AWS Business Intelligence Blog

Federate Amazon QuickSight access with Okta

Note: As of August 2023, Amazon QuickSight is now an AWS IAM Identity Center enabled application. This capability allows administrators who subscribe to QuickSight to use IAM Identity Center to enable their users to log in with Okta and other external identity providers. For more information, see Simplify business intelligence identity management with Amazon QuickSight and IAM Identity Center (AWS blog post) and Configure your Amazon QuickSight account with IAM Identity Center in the QuickSight documentation. We recommend that you use this new integration. This blog post is provided as a reference for existing account configurations.


March 2024 – This post was reviewed and updated to include new features for syncing users and groups from Okta.

Amazon QuickSight is a cloud-powered, serverless, and embeddable business intelligence service that makes it easy to deliver insights to everyone in your organization. As a fully managed service, QuickSight lets you easily create and publish interactive dashboards that can then be accessed from any device and embedded into your applications, portals, and websites.

QuickSight supports identity federation through Security Assertion Markup Language 2.0 (SAML 2.0) in both Standard and Enterprise editions. With federation, you can manage users using your enterprise identity provider (IdP) and pass them to QuickSight at login. Such IdPs include Microsoft Active Directory Federation Services, Ping One Federation Server, and Okta.

This post provides step-by-step guidance to configure federated single sign-on (SSO) between QuickSight and Okta. We also demonstrate ways to assign QuickSight roles based on Okta membership. Administrators can publish QuickSight applications in the Okta Portal, enabling users to SSO to QuickSight using their Okta credentials.

Creating an Okta application

The following steps guide you through the process of creating an Okta application.

  1. Sign in to your Okta admin dashboard.

If you don’t have an account, you can create a free Okta Developer Edition account.

  2. Choose Applications from the left menu and then choose Browse App Catalog.
  3. Search for and choose AWS Account Federation.
  4. Choose Add Integration.
  5. For Application label, enter Amazon QuickSight, then choose Next.
  6. For Sign-On Options, select SAML 2.0. For Default Relay State, enter https://quicksight.aws.amazon.com. Then right-click Identity Provider metadata and choose Save Link As.
  7. Save the XML file to disk.
  8. Choose Done.

Creating a SAML provider in AWS

To create your SAML provider, complete the following steps:

  1. In a new window, sign in to the AWS Management Console.
  2. Search for AWS Identity and Access Management (IAM) and choose IAM from the list.
  3. Choose Identity provider from the left menu and click Add provider.
  4. For Provider type, select SAML.
  5. For Provider name, enter Okta.
  6. For Metadata document, upload the XML file you downloaded earlier.
  7. Choose Add provider.
  8. Open the IdP that you just created and make note of the ARN.

Creating QuickSight roles for federated users

This section describes the steps for creating IAM SAML 2.0 federation roles. Although Okta is used for SSO, you can provision users in QuickSight in two different ways:

  • Grant the federation role permission to create new QuickSight users when a user visits for the first time.
  • Pre-provision QuickSight users using the API and add them to the appropriate groups. This can be automated using Sync users and groups from Okta using Amazon QuickSight.

The following steps demonstrate how to create a federation role with permission to create new QuickSight users.

Create IAM Policies

Note: To automate the sync of users, groups, and group membership using Sync users and groups from Okta using Amazon QuickSight, create the policies with the exact names listed in the following steps.

  1. From the AWS console, search for and choose IAM (Identity and Access Management) to open it.
  2. From the left menu, choose Policies under Access management.
  3. Choose Create policy from the top left of the page.
  4. Under Specify permissions, choose JSON and replace the sample policy template with the following code:
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "VisualEditor0",
    			"Effect": "Allow",
    			"Action": "quicksight:CreateAdmin",
    			"Resource": "*"
    		}
    	]
    }
  5. Click Next.

This policy grants permission to create Admin users and is attached to the corresponding role in the following steps.

  6. On the Review and create step, enter the name QuickSightOktaCreateAdminPolicy and click Create policy.

Repeat steps 1 to 6 in this section to create the policies for the Author and Reader personas using the following JSON documents:

QuickSightOktaCreateAuthorPolicy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "quicksight:CreateUser",
			"Resource": "*"
		}
	]
}

QuickSightOktaCreateReaderPolicy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "quicksight:CreateReader",
			"Resource": "*"
		}
	]
}

Create IAM Roles

Note: To automate the sync of users, groups, and group membership, create the IAM roles using the following steps, with the exact names listed below.

  1. From the AWS console, search for and choose IAM (Identity and Access Management) to open it.
  2. From the left menu, select Roles under Access management, and choose Create role from the top left.
  3. Select SAML 2.0 federation as the Trusted entity type.
  4. Select Okta (the identity provider you configured earlier) as the SAML 2.0-based provider.
  5. Select Allow programmatic and AWS Management Console access.

Complete all the required fields as shown in the image below and click Next.

  6. Next, add permissions.
  7. Search the permissions list for QuickSightOktaCreateAdminPolicy and choose it.
  8. Click Next.
  9. On the Name, review and create page, enter the Role name QuickSightOktaAdminRole and choose Create role.
  10. Repeat steps 1 to 9 above to create the Author and Reader roles using the following role names:
    • For Author: QuickSightOktaAuthorRole
    • For Reader: QuickSightOktaReaderRole
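The policy and role steps above are done in the console, which hides what the resulting role trust policy looks like. The following Python is an added example, not code from the post: it builds the three single-action permission policies with the exact names the post requires, builds the SAML 2.0 trust policy for each role, and reviews a trust policy the way a defender would before attaching it, checking that it trusts only the Okta SAML provider ARN, allows only sts:AssumeRoleWithSAML, and pins the SAML:aud condition to the AWS sign-in endpoint. The trust-policy shape is the one the console generates for the SAML 2.0 federation trusted entity type with console access (an assumption here; the post does not show it). The account ID and provider name are constructed placeholders, and the JSON produced can be passed to aws iam create-policy and aws iam create-role, which the block does not call.

```python
import json

# Names the post requires verbatim so the Okta sync tooling can find them:
# persona -> (policy name, role name, single QuickSight action granted).
PERSONAS = {
    "Admin":  ("QuickSightOktaCreateAdminPolicy",  "QuickSightOktaAdminRole",  "quicksight:CreateAdmin"),
    "Author": ("QuickSightOktaCreateAuthorPolicy", "QuickSightOktaAuthorRole", "quicksight:CreateUser"),
    "Reader": ("QuickSightOktaCreateReaderPolicy", "QuickSightOktaReaderRole", "quicksight:CreateReader"),
}

# Audience the AWS sign-in endpoint expects in the SAML assertion. The console adds this
# condition when you choose "Allow programmatic and AWS Management Console access".
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def permission_policy(action: str) -> dict:
    """The single-action identity policy from the post (one per persona)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow", "Action": action, "Resource": "*"}
        ],
    }


def trust_policy(saml_provider_arn: str) -> dict:
    """Trust policy for a SAML 2.0 federation role that trusts only the named IdP."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": saml_provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_findings(doc: dict, expected_provider_arn: str) -> list:
    """Review a role trust policy; return the list of problems (empty list means OK).

    Every Allow statement must trust exactly the expected SAML provider, permit only
    sts:AssumeRoleWithSAML, and pin SAML:aud to the AWS sign-in endpoint.
    """
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if principal == "*" or set(principal) - {"Federated"}:
            findings.append(f"statement {i}: principal is not restricted to a Federated SAML provider")
        elif federated != expected_provider_arn:
            findings.append(f"statement {i}: trusts {federated!r}, expected {expected_provider_arn!r}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if set(actions) != {"sts:AssumeRoleWithSAML"}:
            findings.append(f"statement {i}: actions {actions} should be exactly sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing or wrong SAML:aud condition ({aud!r})")
    if not doc.get("Statement"):
        findings.append("trust policy has no statements")
    return findings


def role_documents(saml_provider_arn: str) -> dict:
    """Map role name -> (policy name, permission policy, trust policy) for all three personas."""
    return {
        role: (policy, permission_policy(action), trust_policy(saml_provider_arn))
        for policy, role, action in PERSONAS.values()
    }


if __name__ == "__main__":
    # Constructed account ID and provider name; substitute the ARN noted in "Creating a SAML provider in AWS".
    arn = "arn:aws:iam::111122223333:saml-provider/Okta"
    for role, (policy, perms, trust) in role_documents(arn).items():
        print(f"# {role} (attach {policy})")
        print(json.dumps(perms, indent=2))
        print(json.dumps(trust, indent=2))
        print("trust policy findings:", trust_policy_findings(trust, arn))
```

Running the block prints the six documents and an empty findings list for each generated trust policy; pointing trust_policy_findings at a policy exported from an existing role (aws iam get-role) shows whether someone has widened the principal or dropped the audience condition since the role was created.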

Creating an AWS access key for Okta

To create an access key for Okta, follow these steps in this Tutorial: Amazon QuickSight and IAM identity federation.

Configuring the Okta application

To configure your Okta application, complete the following steps:

  1. Return to Okta and your Application Dashboard.
  2. Choose the Okta application Amazon QuickSight that you created earlier.
  3. On the Sign On tab, choose Edit.
  4. Under Advanced Sign-on settings, for Identity Provider ARN, enter the ARN of the IdP you created earlier.
  5. Choose Save.
  6. On the Provisioning tab, choose Integration.
  7. Click Configure API Integration.
  8. Choose Edit.
  9. Select Enable API Integration.
  10. For Access key and Secret key, enter the keys from the CSV file you downloaded earlier.
  11. Choose Test API Credentials.
  12. Choose Save.
  13. On the navigation pane, choose To App.
  14. Choose Edit.
  15. For Create Users, select Enable.
  16. Choose Save.
  17. On the Assignments tab, on the Assign menu, choose Assign to People to grant federated access to specific users.

You can also use filters to sort on the user or group.

  18. Search for users to assign.
  19. Choose Assign.
  20. On the Roles menu, choose the SAML User Roles to grant to the users.
  21. Choose Save and Go Back.
  22. Choose Done.

Test Identity Provider Initiated (IdP-initiated) SSO

  1. To use IdP-initiated SSO, log in to your Okta Applications Dashboard.
  2. If you’re using the admin account to log in, choose My Apps to access the application.
  3. You should see the new application you created earlier, with the Okta application label Amazon QuickSight.
  4. Choose the application icon to launch QuickSight.

You can now manage your users and groups using Okta as your IdP and federate access to QuickSight.

To configure automated email Sync for federated SSO users from Okta, refer to Configure an automated email sync for federated SSO users to access Amazon QuickSight.

Service Provider Initiated (SP-initiated) SSO

QuickSight can also be configured for SP-initiated sign-on in the Enterprise edition. This setup enables QuickSight to redirect the user to authenticate with the IdP first before granting access to the QuickSight resources. For QuickSight-initiated SSO to work with Okta, perform the following steps:

  1. Open the QuickSight portal as an administrator.
  2. Choose Manage QuickSight.
  3. Choose Single sign-on (SSO).
  4. In the Configuration section, for IdP URL, enter the Okta application’s SSO URL.

This can be found by opening the metadata XML file that you downloaded when creating your Okta application. The URL is the value of the Location attribute in the md:SingleSignOnService element and ends with /sso/saml.

  5. For IdP redirect URL parameter, enter RelayState.
  6. Copy the custom URL provided under Test the end-to-end experience.
  7. Choose Save.

Now you can test the end-to-end experience for signing in to QuickSight.

  8. Enter the custom URL you just copied into a new browser window.
  9. Enter your QuickSight account name.
  10. Choose Continue.

You’re redirected to authenticate with Okta.

  11. Enter the credentials for your Okta user.

You’re now logged in to the QuickSight portal.

Automatically sync Users & Groups from Okta with Amazon QuickSight

Use Sync users and groups from Okta using Amazon QuickSight to automatically sync users, groups, and their memberships from Okta to QuickSight.

Deep linking dashboards

You can share QuickSight dashboards using the Okta application’s SSO URL so that users can be federated directly to specific dashboards.

To deep link to a specific QuickSight dashboard with SSO, first locate the Okta application’s SSO URL. This can be found by opening the metadata XML file that you downloaded when you created your Okta application. The URL is the value of the Location attribute in the md:SingleSignOnService element and ends with /sso/saml.

After you have the Okta application’s SSO URL, append ?RelayState= to the end of the URL followed by the URL to your QuickSight dashboard. For example, your deep link URL might look as follows: https://my-test-org.okta.com/app/amazon_aws/abcdefg12345XYZ678/sso/saml?RelayState=https://us-east-1.quicksight.aws.amazon.com/sn/dashboards/11111111-abcd-1234-efghi-111111111111

By deep linking dashboards, you can provide users a way to use SSO and directly access specific dashboards.
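Both places where the post sends you to the metadata XML (the IdP URL in the SP-initiated SSO steps and the deep link here) can be scripted instead of read by eye. The following Python is an added example, not code from the post: it pulls the Location attribute from the md:SingleSignOnService element of a constructed stand-in for the Okta metadata file, refuses any RelayState target that is not an HTTPS QuickSight console URL, and URL-encodes the RelayState value (the post shows it unencoded). The metadata content, entityID and app path are made up; only the element names are the standard SAML 2.0 metadata ones.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the metadata XML downloaded from Okta. The entityID, app id and
# host are made up; Okta's real file also carries a KeyDescriptor with the signing cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-test-org.okta.com/app/amazon_aws/abcdefg12345XYZ678/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my-test-org.okta.com/app/amazon_aws/abcdefg12345XYZ678/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_url_from_metadata(metadata_xml: str) -> str:
    """Return the IdP SSO URL: the Location of an md:SingleSignOnService element.

    Okta publishes the same Location for the POST and Redirect bindings, so either
    will do; the post's description (a URL ending in /sso/saml) is used as a sanity check.
    """
    root = ET.fromstring(metadata_xml)
    for svc in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        loc = svc.get("Location", "")
        if loc.endswith("/sso/saml"):
            return loc
    raise ValueError("no md:SingleSignOnService Location ending in /sso/saml found")


def is_quicksight_url(url: str) -> bool:
    """Accept only HTTPS QuickSight console URLs as RelayState targets."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == "quicksight.aws.amazon.com" or host.endswith(".quicksight.aws.amazon.com")
    )


def deep_link(sso_url: str, dashboard_url: str) -> str:
    """Build <SSO URL>?RelayState=<URL-encoded dashboard URL>."""
    if not is_quicksight_url(dashboard_url):
        raise ValueError(f"refusing non-QuickSight RelayState target: {dashboard_url}")
    return sso_url + "?" + urlencode({"RelayState": dashboard_url})


if __name__ == "__main__":
    sso = sso_url_from_metadata(SAMPLE_METADATA)
    # Dashboard URL taken from the post's own example.
    dashboard = "https://us-east-1.quicksight.aws.amazon.com/sn/dashboards/11111111-abcd-1234-efghi-111111111111"
    print("IdP URL for SP-initiated SSO:", sso)
    print("Deep link:", deep_link(sso, dashboard))
```

To use it against your own download, read the saved metadata file into sso_url_from_metadata instead of SAMPLE_METADATA. The host check in is_quicksight_url keeps a shared link generator from being turned into a redirect to an arbitrary site if the dashboard URL ever comes from user input.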

Summary

This post provided a step-by-step guide for configuring Okta as your IdP, and using IAM roles to enable SSO to QuickSight. It also showed how users and groups can be managed using the QuickSight API.

Although this post demonstrated the integration of IAM and Okta, you can replicate this solution using your choice of SAML 2.0 IdPs. For other supported federation options, see Using Identity Federation and Single Sign-on (SSO) with QuickSight.

If you have any questions or feedback, leave a comment. For additional discussion and help getting answers to your questions, join the QuickSight Community to ask, answer, and learn with others and explore additional resources.


About the Authors

Manish Chugh is a Sr. Solutions Architect at AWS based in San Francisco, CA. He has worked with organizations ranging from large enterprises to early stage startups. He is responsible for helping customers architect scalable, secure, and cost-effective workloads on AWS. In his free time, he enjoys hiking East Bay trails, road biking, and watching (and playing) cricket.

Loc Trinh is a solutions architect at Amazon Web Services.

Naresh Gautam is a senior solutions architect at Amazon Web Services.

Ashok Dasineni is a Solutions Architect for Amazon QuickSight. Before joining AWS, Ashok worked with clients and organizations in Banking and financial domain, focusing on fraud research and prevention. He designed and implemented innovative solutions to improve business process, reduce cost and increase revenue, enabling companies around the world to achieve their highest potential through data.

Srikanth Baheti is a Specialized World Wide Principal Solution Architect for Amazon QuickSight. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high traffic web applications, highly scalable and maintainable data pipelines for reporting platforms using AWS services and Serverless computing.

Raji Sivasubramaniam is a Principal Solutions Architect at AWS, focusing on Analytics and AIML. Raji is specialized in architecting end-to-end Enterprise Data Management, Business Intelligence and AIML solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with wide variety of healthcare datasets including managed market, physician targeting and patient analytics.


Audit History

Last reviewed and updated in March 2024 by Ashok Dasineni | Solutions Architect