Enable federation to Amazon QuickSight accounts with Ping One


Amazon QuickSight is a scalable, serverless, embeddable, machine learning (ML)-powered business intelligence (BI) service built for the cloud that supports identity federation in both Standard and Enterprise editions. Organizations are working toward centralizing their identity and access strategy across all of their applications, including on-premises, third-party, and applications on AWS. Many organizations use Ping One to control and manage user authentication and authorization centrally. If your organization uses Ping One for cloud applications, you can enable federation to all of your QuickSight accounts without needing to create and manage users in QuickSight. This authorizes users to access QuickSight assets (analyses, dashboards, folders, and datasets) through centrally managed Ping One.

In this post, we go through the steps to configure federated single sign-on (SSO) between a Ping One instance and a QuickSight account. We demonstrate registering an SSO application in Ping One, creating groups, and mapping to an AWS Identity and Access Management (IAM) role that translates to QuickSight user license types (admin, author, and reader). These QuickSight roles represent three different personas supported in QuickSight. Administrators can publish the QuickSight app in Ping One to enable users to perform SSO to QuickSight using their Ping credentials.

Prerequisites

To complete this walkthrough, you must have the following prerequisites:

  • A Ping One subscription
  • One or more QuickSight account subscriptions

Solution overview

The walkthrough consists of the following steps:

  1. Create groups in Ping One for each of the QuickSight user license types.
  2. Register an AWS application in Ping One.
  3. Add Ping One as your SAML identity provider (IdP) in AWS.
  4. Configure an IAM policy.
  5. Configure an IAM role.
  6. Configure your AWS application in Ping One.
  7. Test the application from Ping One.

Create groups in Ping One for each of the QuickSight roles

To create groups in Ping One, complete the following steps:

  1. Sign in to the Ping One portal using an administrator account.
  2. Under Identities, choose Groups.
  3. Choose the plus sign to add a group.
  4. For Group Name, enter QuickSightReaders.
  5. Choose Save.
  6. Repeat these steps to create the groups QuickSightAdmins and QuickSightAuthors.

Register an AWS application in Ping One

To configure the integration of an AWS application in Ping One, you need to add AWS to your list of managed software as a service (SaaS) apps.

  1. Sign in to the Ping One portal using an administrator account.
  2. Under Connections, choose Application Catalog.
  3. In the search box, enter amazon web services.
  4. Choose Amazon Web Services – AWS from the results to add the application.
  5. For Name, enter Amazon QuickSight.
  6. Choose Next.
    Under Map Attributes, there should be four attributes.
  7. Delete the attribute related to SessionDuration.
  8. Choose Username as the value for all the remaining attributes for now.
    We update these values in later steps.
  9. Choose Next.
  10. In the Select Groups section, add the QuickSightAdmins, QuickSightAuthors, and QuickSightReaders groups you created.
  11. Choose Save.
  12. After the application is created, choose the application again and download the federation metadata XML.

You use this metadata file in the next step.

Add Ping One as your SAML IdP in AWS

To configure Ping One as your SAML IdP, complete the following steps:

  1. Open a new tab in your browser.
  2. Sign in to the IAM console in your AWS account with admin permissions.
  3. On the IAM console, under Access Management in the navigation pane, choose Identity providers.
  4. Choose Add provider.
  5. For Provider name, enter PingOne.
  6. Choose file to upload the metadata document you downloaded earlier.
  7. Choose Add provider.
  8. In the banner message that appears, choose View provider.
  9. Copy the IdP ARN to use in a later step.

Configure an IAM policy

In this step, you create an IAM policy to map three different roles with permissions in QuickSight.

Use the following steps to set up QuickSightUserCreationPolicy. This policy grants privileges in QuickSight to the federated user based on the assigned groups in Ping One. Each statement's Condition matches the aws:PrincipalTag/user-role session tag that Ping One passes in the SAML assertion, so a federated user receives only the QuickSight registration action that corresponds to their Ping One group.

  1. On the IAM console, choose Policies.
  2. Choose Create policy.
  3. On the JSON tab, replace the existing text with the following code:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "quicksight:CreateAdmin",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightAdmins"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "quicksight:CreateUser",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightAuthors"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "quicksight:CreateReader",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalTag/user-role": "QuickSightReaders"
                    }
                }
            }
        ]
    }
  4. Choose Review policy.
  5. For Name, enter QuickSightUserCreationPolicy.
  6. Choose Create policy.

Configure an IAM role

Next, create the role that Ping One users assume when federating into QuickSight. Use the following steps to set up the federated role:

  1. On the IAM console, choose Roles.
  2. Choose Create role.
  3. For Trusted entity type, select SAML 2.0 federation.
  4. For SAML 2.0-based provider, choose the provider you created earlier (PingOne).
  5. Select Allow programmatic and AWS Management Console access.
  6. For Attribute, choose SAML:aud.
  7. For Value, enter https://signin.aws.amazon.com/saml.
  8. Choose Next.
  9. Under Permissions policies, select the QuickSightUserCreationPolicy IAM policy you created in the previous step.
  10. Choose Next.
  11. For Role name, enter QSPingOneFederationRole.
  12. Choose Create role.
  13. On the IAM console, in the navigation pane, choose Roles.
  14. Choose the QSPingOneFederationRole role you created to open the role's properties.
  15. Copy the role ARN to use in later steps.
  16. On the Trust relationships tab, under Trusted entities, verify that the IdP you created is listed.
  17. Under Condition in the policy code, verify that SAML:aud with a value of https://signin.aws.amazon.com/saml is present.
  18. Choose Edit trust policy to add an additional condition.
  19. Under Condition, add the following code:
    "StringLike": {
        "aws:RequestTag/user-role": "*"
    }

  20. Under Action, add the following code:

  21. Choose Update policy to save changes.
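The following added example (not code from the original post) shows the trust policy of QSPingOneFederationRole as it should look once the SAML:aud condition, the aws:RequestTag/user-role condition and the additional action are in place, together with a small checker that mimics how the role evaluates an AssumeRoleWithSAML call. The account id in IDP_ARN is a constructed placeholder, and the sts:TagSession action is an assumption: the post does not spell out the action added in step 20, and sts:TagSession is what AWS requires when a SAML assertion passes PrincipalTag session tags.

```python
import fnmatch

IDP_ARN = "arn:aws:iam::111122223333:saml-provider/PingOne"  # constructed placeholder account id
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Trust policy for QSPingOneFederationRole after steps 16 to 20. sts:TagSession is an
# assumption: AWS requires it whenever the assertion carries PrincipalTag session tags.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": IDP_ARN},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE},
            "StringLike": {"aws:RequestTag/user-role": "*"},
        },
    }],
}


def _statement_matches(stmt, issuer_arn, audience, session_tags):
    """Return None if the statement allows the request, else the reason it does not."""
    if stmt["Effect"] != "Allow":
        return "not an Allow statement"
    if stmt["Principal"].get("Federated") != issuer_arn:
        return "assertion issuer is not the trusted IdP"
    actions = set(stmt["Action"])
    if "sts:AssumeRoleWithSAML" not in actions:
        return "sts:AssumeRoleWithSAML not permitted"
    cond = stmt.get("Condition", {})
    required_aud = cond.get("StringEquals", {}).get("SAML:aud")
    if required_aud is not None and required_aud != audience:
        return "SAML:aud does not match the AWS sign-in audience"
    # StringLike on aws:RequestTag/<key>: the tag must be present and match the pattern.
    for key, pattern in cond.get("StringLike", {}).items():
        tag = key.split("/", 1)[1]
        if tag not in session_tags or not fnmatch.fnmatchcase(session_tags[tag], pattern):
            return f"session tag {tag!r} missing or does not match {pattern!r}"
    if session_tags and "sts:TagSession" not in actions:
        return "session tags were passed but sts:TagSession is not permitted"
    return None


def assume_role_allowed(policy, issuer_arn, audience, session_tags):
    """Mimic the trust-policy checks on an AssumeRoleWithSAML call; returns (allowed, reason)."""
    reason = "no Allow statement in policy"
    for stmt in policy["Statement"]:
        reason = _statement_matches(stmt, issuer_arn, audience, session_tags)
        if reason is None:
            return True, "allowed"
    return False, reason
```

A user whose assertion carries no user-role tag (no matching Ping One group) is refused at the trust policy, before the permissions policy is ever evaluated.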

Configure an AWS application in Ping One

To configure your AWS application, complete the following steps:

  1. Sign in to the Ping One portal using a Ping One administrator account.
  2. Under Connections, choose Applications.
  3. Choose the Amazon QuickSight application you created earlier.
  4. On the Profile tab, choose Enable Advanced Configuration.
  5. Choose Enable in the pop-up window.
  6. On the Configuration tab, choose the pencil icon to edit the configuration.
  7. Under SIGNING KEY, select Sign Assertion & Response.
  8. Under SLO BINDING, for Assertion Validity Duration In Seconds, enter a duration, such as 900.
  9. For Target Application URL, enter https://quicksight.aws.amazon.com/.
  10. Choose Save.

On the Attribute Mappings tab, you now add or update the attributes as in the following table.

Attribute Name                                                  Value
saml_subject                                                    Username
https://aws.amazon.com/SAML/Attributes/RoleSessionName          Username
https://aws.amazon.com/SAML/Attributes/Role                     'arn:aws:iam::xxxxxxxxxx:role/QSPingOneFederationRole,arn:aws:iam::xxxxxxxxxx:saml-provider/PingOne'
https://aws.amazon.com/SAML/Attributes/PrincipalTag:user-role   user.memberOfGroupNames[0]

  1. Enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:user-role for the attribute name and use the corresponding value from the table for the expression.
  2. Choose Save.
  3. If you have more than one QuickSight user role (for this post, QuickSightAdmins, QuickSightAuthors, and QuickSightReaders), you can add all the appropriate role names as follows:
    #data.containsAny(user.memberOfGroupNames,{'QuickSightAdmins'}) ? 'QuickSightAdmins' :
    #data.containsAny(user.memberOfGroupNames,{'QuickSightAuthors'}) ? 'QuickSightAuthors' :
    #data.containsAny(user.memberOfGroupNames,{'QuickSightReaders'}) ? 'QuickSightReaders' : null

  4. To edit the Role attribute, choose the gear icon next to the role.
  5. Populate the corresponding expression from the table and choose Save.

The format of the Role expression is the role ARN (copied in the role creation step) followed by the IdP ARN (copied in the IdP creation step), separated by a comma.
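The following added example (not code from the original post) ties the Ping One group expression above to the QuickSightUserCreationPolicy from the IAM policy section: it mirrors the containsAny() chain to derive the user-role session tag from a user's group memberships, then evaluates the policy's PrincipalTag conditions to find which quicksight:Create* action the federated session ends up with. The precedence order and the policy contents are taken from the post; the evaluator is a simplified model of IAM, not the real engine.

```python
# Ping One group precedence from the post's containsAny() chain: when a user belongs
# to more than one group, the first match wins.
GROUP_PRECEDENCE = ["QuickSightAdmins", "QuickSightAuthors", "QuickSightReaders"]

# QuickSightUserCreationPolicy from the post, built as a Python dict.
USER_CREATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalTag/user-role": group}}}
        for action, group in [("quicksight:CreateAdmin", "QuickSightAdmins"),
                              ("quicksight:CreateUser", "QuickSightAuthors"),
                              ("quicksight:CreateReader", "QuickSightReaders")]
    ],
}


def user_role_tag(member_of_group_names):
    """Mirror the Ping One expression: return the first matching group name, or None.
    None means no user-role session tag is sent, so the role's StringLike "*"
    condition on aws:RequestTag/user-role fails and the sign-in is refused."""
    for group in GROUP_PRECEDENCE:
        if group in member_of_group_names:
            return group
    return None


def allowed_actions(policy, principal_tags):
    """Actions the policy allows for a session carrying the given principal tags."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Every aws:PrincipalTag/<key> condition must match a tag on the session.
        if all(principal_tags.get(key.split("/", 1)[1]) == value
               for key, value in equals.items()):
            actions = stmt["Action"]
            allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


def quicksight_registration(member_of_group_names):
    """End to end: Ping One groups -> user-role tag -> QuickSight Create* action.
    Returns the sorted list of QuickSight actions the federated session may call."""
    tag = user_role_tag(member_of_group_names)
    session_tags = {"user-role": tag} if tag else {}
    return sorted(allowed_actions(USER_CREATION_POLICY, session_tags))
```

Because the expression is evaluated in order, a user who is in both QuickSightAuthors and QuickSightReaders is registered as an author, and a user in none of the three groups gets no QuickSight registration at all.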

Test the application

In this section, you test your Ping One SSO configuration by using the Ping One application portal.

  1. In the Ping One portal, under Identities, choose Groups.
  2. Choose a group and choose Add Users Individually.
  3. From the list of users, add the appropriate users to the group by choosing the plus sign.
  4. Choose Save.
  5. To test the connectivity, under Environment, choose Properties, then copy the URL under APPLICATION PORTAL URL.
  6. Browse to the URL in a private browsing window.
  7. Enter your user credentials and choose Sign On.
    Upon a successful sign-in, you're redirected to the All Applications page with a new application called Amazon QuickSight.
  8. Choose the Amazon QuickSight application to be redirected to the QuickSight console.

Note in the following screenshot that the user name at the top of the page shows as the Ping One federated user.

Summary

This post provided step-by-step instructions to configure federated SSO between Ping One and the QuickSight console. We also discussed how to create policies and roles in IAM and map groups in Ping One to IAM roles for secure access to the QuickSight console.

For more discussions and help getting answers to your questions, check out the QuickSight Community.


About the authors

Srikanth Baheti is a Specialized World Wide Sr. Solution Architect for Amazon QuickSight. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high-traffic web applications and highly scalable and maintainable data pipelines for reporting platforms using AWS services and serverless computing.

Raji Sivasubramaniam is a Sr. Solutions Architect at AWS, focusing on Analytics. Raji specializes in architecting end-to-end Enterprise Data Management, Business Intelligence and Analytics solutions for Fortune 500 and Fortune 100 companies across the globe. She has in-depth experience in integrated healthcare data and analytics with a wide variety of healthcare datasets, including managed market, physician targeting and patient analytics.

Raj Jayaraman is a Senior Specialist Solutions Architect for Amazon QuickSight. Raj focuses on helping customers develop sample dashboards, embed analytics and adopt BI design patterns and best practices.
