Tuesday, July 5, 2022
HomeBig DataAllow Amazon QuickSight federation with Google Workspace

Allow Amazon QuickSight federation with Google Workspace

Amazon QuickSight is a scalable, serverless, embeddable, machine studying (ML)-powered enterprise intelligence (BI) service constructed for the cloud that helps identification federation in each Normal and Enterprise editions. Organizations are working in the direction of centralizing their identification and entry technique throughout all of their functions, together with on-premises, third-party, and functions on AWS. Many organizations use Google Workspace to regulate and handle person authentication and authorization centrally. You’ll be able to allow federation to QuickSight accounts with no need to create and handle customers. This authorizes customers to entry QuickSight property—analyses, dashboards, folders, and datasets—by means of centrally managed Google Workspace Identities.

On this put up, we undergo the steps to configure federated single sign-on (SSO) between a Google Workspace occasion and QuickSight account. We show registering an SSO software in Google Workspace, and map QuickSight roles (admin, creator, and reader) to Google Workspace Identities. These QuickSight roles characterize three completely different personas supported in QuickSight. Directors can publish the QuickSight app in a Google Workspace Dashboard to allow customers to SSO to QuickSight utilizing their Google Workspace credentials.

Resolution overview

In your group, the portal is often a perform of your identification supplier (IdP), which handles the trade of belief between your group and QuickSight.

On the Google Workspace Dashboard, you possibly can overview an inventory of apps. This put up exhibits you easy methods to configure the customized app for AWS.

The person move consists of the next steps:

  1. The person logs in to your group’s portal and chooses the choice to go to the QuickSight console.
  2. The portal verifies the person’s identification in your group.
  3. The portal generates a SAML authentication response that features assertions that establish the person and embrace attributes concerning the person. The portal sends this response to the consumer browser. Though not mentioned right here, you can even configure your IdP to incorporate a SAML assertion attribute known as SessionDuration that specifies how lengthy the console session is legitimate.
  4. The consumer browser is redirected to the AWS single sign-on endpoint and posts the SAML assertion.
  5. The endpoint requests non permanent safety credentials on behalf of the person, and creates a QuickSight sign-in URL that makes use of these credentials.
  6. AWS sends the sign-in URL again to the consumer as a redirect.
  7. The consumer browser is redirected to the QuickSight console. If the SAML authentication response contains attributes that map to a number of AWS Identification and Entry Administration (IAM) roles, the person is first prompted to pick the function for accessing the console.

The next diagram illustrates the answer structure.

The next are the high-level steps to arrange federated single sign-on entry by way of Google Workspace:

  1. Obtain the Google IdP data.
  2. Create an IAM IdP with Google as SAML IdP.
  3. Configure IAM insurance policies for QuickSight roles.
  4. Configure IAM QuickSight roles for federated customers.
  5. Create a customized person attribute in Google Workspace.
  6. Add the AWS SAML attributes to your Google Workspace person profile.
  7. Arrange the AWS SAML app in Google Workspace.
  8. Grant entry to customers in Google Workspace.
  9. Confirm federated entry to your QuickSight occasion.

Detailed procedures for every of those steps comprise the rest of this put up.


For this walkthrough, you need to have the next conditions:

  • A Google Workspace subscription
  • An AWS account with QuickSight subscription
  • Primary understanding of QuickSight roles—admin, creator, and reader
  • Primary understanding of IAM and privileges required to create an IAM identification supplier, roles, insurance policies, and customers

Obtain the Google IdP data

First, let’s get the SAML metadata that accommodates important data to allow your AWS account to authenticate the IdP and find the required communication endpoint places. Full the next steps:

  1. Log in to the Google Workspace Admin console.
  2. On the Admin console house web page, beneath Safety within the navigation pane, select Authentication and SSO with SAML functions.
  3. Below IdP metadata, select Obtain Metadata.

Create an IAM IdP with Google as SAML IdP

You now configure Azure AD as your SAML IdP by way of the IAM console. Full the next steps:

  1. On the IAM console, select Identification suppliers within the navigation pane.
  2. Select Add supplier.
  3. For Configure supplier, choose SAML.
  4. For Supplier identify, enter a reputation for the IdP (akin to Google).
  5. For Metadata doc, select Select file and specify the SAML metadata doc that you just downloaded.
  6. Select Add supplier.
  7. Doc the Amazon Useful resource Title (ARN) by viewing the IdP you simply created.

