flow):

1. Perceive SCIM occasions and occasion patterns for EventBridge.
2. Create characteristic mapping for the gang call.
3. Create a Lambda serve as.
4. Upload an EventBridge rule to cause the development.
5. Test the configuration via converting the person characteristic worth at Azure AD.

Necessities

For this walkthrough, you will have the next necessities:

• IAM Identification Heart. For directions, confer with Steps 1–2 within the AWS IAM Identification Heart Getting Began information.
• A QuickSight account subscription.
• Elementary working out of IAM and privileges required to create an IAM IdP, roles, and insurance policies.
• An Azure AD subscription. You wish to have no less than one person with the next attributes to be registered in Azure AD:
  • userPrincipalName – Obligatory box for Azure AD person.
  • displayName – Obligatory box for Azure AD person.
  • Mail – Obligatory box for IAM Identification Heart to paintings with QuickSight.
  • jobTitle – Used to allocate person to organization
  • branch – Used to allocate person to organization.
  • givenName – Non-compulsory box.
  • surname – Non-compulsory box.

Phase I: Arrange SSO to QuickSight from Azure AD by way of IAM Identification Heart

This segment gifts the stairs to arrange the sign-in go with the flow.

Configure an exterior IdP as Azure AD in IAM Identification Heart

To configure your exterior IdP, whole the next steps:

1. At the IAM Identification Heart console, select Settings.
2. Make a selection Movements at the Identification supply tab, then select Exchange id supply.
3. Make a selection Exterior id service, then select Subsequent.

The IdP metadata is displayed. Stay this browser tab open.

Upload and configure an IAM Identification Heart utility in Azure AD

To arrange your IAM Identification Heart utility, whole the next steps:

1. Open a brand new browser tab.
2. Log in to the Azure AD portal the usage of your Azure administrator credentials.
3. Below Azure products and services, select Azure Lively Listing.
4. Within the navigation pane, beneath Set up, select Endeavor packages, then select New utility.
5. Within the Browse Azure AD Galley segment, seek for IAM Identification Heart, then select AWS IAM Identification Heart (successor to AWS Unmarried Signal-On).
   
6. Input a reputation for the appliance (on this publish, we use IIC-QuickSight) and select Create.
7. Within the Set up segment, select Unmarried sign-on, then select SAML.
8. Within the Assign customers and teams segment, select Assign customers and teams.
9. Make a selection Upload person/organization and upload no less than one person.
10. Make a choice Consumer as its position.
11. Within the Arrange unmarried signal on segment, select Get began.
12. Within the Elementary SAML Configuration segment, select Edit, and fill out following parameters and values:
13. Identifier – The worth within the IAM Identification Heart issuer URL box.
14. Answer URL – The worth within the IAM Identification Heart Statement Shopper Carrier (ACS) URL box.
15. Signal on URL – Depart clean.
16. Relay State – Depart clean.
17. Logout URL – Depart clean.
18. Make a selection Save.

The configuration will have to seem like the next screenshot.

19. Within the SAML Certificate segment, obtain the Federation Metadata XML report and the Certificates (Uncooked) report.
    

You’re all set with Azure AD SSO configuration at this second. In a while, you’ll go back to this web page to configure computerized provisioning, so stay this browser tab open.

Entire configuration of IAM Identification Heart

Entire your IAM Identification Heart configuration with the next steps:

1. Return to the browser tab for IAM Identification Heart console which you may have stored open in earlier step.
2. For IdP SAML metadata beneath the Identification service metadata segment, select Make a selection report.
3. Make a selection the up to now downloaded metadata report (IIC-QuickSight.xml).
4. For IdP certificates beneath the Identification service metadata segment, select Make a selection report.
5. Make a selection the up to now downloaded certificates report (IIC-QuickSight.cer).
6. Make a selection Subsequent.
7. Input ACCEPT, then select Exchange Identification service supply.

Arrange SCIM automated provisioning on each Azure AD and IAM Identification Heart

Your provisioning approach continues to be set as Guide (non-SCIM). On this step, we allow automated provisioning in order that IAM Identification Heart turns into acutely aware of the customers, which permits id federation to QuickSight.

