Amazon QuickSight is cloud-native, scalable trade intelligence (BI) provider that helps id federation. AWS Identification and Get right of entry to Control (IAM) permits organizations to make use of the identities controlled of their endeavor id service (IdP) and federate unmarried sign-on (SSO) to QuickSight. As extra organizations are development centralized person id shops with all their packages, together with on-premises apps, third-party apps, and packages on AWS, they want a approach to automate person provisioning into those packages and stay their attributes in sync with their centralized person id retailer.
When architecting a person repository, some organizations make a decision to arrange their customers in teams or use attributes (similar to branch call), or a mixture of each. If your company makes use of Microsoft Azure Lively Listing (Azure AD) for centralized authentication and makes use of its person attributes to arrange the customers, you’ll be able to allow federation throughout all QuickSight accounts in addition to set up customers and their organization club in QuickSight the usage of occasions generated within the AWS platform. This permits gadget directors to centrally set up person permissions from Azure AD. Provisioning, updating, and de-provisioning customers and teams in QuickSight now not calls for control in two puts with this answer. This makes certain that customers and teams in QuickSight keep in keeping with knowledge in Azure AD via automated synchronization.
On this publish, we stroll you throughout the steps required to configure federated SSO between QuickSight and Azure AD by way of AWS IAM Identification Heart (Successor to AWS Unmarried Signal-On) the place automated provisioning is enabled for Azure AD. We additionally reveal automated person and organization club replace the usage of a Machine for Move-domain Identification Control (SCIM) occasion.
The next diagram illustrates the answer structure and person go with the flow.
On this publish, IAM Identification Heart supplies a central position to carry in combination management of customers and their get right of entry to to AWS accounts and cloud packages. Azure AD is the person repository and configured because the exterior IdP in IAM Identification Heart. On this answer, we reveal the usage of two person attributes (
jobTitle) in particular in Azure AD. IAM Identification Heart helps automated provisioning (synchronization) of person and organization knowledge from Azure AD into IAM Identification Heart the usage of the SCIM v2.0 protocol. With this protocol, the attributes from Azure AD are handed alongside to IAM Identification Heart, which inherits the outlined characteristic for the personâs profile in IAM Identification Heart. IAM Identification Heart additionally helps id federation with SAML (Safety Statement Markup Language) 2.0. This permits IAM Identification Heart to authenticate identities the usage of Azure AD. Customers can then SSO into packages that toughen SAML, together with QuickSight. The primary part of this publish specializes in how one can configure this finish to finish (see Signal-In Drift within the diagram).
Subsequent, person knowledge begins to get synchronized between Azure AD and IAM Identification Heart by way of SCIM protocol. You’ll automate making a person in QuickSight the usage of an AWS Lambda serve as brought on via the
CreateUser SCIM occasion originated from IAM Identification Heart, which used to be captured in Amazon EventBridge. In the similar Lambda serve as, you’ll be able to due to this fact replace the personâs club via including into the required organization (whose call is produced from two person attributes:
department-jobTitle, another way create the gang if it doesnât exist but, previous to including the club.
On this publish, this automation phase is overlooked as a result of it will be redundant with the content material mentioned within the following sections.
This publish explores and demonstrates an
UpdateUser SCIM occasion brought on via the person profile replace on Azure AD. The development is captured in EventBridge, which invokes a Lambda serve as to replace the gang club in QuickSight (see Replace Drift within the diagram). As a result of a given person is meant to belong to just one organization at a time on this instance, the serve as will change the personâs present organization club with the brand new one.
In Phase I, you place up SSO to QuickSight from Azure AD by way of IAM Identification Heart (the sign-in go with the flow):
- Configure Azure AD because the exterior IdP in IAM Identification Heart.
- Upload and configure an IAM Identification Heart utility in Azure AD.
- Entire configuration of IAM Identification Heart.
- Arrange SCIM automated provisioning on each Azure AD and IAM Identification Heart, and ensure in IAM Identification Heart.
- Upload and configure a QuickSight utility in IAM Identification Heart.
