QuickSight SSO, how to assign IAM roles to Azure AD group?

0

Hi,

we configured SSO for QuickSight and followed the instructions in this blog: https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/

However, in this article every user will be an admin, because https://aws.amazon.com/SAML/Attributes/Role will always be mapped to arn:aws:iam::<YourAWSAccountID>:role/QuickSight-Admin-Role; the role does not depend on the user group.

As described in the article, we created 3 IAM roles and Azure AD groups (Admin, Author, Reader). How can we assign IAM roles to the AD group? We already tried using claims in Azure AD, as described here: https://aws.amazon.com/de/blogs/big-data/enabling-amazon-quicksight-federation-with-azure-ad/

1 answer
1

Hi,

In Azure AD you need to map the https://aws.amazon.com/SAML/Attributes/Role claim to the group value by using a conditional claim transformation rule. Therefore a user who is a member of the group Author will have a role claim https://aws.amazon.com/SAML/Attributes/Role with the value Author.

See https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

Jeff

AWS
answered a year ago

Expert
iwasa
reviewed a year ago
  • +1 for Jeff's opinion.
    You need to specify the role to assume in AWS when configuring SAML on the Azure AD side.

  • Hi Jeff and iwasa,

    that is what we did in Azure AD. We created a claim named https://aws.amazon.com/SAML/Attributes/Role and used a claim condition to map the scoped group to the value arn:aws:iam::<OurAccountID>:saml-provider/IAM_Identity_Center,arn:aws:iam::<OurAccountID>:role/<Name of the role we created for ADMIN/AUTHOR/READER>. However, we still get the error message "invalid SAML response". When viewing the SAML response we see that the claims we created are not part of it. Are you sure that this works with Identity Center?

    We got this response in the blog https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/: "Thank you Fabian. You can have only 1 IAM role for an Identity Center application at the moment. You could additionally create Author/Reader roles with the policies given in the 'Configure IAM Policies' section and tie them up with different QuickSight applications in IAM Identity Center. This way, you could control which user/user group should have the Admin/Author/Reader role." Does this mean we have to create 3 applications?