1. Within the Computerized provisioning segment, select Allow.
   
2. Make a selection Get right of entry to token to turn your token.
   
3. Return to the browser tab (Azure AD), which you stored open in Step 1.
4. Within the Set up segment, select Endeavor packages.
5. Make a selection IIC-QuickSight, then select Provisioning.
6. Make a selection Computerized in Provisioning Mode and input the next values:
7. Tenant URL – The worth within the SCIM endpoint box.
8. Secret Token – The worth within the Get right of entry to token box.
9. Make a selection Take a look at Connection.
10. After the take a look at connection is effectively whole, set Provisioning Standing to On.
    
11. Make a selection Save.
12. Make a selection Get started provisioning to begin automated provisioning the usage of the SCIM protocol.

When provisioning is whole, it’ll lead to propagating a number of customers from Azure AD to IAM Identification Heart. The next screenshot presentations the customers that have been provisioned in IAM Identification Heart.

Observe that upon this SCIM provisioning, the customers in QuickSight will have to be created the usage of the Lambda serve as brought on via the development originated from IAM Identification Heart. On this publish, we create a person and organization club by way of the AWS CLI (Step 8).

Upload and configure a QuickSight utility in IAM Identification Heart

On this step, we create a QuickSight utility in IAM Identification Heart. You additionally configure an IAM SAML service, position, and coverage for the appliance to paintings. Entire the next steps:

1. At the IAM Identification Heart console, at the Programs web page, select Upload Utility.
2. For Pre-integrated utility beneath Make a choice an utility, input quicksight.
3. Make a choice Amazon QuickSight, then select Subsequent.
4. Input a reputation for Show call, similar to Amazon QuickSight.
5. Make a selection Obtain beneath IAM Identification Heart SAML metadata report and reserve it on your laptop.
6. Depart all different fields as they’re, and save the configuration.
7. Open the appliance you’ve simply created, then select Assign Customers.

The customers provisioned by way of SCIM previous will likely be indexed.

8. Make a selection the entire customers to assign to the appliance.

Configure a SAML IdP and a SAML 2.0 federation IAM position

To arrange your IAM SAML IdP for IAM Identification Heart and IAM position, whole the next steps:

1. At the IAM console, within the navigation pane, select Identification suppliers, then select Upload service.
2. Make a selection SAML as Supplier kind, and input Azure-IIC-QS as Supplier call.
3. Below Metadata report, select Make a selection report and add the metadata report you downloaded previous.
4. Make a selection Upload service to avoid wasting the configuration.
5. Within the navigation pane, select Roles, then select Create position.
6. For Relied on entity kind, make a selection SAML 2.0 federation.
7. For Make a selection a SAML 2.0 service, make a selection the SAML service that you simply created, then select Permit programmatic and AWS Control Console get right of entry to.
8. Make a selection Subsequent.
9. At the Upload Permission web page, select Subsequent.

On this publish, we create QuickSight customers by way of an AWS CLI command, due to this fact we’re no longer growing any permission coverage. Alternatively, if the self-provisioning function in QuickSight is needed, the permission coverage for the CreateReader, CreateUser, and CreateAdmin movements (relying at the position of the QuickSight customers) is needed.

10. At the Title, overview, and create web page, beneath Position main points, input qs-reader-azure for the position.
11. Make a selection Create position.
12. Observe the ARN of the position.

You employ the ARN to configure attributes on your IAM Identification Heart utility.

Configure attributes within the QuickSight utility

To affiliate the IAM SAML IdP and IAM position to the QuickSight utility in IAM Identification Heart, whole the next steps:

1. At the IAM Identification Heart console, within the navigation pane, select Programs.
2. Make a choice the Amazon QuickSight utility, and at the Movements menu, select Edit characteristic mappings.
3. Make a selection Upload new characteristic mapping.
4. Configure the mappings within the following desk.

Observe the next values:

• Change <ACCOUNTID> along with your AWS account ID.
• PrincipalTag:Electronic mail is for the e-mail syncing function for self-provisioning customers that wish to be enabled at the QuickSight admin web page. On this publish, don’t allow this selection as a result of we sign up the person with an AWS CLI command.

5. Make a selection Save adjustments.

Create a person, organization, and organization club with the AWS CLI

As described previous, customers and teams in QuickSight are being created manually on this answer. We create them by way of the next AWS CLI instructions.

Step one is to create a person in QuickSight specifying the IAM position created previous and e-mail deal with registered in Azure AD. The second one step is to create a bunch with the gang call as blended characteristic values from Azure AD for the person created in step one. The 1/3 step is so as to add the person into the gang created previous; member-name signifies the person call created in QuickSight this is produced from <IAM Position call>/<consultation call>. See the next code:

aws quicksight register-user 
--aws-account-id <ACCOUNTID> --namespace default 
--identity-type IAM --email <e-mail registered in Azure AD> 
--user-role READER --iam-arn arn:aws:iam::<ACCOUNTID>:position/qs-reader-azure 
--session-name <e-mail registered in Azure AD>

 aws quicksight create-group 
--aws-account-id <ACCOUNTID> --namespace default 
--group-name Advertising and marketing-Specialist

 aws quicksight create-group-membership 
--aws-account-id <ACCOUNTID> --namespace default 
--member-name qs-reader-azure/<e-mail registered in Azure AD> 
–-group-name Advertising and marketing-Specialist

At this level, the end-to-end configuration of Azure AD, IAM Identification Heart, IAM, and QuickSight is whole.

Test the configuration via logging in to QuickSight from the IAM Identification Heart portal

Now you’re able to log in to QuickSight the usage of the IdP-initiated SSO go with the flow:

1. Open a brand new non-public window on your browser.
2. Log in to the IAM Identification Heart portal (https://d-xxxxxxxxxx.awsapps.com/get started).

You’re redirected to the Azure AD login instructed.

3. Input your Azure AD credentials.

You’re redirected again to the IAM Identification Heart portal.

4. Within the IAM Identification Heart portal, select Amazon QuickSight.

You’re routinely redirected for your QuickSight house.

Phase II: Automate organization club exchange upon SCIM occasions

On this segment, we configure the replace go with the flow.

Perceive the SCIM occasion and occasion development for EventBridge

When an Azure AD administrator makes any adjustments to the attributes at the specific person profile, the exchange will likely be synced with the person profile in IAM Identification Heart by way of SCIM protocol, and the task is recorded in an AWS CloudTrail occasion known as UpdateUser via sso-directory.amazonaws.com (IAM Identification Heart) as the development supply. In a similar fashion, the CreateUser occasion is recorded when a person is created on Azure AD, and the DisableUser occasion is for when a person is disabled.

The next screenshot at the  Match historical past web page presentations two CreateUser occasions: one is recorded via IAM Identification Heart, and the opposite one is via QuickSight. On this publish, we use the only from IAM Identification Heart.

To ensure that EventBridge so as to care for the go with the flow correctly, each and every occasion should specify the fields of an occasion that you need the development development to check. The next occasion development is an instance of the UpdateUser occasion generated in IAM Identification Heart upon SCIM synchronization:

{
  "supply": ["aws.sso-directory"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "element": {
    "eventSource": ["sso-directory.amazonaws.com"],
    "eventName": ["UpdateUser"]
  }
}

On this publish, we reveal an automated replace of organization club in QuickSight this is brought on via the UpdateUser SCIM occasion.

Create characteristic mapping for the gang call

To ensure that the Lambda serve as to regulate organization club in QuickSight, it should download the 2 person attributes (branch and jobTitle). To make the method more effective, we’re combining two attributes in Azure AD (branch, jobTitle) into one characteristic in IAM Identification Heart (identify), the usage of the characteristic mappings function in Azure AD. IAM Identification Heart then makes use of the identify characteristic as a chosen organization call for this person.

1. Log in to the Azure AD console, navigate to Endeavor Programs, IIC-QuickSight, and Provisioning.
2. Make a selection Edit characteristic mappings.
3. Below Mappings, select Provision Azure Lively Listing Customers.
   
4. Make a selection jobTitle from the record of Azure Lively Listing Attributes.
5. Exchange the next settings:
   1. Mapping Sort – Expression
   2. Expression – Sign up for("-", [department], [jobTitle])
   3. Goal characteristic – identify
      
6. Make a selection Save.
7. You’ll go away the provisioning web page.

The characteristic is routinely up to date in IAM Identification Heart. The up to date person profile seems like the next screenshots (Azure AD at the left, IAM Identification Heart at the proper).

