Cognito User access to Embedded Quicksight dashboard


I have a Cognito user login to access an embedded QuickSight dashboard in an Amplify web app, but it requests a second login to QS before I can view the dashboard.
How do I set it up so a client user only needs to use the Cognito login details to directly access the embedded QuickSight dashboard, without having to register another QS account for the same user? Thanks in advance.

1 Answer
Accepted Answer

A straightforward integration is currently not available between QuickSight and Cognito. Let us discuss the two possible approaches for your requirement:

Approach 1:

The following resources would get created in the setup of the integration between QuickSight and Cognito:

  • Amazon CloudFront distribution
  • S3 static website
  • Amazon Cognito user pool
  • Amazon Cognito identity pool
  • IAM role for authenticated users
  • API Gateway API
  • Lambda function

I would kindly request you to refer to the following link for using QuickSight federated SSO with Amazon Cognito user pools: [+] https://noise.getoto.net/2017/10/06/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/

Generally, the architecture in the above link uses an ID token generated by Amazon Cognito to call API Gateway and Lambda to obtain a sign-in token for Amazon QuickSight from AWS Sign-In Federation. With this token, the app redirects access to Amazon QuickSight.

A web app hosted on Amazon S3 integrates with Amazon Cognito User Pools to authenticate users. It uses Amazon Cognito Federated Identities to authorize access to Amazon QuickSight on behalf of the authenticated user, with temporary AWS credentials and appropriate permissions.

You can also use the GitHub link below for a simple JavaScript frontend and a SAM template to spin up a serverless backend, federating Amazon Cognito User Pools users to QuickSight:

[+] https://github.com/aws-samples/aws-cognito-quicksight-auth

Approach 2:

The use case you are trying to achieve will require usage of both a Cognito user pool and an identity pool. The user flow will look as below.

  1. The user gets authenticated by the Cognito user pool with a SAML-based IdP associated with your Active Directory.
  2. The user is provided with the ID, access and refresh tokens.
  3. The user uses the ID token issued by the user pool to get the identity ID for the user using the GetId API call.
  4. Now the identity ID and ID token can be used to get AWS credentials using the GetCredentialsForIdentity API call.
  5. The user uses the AWS credentials to access QuickSight.

To achieve the above flow the following steps need to be performed -

SETTING UP THE USER POOL -

  • Create a user pool in Cognito using the management console - https://console.aws.amazon.com/cognito/home . Please refer to [1] for detailed steps.

  • Integrate the user pool with the SAML IdP (AWS SSO, ADFS, Okta, whichever you are using) which is associated with your Active Directory. Please refer to [2][3] for how to set up a SAML IdP in a user pool.

  • Configure a User Pool App Client [4] and configure a User Pool Domain [5].

  • Change the app client settings in the Amazon Cognito user pool:

    • Under Enabled identity providers, select the check box for the SAML IdP you configured. For example, ADFS.
    • For Callback URL(s), enter a URL where you want your users to be redirected after logging in.
    • For Sign out URL(s), enter a URL where you want your users to be redirected after logging out.
    • Under Allowed OAuth Flows and Allowed OAuth Scopes, select according to your requirement.
    • Click the Launch Hosted UI button and log in / sign up to the user pool using the “Login with SAML” option.
  • After a successful login the user will be provided with the ID, access and refresh tokens.

SETTING UP THE IDENTITY POOL -

  • Create an identity pool in Cognito using the management console. Please refer to [6] for detailed steps.

    • While creating the identity pool, provide the associated role with the appropriate QuickSight permissions. IAM identity-based policies for Amazon QuickSight dashboards are referenced in [7].
    • Also make sure to give the sts:AssumeRoleWithWebIdentity [8] permission to the role. Here the AssumeRoleWithWebIdentity permission is granted to get a set of temporary security credentials for the user. We are using “WebIdentity” since the user has been authenticated by Cognito.
  • Enable the Cognito user pool as an authentication provider for the identity pool. Please refer to [9] for detailed steps.

GET ID -

  • Use the ID token issued by the user pool to make the GetId API [10] call, which will generate an identity ID.

GET CREDENTIALS FOR IDENTITY -

  • Use the identity ID and the ID token to get AWS credentials (access key and secret access key) using the GetCredentialsForIdentity API [11] call.

  • These credentials can be used by the user to access the QuickSight dashboard.

=====References=====

[1] Creating a User Pool - https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html
[2] Creating and Managing a SAML Identity Provider for a User Pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
[3] Set up ADFS as a SAML identity provider with an Amazon Cognito user pool - https://aws.amazon.com/premiumsupport/knowledge-center/cognito-ad-fs-saml/
[4] Configuring a User Pool App Client - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
[5] Configuring a User Pool Domain - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
[6] Creating an Identity Pool - https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-identity-pool.html
[7] IAM Identity Based Policies for Amazon QuickSight: Dashboards - https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-dashboards
[8] AssumeRoleWithWebIdentity - https://docs.aws.amazon.com/de_de/cli/latest/reference/sts/assume-role-with-web-identity.html
[9] Enable User Pool as Provider for Identity Pool - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html#amazon-cognito-integrating-user-pools-with-identity-pools-configuring
[10] GetId - https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html
[11] GetCredentialsForIdentity - https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html

AWS
SUPPORT ENGINEER
answered 3 months ago
EXPERT
reviewed 8 days ago
  • Thank you very much.
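Steps 3 to 5 of Approach 2 (ID token to GetId to GetCredentialsForIdentity) and the `sts:AssumeRoleWithWebIdentity` grant on the identity pool's authenticated role, as an added Python example; this is not code from the answer above or from any AWS sample. The region, user pool ID, identity pool ID, the unsigned JWTs and the credential values are constructed placeholders, and `FakeCognitoIdentity` is a hypothetical stand-in for `boto3.client("cognito-identity")` that mimics only the two calls the flow uses, so the block runs offline. It also shows the two checks worth doing client-side before the exchange: that the token passed is the ID token (`token_use == "id"`) and that it has not expired, since both cause GetId to fail.

```python
"""Exchange a Cognito User Pool ID token for temporary AWS credentials through a
Cognito Identity Pool (GetId, then GetCredentialsForIdentity), plus the trust
policy the pool's authenticated role needs.

Added illustration, not code from the re:Post answer or any AWS sample. Region,
pool IDs, tokens and credential values are constructed placeholders.
"""
import base64
import json
import time


def logins_key(region, user_pool_id):
    """Identity pools key the Logins map by the user pool's provider name."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Only used to fail
    fast before spending an API call; Cognito Identity verifies the token
    itself, so never base an authorization decision on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def exchange_id_token(client, identity_pool_id, region, user_pool_id, id_token, now=None):
    """Steps 3-4 of the flow; returns (identity_id, credentials dict)."""
    now = time.time() if now is None else now
    claims = jwt_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError("GetId needs the user pool ID token, not the access token")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired; refresh it with the refresh token first")
    logins = {logins_key(region, user_pool_id): id_token}
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return identity_id, resp["Credentials"]


def authenticated_role_trust_policy(identity_pool_id):
    """Trust policy letting Cognito Identity assume the authenticated role only
    for this pool's authenticated identities (the AssumeRoleWithWebIdentity grant)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}


def make_unsigned_jwt(claims):
    """Constructed JWT with an empty signature; for offline demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': 'constructed'})}.{b64(claims)}."


class FakeCognitoIdentity:
    """Hypothetical stand-in for boto3.client('cognito-identity'); records calls."""
    def __init__(self, region):
        self.region, self.calls = region, []

    def get_id(self, IdentityPoolId, Logins):
        self.calls.append(("GetId", IdentityPoolId, sorted(Logins)))
        return {"IdentityId": f"{self.region}:00000000-0000-4000-8000-000000000001"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append(("GetCredentialsForIdentity", IdentityId, sorted(Logins)))
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE", "SecretKey": "constructed-secret",
            "SessionToken": "constructed-session-token", "Expiration": 4102448400}}


REGION, USER_POOL_ID = "us-east-1", "us-east-1_EXAMPLE"              # placeholders
IDENTITY_POOL_ID = "us-east-1:00000000-0000-4000-8000-0000000000ab"  # placeholder
NOW = 4102444800  # fixed clock (2100-01-01) so the sample token counts as valid
SAMPLE_ID_TOKEN = make_unsigned_jwt({"token_use": "id", "exp": NOW + 3600, "sub": "user-1"})
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt({"token_use": "access", "exp": NOW + 3600})
EXPIRED_ID_TOKEN = make_unsigned_jwt({"token_use": "id", "exp": NOW - 1})


def demo(token=SAMPLE_ID_TOKEN):
    """Run the exchange against the fake client; returns (identity_id, creds, calls)."""
    client = FakeCognitoIdentity(REGION)
    identity_id, creds = exchange_id_token(client, IDENTITY_POOL_ID, REGION, USER_POOL_ID, token, now=NOW)
    return identity_id, creds, client.calls


def token_is_rejected(token):
    """True when exchange_id_token refuses the token before any API call."""
    try:
        demo(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(authenticated_role_trust_policy(IDENTITY_POOL_ID), indent=2))
```

For live use, replace `FakeCognitoIdentity(REGION)` with `boto3.client("cognito-identity", region_name=REGION)`; the keyword arguments used here match the boto3 `get_id` and `get_credentials_for_identity` signatures. The `aud` and `amr` conditions in the trust policy are what keep the authenticated role from being assumed by identities from another pool or by unauthenticated (guest) identities, so the credentials handed to the browser carry only the QuickSight permissions attached to that role.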