The ARN ought to seems just like arn:aws:iam::<YOURACCOUNTNUMBER>:saml-provider/Google. We’d like this ARN to configure declare guidelines later on this put up.

Configure IAM insurance policies for QuickSight roles

On this step, we create three IAM insurance policies for various function permissions in QuickSight:

  • QuickSight-Federated-Admin
  • QuickSight-Federated-Creator
  • QuickSight-Federated-Reader

Use the next steps to arrange the QuickSight-Federated-Admin coverage. This coverage grants admin privileges in QuickSight to the federated person:

  1. On the IAM console, select Insurance policies.
  2. Select Create coverage.
  3. Select JSON and exchange the prevailing textual content with the next code:
        “Model”: “2012-10-17”,
        “Assertion”: [
                “Effect”: “Allow”,
                “Action”: “quicksight:CreateAdmin”,
                “Resource”: “*”

  4. Select Overview coverage.
  5. For Title, enter QuickSight-Federated-Admin.
  6. Select Create coverage.
  7. Repeat these steps to create QuickSight-Federated-Creator, and use the next coverage to grant creator privileges in QuickSight to the federated person:
        “Model”: “2012-10-17”,
        “Assertion”: [
                “Effect”: “Allow”,
                “Action”: “quicksight:CreateUser”,
                “Resource”: “*”

  8. Repeat the steps to create QuickSight-Federated-Reader, and use the next coverage to grant reader privileges in QuickSight to the federated person:
        “Model”: "2012-10-17",
        "Assertion": [
                "Effect": "Allow",
                "Action": "quicksight:CreateReader",
                "Resource": "*"

Configure IAM QuickSight roles for federated customers

Subsequent, create the roles that Google IdP customers assume when federating into QuickSight. The next steps arrange the admin function:

  1. On the IAM console, select Roles within the navigation pane.
  2. Select Create function.
  3. For Trusted entity sort, select SAML 2.0 federation.
  4. For SAML supplier, select the supplier you created earlier (Google).
  5. For Attribute, select SAML:aud.
  6. For Worth, enter https://signin.aws.amazon.com/saml.
  7. Select Subsequent.
  8. On the Add permissions web page, choose the QuickSight-Federated-Admin IAM coverage you created earlier.
  9. Select Subsequent.
  10. For Function identify, enter QuickSight-Admin-Function.
  11. For Function description, enter an outline.
  12. Select Create function.
  13. On the IAM console, within the navigation pane, select Roles.
  14. Select the QuickSight-Admin-Function function you created to open the function’s properties.
  15. On the Belief relationships tab, select Edit belief relationship.
  16. Below Trusted entities, confirm that the IdP you created is listed.
  17. Below Situation, confirm that SAML:aud with a price of https://signin.aws.amazon.com/saml is current.
  18. Repeat these steps to create creator and reader roles and fasten the suitable insurance policies:
    1. For QuickSight-Creator-Function, use the coverage QuickSight-Federated-Creator.
    2. For QuickSight-Reader-Function, use the coverage QuickSight-Federated-Reader.
  19. Navigate to the newly created roles and be aware the ARNs for them.

We use these ARNs to configure claims guidelines later on this put up. They’re within the following format:

  • arn:aws:iam:: <YOURACCOUNTNUMBER>:function/QuickSight-Admin-Function
  • arn:aws:iam:: <YOURACCOUNTNUMBER>:function/QuickSight-Creator-Function
  • arn:aws:iam:: <YOURACCOUNTNUMBER>:function/QuickSight-Reader-Function

Create a customized person attribute in Google Workspace

Now let’s create a customized person attribute in your Google Workspace. This permits us so as to add the SAML attributes that the AWS Administration Console expects as a way to enable a SAML-based authentication.

  1. Log in to Google Admin console with admin credentials.
  2. Below Listing, select Customers.
  3. On the Extra choices menu, select Handle customized attributes.
  4. Select Add Customized Attribute.
  5. For Choose sort of trusted entity, select SAML 2.0 federation.
  6. Configure the customized attribute as follows:
    1. Class: Amazon
    2. Description: Amazon Customized Attributes
  7. For Customized fields, enter the next:
    1. Title: Function
    2. Information sort: Textual content
    3. Visibility: Seen to person and admin
    4. No. of values: Multi-value
  8. Select Add.

The brand new class seems on the Handle person attributes web page.