Create a Lambda serve as

Now we create a Lambda serve as to replace QuickSight organization club upon the SCIM occasion. The core a part of the serve as is to acquire the person’s identify characteristic worth in IAM Identification Heart in response to the brought on occasion knowledge, after which to be sure that the person exists in QuickSight. If the gang call doesn’t exist but, it creates the gang in QuickSight after which provides the person into the gang. Entire the next steps:

1. At the Lambda console, select Create serve as.
2. For Title, input UpdateQuickSightUserUponSCIMEvent.
3. For Runtime, select Python 3.9.
4. For Time Out, set to fifteen seconds.
5. For Permissions, create and fasten an IAM position that incorporates the next permissions (the depended on entity (primary) will have to be lambda.amazonaws.com):

   {
       "Model": "2012-10-17",
       "Commentary": [
           {
               "Sid": "MinimalPrivForScimQsBlog",
               "Effect": "Allow",
               "Action": [
                   "identitystore:DescribeUser",
                   "quicksight:RegisterUser",
                   "quicksight:DescribeUser",
                   "quicksight:CreateGroup",
                   "quicksight:DeleteGroup",
                   "quicksight:DescribeGroup",
                   "quicksight:ListUserGroups",
                   "quicksight:CreateGroupMembership",
                   "quicksight:DeleteGroupMembership",
                   "quicksight:DescribeGroupMembership",
                   "logs:CreateLogGroup",
                   "logs:CreateLogStream",
                   "logs:PutLogEvents"
               ],
               "Useful resource": "*"
           }
       ]
   }

6. Write Python code the usage of the Boto3 SDK for IdentityStore and QuickSight. The next is all of the pattern Python code:

import sys
import boto3
import json
import logging
from time import strftime
from datetime import datetime

# Set logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(occasion, context):
  '''
  Alter QuickSight organization club upon SCIM occasion from IAM Identification Heart originated from Azure AD.
  It really works on this method:
    Azure AD -> SCIM -> Identification Heart -> CloudTrail -> EventBridge -> Lambda -> QuickSight
  Observe that it is a simple pattern to turn how one can replace QuickSight organization club upon sure SCIM occasion.
  For instance, it assumes that 1:1 user-to-group assigmnent, just one (blended) SAML characteristic, and many others. 
  For manufacturing, take buyer necessities into consideration and expand your personal code.
  '''

  # Surroundings variables (hard-coded. get dynamically for manufacturing code)
  qs_namespace_name="default"
  qs_iam_role="qs-reader-azure"

  # Download account ID and area
  account_id = boto3.shopper('sts').get_caller_identity()['Account']
  area = boto3.consultation.Consultation().region_name

  # Setup purchasers
  qs = boto3.shopper('quicksight')
  iic = boto3.shopper('identitystore')

  # Test boto3 model
  logger.debug(f"## Your boto3 model: {boto3.__version__}")

  # Get person data from occasion knowledge
  event_json = json.dumps(occasion)
  logger.debug(f"## Match: {event_json}")
  iic_store_id = occasion['detail']['requestParameters']['identityStoreId']
  iic_user_id = occasion['detail']['requestParameters']['userId']  # For UpdateUser occasion, userId is supplied via requestParameters
  logger.data("## Getting person data from Identification Retailer.")
  check out:
    res_iic_describe_user = iic.describe_user(
      IdentityStoreId = iic_store_id,
      UserId = iic_user_id
    )
  apart from Exception as e:
    logger.error("## Operation failed because of unknown error. Exiting.")
    logger.error(e)
    sys.go out()
  else:
    logger.data(f"## Consumer data retrieval succeeded.")
    azure_user_attribute_title = res_iic_describe_user['Title']
    azure_user_attribute_userprincipalname = res_iic_describe_user['UserName']
    qs_user_name = qs_iam_role + "/" + azure_user_attribute_userprincipalname
    logger.data(f"#### Identification Heart person call: {azure_user_attribute_userprincipalname}")
    logger.data(f"#### QuickSight organization call desired: {azure_user_attribute_title}")
    logger.debug(f"#### res_iic_describe_user: {json.dumps(res_iic_describe_user)}, which is {kind(res_iic_describe_user)}")

  # Go out if person isn't provide since this serve as is meant to be known as via UpdateUser occasion
  check out:
    # Get QuickSight person call
    res_qs_describe_user = qs.describe_user(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  apart from qs.exceptions.ResourceNotFoundException as e:
    logger.error(f"## Consumer {qs_user_name} isn't present in QuickSight.")
    logger.error(f"## Be certain the QuickSight person has been created upfront. Exiting.")
    logger.error(e)
    sys.go out()
  apart from Exception as e:
    logger.error("## Operation failed because of unknown error. Exiting.")
    logger.error(e)
    sys.go out()
  else:
    logger.data(f"## Consumer {qs_user_name} is located in QuickSight.")