- Configure a SAML IdP and SAML 2.0 federation IAM position.
- Configure attributes within the QuickSight utility.
- Create a person, organization, and organization club manually by way of the AWS Command Line Interface (AWS CLI) or API.
- Test the configuration via logging in to QuickSight from the IAM Identification Heart portal.
In Phase II, you place up automation to modify organization club upon an SCIM occasion (the replace go with the flow):
- Perceive SCIM occasions and occasion patterns for EventBridge.
- Create characteristic mapping for the gang call.
- Create a Lambda serve as.
- Upload an EventBridge rule to cause the development.
- Test the configuration via converting the person characteristic worth at Azure AD.
For this walkthrough, you will have the next necessities:
- IAM Identification Heart. For directions, confer with Steps 1â2 within the AWS IAM Identification Heart Getting Began information.
- A QuickSight account subscription.
- Elementary working out of IAM and privileges required to create an IAM IdP, roles, and insurance policies.
- An Azure AD subscription. You wish to have no less than one person with the next attributes to be registered in Azure AD:
- userPrincipalName â Obligatory box for Azure AD person.
- displayName â Obligatory box for Azure AD person.
- Mail â Obligatory box for IAM Identification Heart to paintings with QuickSight.
- jobTitle â Used to allocate person to organization
- branch â Used to allocate person to organization.
- givenName â Non-compulsory box.
- surname â Non-compulsory box.
Phase I: Arrange SSO to QuickSight from Azure AD by way of IAM Identification Heart
This segment gifts the stairs to arrange the sign-in go with the flow.
Configure an exterior IdP as Azure AD in IAM Identification Heart
To configure your exterior IdP, whole the next steps:
- At the IAM Identification Heart console, select Settings.
- Make a selection Movements at the Identification supply tab, then select Exchange id supply.
- Make a selection Exterior id service, then select Subsequent.
The IdP metadata is displayed. Stay this browser tab open.
Upload and configure an IAM Identification Heart utility in Azure AD
To arrange your IAM Identification Heart utility, whole the next steps:
- Open a brand new browser tab.
- Log in to the Azure AD portal the usage of your Azure administrator credentials.
- Below Azure products and services, select Azure Lively Listing.
- Within the navigation pane, beneath Set up, select Endeavor packages, then select New utility.
- Within the Browse Azure AD Galley segment, seek for IAM Identification Heart, then select AWS IAM Identification Heart (successor to AWS Unmarried Signal-On).
- Input a reputation for the appliance (on this publish, we use
IIC-QuickSight) and select Create.
- Within the Set up segment, select Unmarried sign-on, then select SAML.
- Within the Assign customers and teams segment, select Assign customers and teams.
- Make a selection Upload person/organization and upload no less than one person.
- Make a choice Consumer as its position.
- Within the Arrange unmarried signal on segment, select Get began.
- Within the Elementary SAML Configuration segment, select Edit, and fill out following parameters and values:
- Identifier â The worth within the IAM Identification Heart issuer URL box.
- Answer URL â The worth within the IAM Identification Heart Statement Shopper Carrier (ACS) URL box.
- Signal on URL â Depart clean.
- Relay State â Depart clean.
- Logout URL â Depart clean.
- Make a selection Save.
The configuration will have to seem like the next screenshot.
- Within the SAML Certificate segment, obtain the Federation Metadata XML report and the Certificates (Uncooked) report.
Youâre all set with Azure AD SSO configuration at this second. In a while, youâll go back to this web page to configure computerized provisioning, so stay this browser tab open.
Entire configuration of IAM Identification Heart
Entire your IAM Identification Heart configuration with the next steps:
- Return to the browser tab for IAM Identification Heart console which you may have stored open in earlier step.
- For IdP SAML metadata beneath the Identification service metadata segment, select Make a selection report.
- Make a selection the up to now downloaded metadata report (
- For IdP certificates beneath the Identification service metadata segment, select Make a selection report.
- Make a selection the up to now downloaded certificates report (
- Make a selection Subsequent.
- Input ACCEPT, then select Exchange Identification service supply.
Arrange SCIM automated provisioning on each Azure AD and IAM Identification Heart
Your provisioning approach continues to be set as Guide (non-SCIM). On this step, we allow automated provisioning in order that IAM Identification Heart turns into acutely aware of the customers, which permits id federation to QuickSight.
- Within the Computerized provisioning segment, select Allow.
- Make a selection Get right of entry to token to turn your token.
- Return to the browser tab (Azure AD), which you stored open in Step 1.
- Within the Set up segment, select Endeavor packages.
- Make a selection
IIC-QuickSight, then select Provisioning.
- Make a selection Computerized in Provisioning Mode and input the next values:
- Tenant URL â The worth within the SCIM endpoint box.
- Secret Token â The worth within the Get right of entry to token box.
- Make a selection Take a look at Connection.
- After the take a look at connection is effectively whole, set Provisioning Standing to On.
- Make a selection Save.
- Make a selection Get started provisioning to begin automated provisioning the usage of the SCIM protocol.
When provisioning is whole, it’ll lead to propagating a number of customers from Azure AD to IAM Identification Heart. The next screenshot presentations the customers that have been provisioned in IAM Identification Heart.
Observe that upon this SCIM provisioning, the customers in QuickSight will have to be created the usage of the Lambda serve as brought on via the development originated from IAM Identification Heart. On this publish, we create a person and organization club by way of the AWS CLI (Step 8).
Upload and configure a QuickSight utility in IAM Identification Heart
On this step, we create a QuickSight utility in IAM Identification Heart. You additionally configure an IAM SAML service, position, and coverage for the appliance to paintings. Entire the next steps:
- At the IAM Identification Heart console, at the Programs web page, select Upload Utility.
- For Pre-integrated utility beneath Make a choice an utility, input
- Make a choice Amazon QuickSight, then select Subsequent.
- Input a reputation for Show call, similar to
- Make a selection Obtain beneath IAM Identification Heart SAML metadata report and reserve it on your laptop.
- Depart all different fields as they’re, and save the configuration.
- Open the appliance youâve simply created, then select Assign Customers.
The customers provisioned by way of SCIM previous will likely be indexed.
- Make a selection the entire customers to assign to the appliance.
Configure a SAML IdP and a SAML 2.0 federation IAM position
To arrange your IAM SAML IdP for IAM Identification Heart and IAM position, whole the next steps:
- At the IAM console, within the navigation pane, select Identification suppliers, then select Upload service.
- Make a selection SAML as Supplier kind, and input
Azure-IIC-QSas Supplier call.
- Below Metadata report, select Make a selection report and add the metadata report you downloaded previous.
- Make a selection Upload service to avoid wasting the configuration.
- Within the navigation pane, select Roles, then select Create position.
- For Relied on entity kind, make a selection SAML 2.0 federation.
- For Make a selection a SAML 2.0 service, make a selection the SAML service that you simply created, then select Permit programmatic and AWS Control Console get right of entry to.
- Make a selection Subsequent.
- At the Upload Permission web page, select Subsequent.
On this publish, we create QuickSight customers by way of an AWS CLI command, due to this fact weâre no longer growing any permission coverage. Alternatively, if the self-provisioning function in QuickSight is needed, the permission coverage for the
CreateAdmin movements (relying at the position of the QuickSight customers) is needed.
- At the Title, overview, and create web page, beneath Position main points, input
qs-reader-azurefor the position.
- Make a selection Create position.
- Observe the ARN of the position.
You employ the ARN to configure attributes on your IAM Identification Heart utility.
Configure attributes within the QuickSight utility
To affiliate the IAM SAML IdP and IAM position to the QuickSight utility in IAM Identification Heart, whole the next steps:
- At the IAM Identification Heart console, within the navigation pane, select Programs.
- Make a choice the
Amazon QuickSightutility, and at the Movements menu, select Edit characteristic mappings.
- Make a selection Upload new characteristic mapping.
- Configure the mappings within the following desk.
|Consumer characteristic within the utility||Maps to this string worth or person characteristic in IAM Identification Heart|
Observe the next values:
- Change <ACCOUNTID> along with your AWS account ID.
PrincipalTag:Electronic mailis for the e-mail syncing function for self-provisioning customers that wish to be enabled at the QuickSight admin web page. On this publish, donât allow this selection as a result of we sign up the person with an AWS CLI command.
- Make a selection Save adjustments.
Create a person, organization, and organization club with the AWS CLI
As described previous, customers and teams in QuickSight are being created manually on this answer. We create them by way of the next AWS CLI instructions.
Step one is to create a person in QuickSight specifying the IAM position created previous and e-mail deal with registered in Azure AD. The second one step is to create a bunch with the gang call as blended characteristic values from Azure AD for the person created in step one. The 1/3 step is so as to add the person into the gang created previous;
member-name signifies the person call created in QuickSight this is produced from
<IAM Position call>/<consultation call>. See the next code:
At this level, the end-to-end configuration of Azure AD, IAM Identification Heart, IAM, and QuickSight is whole.
Test the configuration via logging in to QuickSight from the IAM Identification Heart portal
Now youâre able to log in to QuickSight the usage of the IdP-initiated SSO go with the flow:
- Open a brand new non-public window on your browser.
- Log in to the IAM Identification Heart portal (
Youâre redirected to the Azure AD login instructed.
- Input your Azure AD credentials.
Youâre redirected again to the IAM Identification Heart portal.
- Within the IAM Identification Heart portal, select Amazon QuickSight.
Youâre routinely redirected for your QuickSight house.
Phase II: Automate organization club exchange upon SCIM occasions
On this segment, we configure the replace go with the flow.
Perceive the SCIM occasion and occasion development for EventBridge
When an Azure AD administrator makes any adjustments to the attributes at the specific person profile, the exchange will likely be synced with the person profile in IAM Identification Heart by way of SCIM protocol, and the task is recorded in an AWS CloudTrail occasion known as
sso-directory.amazonaws.com (IAM Identification Heart) as the development supply. In a similar fashion, the
CreateUser occasion is recorded when a person is created on Azure AD, and the
DisableUser occasion is for when a person is disabled.
The next screenshot at the Â Match historical past web page presentations two
CreateUser occasions: one is recorded via IAM Identification Heart, and the opposite one is via QuickSight. On this publish, we use the only from IAM Identification Heart.
To ensure that EventBridge so as to care for the go with the flow correctly, each and every occasion should specify the fields of an occasion that you need the development development to check. The next occasion development is an instance of the
UpdateUser occasion generated in IAM Identification Heart upon SCIM synchronization:
On this publish, we reveal an automated replace of organization club in QuickSight this is brought on via the
UpdateUser SCIM occasion.
Create characteristic mapping for the gang call
To ensure that the Lambda serve as to regulate organization club in QuickSight, it should download the 2 person attributes (
jobTitle). To make the method more effective, weâre combining two attributes in Azure AD (
jobTitle) into one characteristic in IAM Identification Heart (
identify), the usage of the characteristic mappings function in Azure AD. IAM Identification Heart then makes use of the
identify characteristic as a chosen organization call for this person.
- Log in to the Azure AD console, navigate to Endeavor Programs,
IIC-QuickSight, and Provisioning.
- Make a selection Edit characteristic mappings.
- Below Mappings, select Provision Azure Lively Listing Customers.
- Make a selection
jobTitlefrom the record of Azure Lively Listing Attributes.
- Exchange the next settings:
- Mapping Sort â
- Expression â
Sign up for("-", [department], [jobTitle])
- Goal characteristic â
- Mapping Sort â
- Make a selection Save.
- You’ll go away the provisioning web page.
The characteristic is routinely up to date in IAM Identification Heart. The up to date person profile seems like the next screenshots (Azure AD at the left, IAM Identification Heart at the proper).
Create a Lambda serve as
Now we create a Lambda serve as to replace QuickSight organization club upon the SCIM occasion. The core a part of the serve as is to acquire the personâs
identify characteristic worth in IAM Identification Heart in response to the brought on occasion knowledge, after which to be sure that the person exists in QuickSight. If the gang call doesnât exist but, it creates the gang in QuickSight after which provides the person into the gang. Entire the next steps:
- At the Lambda console, select Create serve as.
- For Title, input
- For Runtime, select Python 3.9.
- For Time Out, set to fifteen seconds.
- For Permissions, create and fasten an IAM position that incorporates the next permissions (the depended on entity (primary) will have to be
- Write Python code the usage of the Boto3 SDK for IdentityStore and QuickSight. The next is all of the pattern Python code:
Observe that this Lambda serve as calls for Boto3 1.24.64 or later. If the Boto3 incorporated within the Lambda runtime is older than this, use a Lambda layer to make use of the most recent model of Boto3. For extra main points, confer with How do I unravel âunknown providerâ, âparameter validation failedâ, and âobject has no characteristicâ mistakes from a Python (Boto 3) Lambda serve as.
Upload an EventBridge rule to cause the development
To create an EventBridge rule to invoke the up to now created Lambda serve as, whole the next steps:
- At the EventBridge console, create a brand new rule.
- For Title, input
- For Match development, input the next code:
- For Objectives, select the Lambda serve as you created (
- Allow the rule of thumb.
Test the configuration via converting a person characteristic worth at Azure AD
Letâs adjust a personâs characteristic at Azure AD, after which take a look at if the brand new organization is created and that the person is added into the brand new one.
- Return to the Azure AD console.
- From Set up, click on Customers.
- Make a selection one of the crucial customers you up to now used to log in to QuickSight from the IAM Identification Heart portal.
- Make a selection Edit houses, then edit the values for Activity identify and Division.
- Save the configuration.
- From Set up, select Endeavor utility, your utility call, and Provisioning.
- Make a selection Prevent provisioning after which Get started provisioning in collection.
In Azure AD, the SCIM provisioning period is fastened to 40 mins. To get fast effects, we manually forestall and get started the provisioning.
- Navigate to the QuickSight console.
- At the drop-down person call menu, select Set up QuickSight.
- Make a selection Set up teams.
Now you will have to to find that the brand new organization is created and the person is assigned to this organization.
Whilst youâre completed with the answer, blank up your atmosphere to reduce value affect. It’s possible you’ll need to delete the next sources:
- Lambda serve as
- Lambda layer
- IAM position for the Lambda serve as
- CloudWatch log organization for the Lambda serve as
- EventBridge rule
- QuickSight account
- Observe : There can handiest be one QuickSight account in step with AWS account. So your QuickSight account would possibly already be utilized by different customers on your group. Delete the QuickSight account provided that you explicitly set it as much as practice this weblog and are completely certain that it’s not being utilized by another customers.
- IAM Identification Heart example
- IAM ID Supplier configuration for Azure AD
- Azure AD example
This publish supplied step by step directions to configure IAM Identification Heart SCIM provisioning and SAML 2.0 federation from Azure AD for centralized control of QuickSight customers. We additionally demonstrated computerized organization club updates in QuickSight in response to person attributes in Azure AD, via the usage of SCIM occasions generated in IAM Identification Heart and putting in place automation with EventBridge and Lambda.
With this event-driven technique to provision customers and teams in QuickSight, gadget directors will have complete flexibility in the place the quite a lot of alternative ways of person control may well be anticipated relying at the group. It additionally guarantees the consistency of customers and teams between QuickSight and Azure AD every time a person accesses QuickSight.
We’re having a look ahead to listening to any questions or comments.
Concerning the authors
Takeshi Nakatani is a Major Bigdata Marketing consultant on Skilled Products and services workforce in Tokyo. He has 25 years of revel in in IT business, expertised in architecting knowledge infrastructure. On his days off, he is usually a rock drummer or a motorcyclyst.
Wakana Vilquin-Sakashita is Specialist Resolution Architect for Amazon QuickSight. She works intently with shoppers to lend a hand making sense of the knowledge via visualization. In the past Wakana labored for S&P WorldÂ aiding shoppers to get right of entry to knowledge, insights and researches related for his or her trade.