1 Answer
Hi,
In Azure AD you need to map the https://aws.amazon.com/SAML/Attributes/Role claim to the group value by means of a conditional claim transformation rule. Therefore a user who is a member of group Author will have a role claim https://aws.amazon.com/SAML/Attributes/Role with value Author.
Jeff
answered a year ago
+1 for Jeff's opinion.
You need to specify the role to assume in AWS when configuring SAML on the Azure AD side.
Hi Jeff and isawa,
that is what we did in Azure AD. We created a claim named https://aws.amazon.com/SAML/Attributes/Role and used a claim condition to map the scoped group to the value arn:aws:iam::<Our Account ID>:saml-provider/IAM_Identity_Center, arn:aws:iam::<Our Account ID>:role/<Name of the role we created for ADMIN/AUTHOR/READER>. However, we still get the error message "invalid SAML response". When viewing the SAML response we see that the claims we created are not part of it. Are you sure that this works with Identity Center? We got some response in the blog https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/:
Thank you Fabian. You can have only 1 IAM role for an Identity Center application at the moment. You could additionally create Author/Reader roles with the policies given in the "Configure IAM Policies" section and tie them up with different QuickSight applications in IAM Identity Center. This way, you could control which user/user group should have the Admin/Author/Reader role.
Does this mean we have to create 3 applications?
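As an added example (not code from this thread, from AWS or from Microsoft), the following Python check takes a decoded SAML assertion, as captured with a browser SAML tracer, and reports whether the https://aws.amazon.com/SAML/Attributes/Role attribute is present and carries a well-formed role ARN and SAML-provider ARN pair from the same account, accepting the two ARNs in either order. The sample assertion, the role name QuickSightAuthor and the account id 123456789012 are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def role_pairs(saml_xml: str) -> list[tuple[str, str]]:
    """Return (role_arn, provider_arn) pairs from the Role attribute, raising
    ValueError when it is absent or malformed (what AWS reports as invalid)."""
    root = ET.fromstring(saml_xml)
    values = [
        v.text.strip()
        for attr in root.iter(f"{{{SAML_NS}}}Attribute")
        if attr.get("Name") == ROLE_ATTR
        for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
        if v.text and v.text.strip()
    ]
    if not values:
        raise ValueError(f"assertion carries no {ROLE_ATTR} attribute")
    pairs = []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"expected 'role-arn,provider-arn', got {value!r}")
        # AWS accepts the two ARNs in either order, so match each by its shape.
        role = next((m for p in parts if (m := ROLE_ARN.match(p))), None)
        provider = next((m for p in parts if (m := PROVIDER_ARN.match(p))), None)
        if role is None or provider is None:
            raise ValueError(f"malformed ARN pair: {value!r}")
        if role.group(1) != provider.group(1):
            raise ValueError(f"role and provider are in different accounts: {value!r}")
        pairs.append((role.group(0), provider.group(0)))
    return pairs


# Constructed sample assertion; 123456789012 stands in for the real account id.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/QuickSightAuthor,arn:aws:iam::123456789012:saml-provider/IAM_Identity_Center</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(role_pairs(SAMPLE_ASSERTION))
```

If the check raises "carries no ... attribute" on a captured response, the claim never left Azure AD, which matches the symptom described above and points at the claim condition rather than at the AWS side.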