  # Take away present club except it is the desired one
  qs_new_group = azure_user_attribute_title  # Set "Name" SAML characteristic as the required QuickSight organization call
  in_desired_group = False  # Set this flag True when the person is already a member of the required organization
  logger.data(f"## Beginning organization club elimination.")
  check out:
    res_qs_list_user_groups = qs.list_user_groups(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  apart from Exception as e:
    logger.error("## Operation failed because of unknown error. Exiting.")
    logger.error(e)
    sys.go out()
  else:
    # Skip if the array is empty (person isn't member of any teams)
    if no longer res_qs_list_user_groups['GroupList']:
      logger.data(f"## Consumer {qs_user_name} isn't a member of any QuickSight organization. Skipping elimination.")
    else:
      for grp in res_qs_list_user_groups['GroupList']:
        qs_current_group = grp['GroupName']
        # Retain club if the brand new and present organization names fit
        if qs_current_group == qs_new_group:
          logger.data(f"## The person {qs_user_name} already belong to the required organization. Skipping elimination.")
          in_desired_group = True
        else:
          # Take away all pointless memberships
          logger.data(f"## Doing away with person {qs_user_name} from present organization {qs_current_group}.")
          check out:
            res_qs_delete_group_membership = qs.delete_group_membership(
              MemberName = qs_user_name,
              GroupName = qs_current_group,
              AwsAccountId = account_id,
              Namespace = qs_namespace_name
            )
          apart from Exception as e:
            logger.error(f"## Operation failed because of unknown error. Exiting.")
            logger.error(e)
            sys.go out()
          else:
            logger.data(f"## The person {qs_user_name} has got rid of from {qs_current_group}.")

  # Create organization club in response to IIC characteristic "Name"
  logger.data(f"## Beginning organization club task.")
  if in_desired_group is True:
      logger.data(f"## The person already belongs to the required one. Skipping task.")
  else:
    check out:
      logger.data(f"## Checking if the required organization exists.")
      res_qs_describe_group = qs.describe_group(
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    apart from qs.exceptions.ResourceNotFoundException as e:
      # Create a QuickSight organization if no longer provide
      logger.data(f"## Crew {qs_new_group} isn't provide. Growing.")
      these days = datetime.now()
      res_qs_create_group = qs.create_group(
        GroupName = qs_new_group,
        Description = 'Routinely created at ' + these days.strftime('%Y.%m.%d %H:%M:%S'),
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    apart from Exception as e:
      logger.error(f"## Operation failed because of unknown error. Exiting.")
      logger.error(e)
      sys.go out()
    else:
      logger.data(f"## Crew {qs_new_group} is located in QuickSight.")

    # Upload the person to the required organization
    logger.data("## Enhancing organization club in response to its newest attributes.")
    logger.data(f"#### QuickSight person call: {qs_user_name}")
    logger.data(f"#### QuickSight organization call: {qs_new_group}")
    check out: 
      res_qs_create_group_membership = qs.create_group_membership(
        MemberName = qs_user_name,
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
    )
    apart from Exception as e:
      logger.error("## Operation failed because of unknown error. Exiting.")
      logger.error(e)
    else:
      logger.data("## Crew club amendment succeeded.")
      qs_group_member_name = res_qs_create_group_membership['GroupMember']['MemberName']
      qs_group_member_arn = res_qs_create_group_membership['GroupMember']['Arn']
      logger.debug("## QuickSight organization data:")
      logger.debug(f"#### qs_user_name: {qs_user_name}")
      logger.debug(f"#### qs_group_name: {qs_new_group}")
      logger.debug(f"#### qs_group_member_name: {qs_group_member_name}")
      logger.debug(f"#### qs_group_member_arn: {qs_group_member_arn}")
      logger.debug("## IIC data:")
      logger.debug(f"#### IIC person call: {azure_user_attribute_userprincipalname}")
      logger.debug(f"#### IIC person identity: {iic_user_id}")
      logger.debug(f"#### Name: {azure_user_attribute_title}")
      logger.data(f"## Consumer {qs_user_name} has been effectively added to the gang {qs_new_group} in {qs_namespace_name} namespace.")
  
