QuickSight SSO, how to assign IAM roles to Azure AD group?

0

Hi,

We configured SSO for QuickSight and followed the instructions in this blog: https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/ However, in this article every user becomes an admin, because https://aws.amazon.com/SAML/Attributes/Role is always mapped to arn:aws:iam::<YourAWSAccountID>:role/QuickSight-Admin-Role; the role does not depend on the user's group. As described in the article, we created 3 IAM roles and Azure AD groups (Admin, Author, Reader). How can we assign the IAM roles to the AD groups? We already tried using claims in Azure AD, as described here: https://aws.amazon.com/de/blogs/big-data/enabling-amazon-quicksight-federation-with-azure-ad/

1 Answer
1

Hi,

In Azure AD you need to map the https://aws.amazon.com/SAML/Attributes/Role claim to the group value using a conditional claim transformation rule. A user who is a member of the group Author will then have a role claim https://aws.amazon.com/SAML/Attributes/Role with the value Author.

See https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

Jeff

AWS
answered a year ago
iwasa (Expert)
reviewed a year ago
  • +1 for Jeff's opinion.
    You need to specify the role to assume in AWS when configuring SAML on the Azure AD side.

  • Hi Jeff and iwasa,

    That is what we did in Azure AD. We created a claim named https://aws.amazon.com/SAML/Attributes/Role and used a claim condition to map the scoped group to the value arn:aws:iam::<Our Account ID>:saml-provider/IAM_Identity_Center, arn:aws:iam::<Our Account ID>:role/<Name of the role we created for ADMIN/AUTHOR/READER>. However, we still get the error message "invalid SAML response". When viewing the SAML response we see that the claims we created are not part of it. Are you sure that this works with Identity Center? We got this response in the blog https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/: "Thank you Fabian. You can have only 1 IAM role for an Identity Center application at the moment. You could additionally create Author/Reader role with the policies which is given in "Configure IAM Policies" section and tie it up with different QuickSight applications in IAM Identity Center. This way, you could control which "user/user group" should have Admin/Author/Reader role." Does this mean we have to create 3 applications?
