QuickSight SSO, how to assign IAM roles to Azure AD group?


Hi,

we configured SSO for QuickSight and followed the instructions in this blog: https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/

However, in this article every user will be an admin, because https://aws.amazon.com/SAML/Attributes/Role will always be mapped to arn:aws:iam::<Your AWS Account ID>:role/QuickSight-Admin-Role; the role does not depend on the user's group.

As described in the article, we created 3 IAM roles and Azure AD groups (Admin, Author, Reader). How can we assign the IAM roles to the AD groups? We already tried using claims in Azure AD, as described here: https://aws.amazon.com/de/blogs/big-data/enabling-amazon-quicksight-federation-with-azure-ad/

1 answer

Hi,

In Azure AD you need to map the https://aws.amazon.com/SAML/Attributes/Role claim to a group value by using a conditional claim transformation rule. A user who is a member of the Author group will then have a https://aws.amazon.com/SAML/Attributes/Role claim with the value Author.

See https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

Jeff

AWS
answered a year ago
Verified by EXPERT iwasa a year ago
  • +1 for Jeff's opinion.
    You need to specify the role to assume in AWS when configuring SAML on the Azure AD side.

  • Hi Jeff and iwasa,

    that is what we did in Azure AD. We created a claim named https://aws.amazon.com/SAML/Attributes/Role and used a claim condition to map the scoped group to the value arn:aws:iam::<Our Account ID>:saml-provider/IAM_Identity_Center,arn:aws:iam::<Our Account ID>:role/<Name of the role we created for ADMIN/AUTHOR/READER>. However, we still get the error message "invalid SAML response". When viewing the SAML response we see that the claims we created are not part of it. Are you sure that this works with Identity Center?

    We got this response in the blog https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/: "Thank you Fabian. You can have only 1 IAM role for an Identity Center application at the moment. You could additionally create Author/Reader roles with the policies given in the 'Configure IAM Policies' section and tie them to different QuickSight applications in IAM Identity Center. This way, you could control which user/user group should have the Admin/Author/Reader role." Does this mean we have to create 3 applications?