  # go back reaction
  go back {
    "namespaceName": qs_namespace_name,
    "userName": qs_user_name,
    "groupName": qs_new_group
  }

Observe that this Lambda serve as calls for Boto3 1.24.64 or later. If the Boto3 incorporated within the Lambda runtime is older than this, use a Lambda layer to make use of the most recent model of Boto3. For extra main points, confer with How do I unravel “unknown provider”, “parameter validation failed”, and “object has no characteristic” mistakes from a Python (Boto 3) Lambda serve as.

Upload an EventBridge rule to cause the development

To create an EventBridge rule to invoke the up to now created Lambda serve as, whole the next steps:

1. At the EventBridge console, create a brand new rule.
2. For Title, input updateQuickSightUponSCIMEvent.
3. For Match development, input the next code:

   {
     "supply": ["aws.sso-directory"],
     "detail-type": ["AWS API Call via CloudTrail"],
     "element": {
       "eventSource": ["sso-directory.amazonaws.com"],
       "eventName": ["UpdateUser"]
     }
   }

4. For Objectives, select the Lambda serve as you created (UpdateQuickSightUserUponSCIMEvent).
5. Allow the rule of thumb.

Test the configuration via converting a person characteristic worth at Azure AD

Let’s adjust a person’s characteristic at Azure AD, after which take a look at if the brand new organization is created and that the person is added into the brand new one.

1. Return to the Azure AD console.
2. From Set up, click on Customers.
3. Make a selection one of the crucial customers you up to now used to log in to QuickSight from the IAM Identification Heart portal.
4. Make a selection Edit houses, then edit the values for Activity identify and Division.
   
5. Save the configuration.
6. From Set up, select Endeavor utility, your utility call, and Provisioning.
7. Make a selection Prevent provisioning after which Get started provisioning in collection.

In Azure AD, the SCIM provisioning period is fastened to 40 mins. To get fast effects, we manually forestall and get started the provisioning.

8. Navigate to the QuickSight console.
9. At the drop-down person call menu, select Set up QuickSight.
10. Make a selection Set up teams.

Now you will have to to find that the brand new organization is created and the person is assigned to this organization.

Blank up

Whilst you’re completed with the answer, blank up your atmosphere to reduce value affect. It’s possible you’ll need to delete the next sources:

• Lambda serve as
• Lambda layer
• IAM position for the Lambda serve as
• CloudWatch log organization for the Lambda serve as
• EventBridge rule
• QuickSight account
  • Observe : There can handiest be one QuickSight account in step with AWS account. So your QuickSight account would possibly already be utilized by different customers on your group. Delete the QuickSight account provided that you explicitly set it as much as practice this weblog and are completely certain that it’s not being utilized by another customers.
• IAM Identification Heart example
• IAM ID Supplier configuration for Azure AD
• Azure AD example

Abstract

This publish supplied step by step directions to configure IAM Identification Heart SCIM provisioning and SAML 2.0 federation from Azure AD for centralized control of QuickSight customers. We additionally demonstrated computerized organization club updates in QuickSight in response to person attributes in Azure AD, via the usage of SCIM occasions generated in IAM Identification Heart and putting in place automation with EventBridge and Lambda.

With this event-driven technique to provision customers and teams in QuickSight, gadget directors will have complete flexibility in the place the quite a lot of alternative ways of person control may well be anticipated relying at the group. It additionally guarantees the consistency of customers and teams between QuickSight and Azure AD every time a person accesses QuickSight.

We’re having a look ahead to listening to any questions or comments.

Concerning the authors

Takeshi Nakatani is a Major Bigdata Marketing consultant on Skilled Products and services workforce in Tokyo. He has 25 years of revel in in IT business, expertised in architecting knowledge infrastructure. On his days off, he is usually a rock drummer or a motorcyclyst.

Wakana Vilquin-Sakashita is Specialist Resolution Architect for Amazon QuickSight. She works intently with shoppers to lend a hand making sense of the knowledge via visualization. In the past Wakana labored for S&P World  aiding shoppers to get right of entry to knowledge, insights and researches related for his or her trade.