Add the AWS SAML attributes to the Google Workspace person profile

Now that we now have configured a customized person attribute, let’s add the SAML attributes that we famous earlier to the Google Workspace person profile.

  1. Whereas logged in to the Google Admin console with admin credentials, navigate to the Customers web page.
  2. Within the Customers checklist, discover the person. In case you need assistance, see Discover a person account.
  3. Select the person’s identify to open their account web page.
  4. Select Person data.
  5. Select customized attribute you latterly created, named Amazon.
  6. Add a price to this tradition attribute famous earlier within the following format: <AWS Function ARN>,<AWS supplier/IdP ARN>.
  7. Select Save.

Arrange the AWS SAML app in Google Workspace

Now that we now have the whole lot in place, we’re able to create a SAML app inside our Google Workspace account and supply the QuickSight occasion beginning URL. This offers the entry level for Google Workspace customers to SSO into the QuickSight occasion.

  1. Whereas logged in to Google Admin console with admin credentials, beneath Apps, select Internet and cellular apps.
  2. Select Add App, and Seek for apps.
  3. Enter Amazon Internet Providers within the search discipline.
  4. Within the search outcomes, hover over the Amazon Internet Providers SAML app and select Choose.
  5. On the Google Identification Supplier particulars web page, select Proceed.
  6. On the Service supplier particulars web page, the ACS URL and Entity ID values for Amazon Internet Providers are configured by default.
  7. For Begin URL, enter https://quicksight.aws.amazon.com.
  8. On the Attribute Mapping web page, select the Choose discipline menu and map the next Google listing attributes to their corresponding Amazon Internet Providers attributes:
    Google Listing Attribute Amazon Internet Providers Attribute
    Primary Data > Main E mail https://aws.amazon.com/SAML/Attributes/RoleSessionName
    Amazon > Function https://aws.amazon.com/SAML/Attributes/Function

  1. Select End.

Grant entry to customers in Google Workspace

When the SAML app is created in Google workspace, it’s turned off by default. This implies for customers logged in to their Google Workspace account, the SAML app isn’t seen to them. We now allow the AWS SAML app to your Google Workspace customers.

  1. Whereas logged in to the Google Admin console with admin credentials, navigate to the Internet and cellular apps web page.
  2. Select Amazon Internet Providers.

  3. Select Person entry.
  4. To activate a service for everybody in your group, select ON for everybody.
  5. Select Save.

In case you don’t wish to activate this software for all customers, you possibly can alternatively grant entry to a subset of customers by utilizing Google Workspace organizational models.

Confirm federated entry to the QuickSight occasion

To check your SAML 2.0-based authentication with QuickSight for customers in your present IDP (Google Workspace), full the next steps:

  1. Open a brand new browser session, for instance, utilizing Chrome, in a brand new incognito window.
  2. Log in to your Google Workspace account (for the aim of this demo, we use the Google Workspace admin account).
  3. Select Amazon Internet Providers from the checklist of Google apps.


This put up supplied a step-by-step information for configuring Google Workspace as your IdP, and utilizing IAM roles to allow SSO to QuickSight. Now your customers have a seamless sign-in expertise to QuickSight and have the suitable degree of entry associated to their function.

Though this put up demonstrated the mixing of IAM and Google Workspace, you possibly can replicate this resolution utilizing your selection of SAML 2.0 IdPs. For different supported federation choices, see Utilizing identification federation and single sign-on (SSO) with Amazon QuickSight.

To get solutions to your questions associated to QuickSight, seek advice from the QuickSight Group.

You probably have any questions or suggestions, please go away a remark.

In regards to the Authors

Sriharsh Adari is a Senior Options Architect at Amazon Internet Providers (AWS), the place he helps clients work backwards from enterprise outcomes to develop revolutionary options on AWS. Over time, he has helped a number of clients on information platform transformations throughout trade verticals. His core space of experience embrace Know-how Technique, Knowledge Analytics, and Knowledge Science. In his spare time, he enjoys enjoying sports activities, binge-watching TV exhibits, and enjoying Tabla.

Srikanth Baheti is a Specialised World Extensive Sr. Resolution Architect for Amazon QuickSight. He began his profession as a advisor and labored for a number of non-public and authorities organizations. Later he labored for PerkinElmer Well being and Sciences & eResearch Know-how Inc, the place he was liable for designing and growing excessive site visitors internet functions, extremely scalable and maintainable information pipelines for reporting platforms utilizing AWS companies and Serverless computing.



Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments