Allow federation to Amazon QuickSight accounts with Ping One

Amazon QuickSight is a scalable, serverless, embeddable, machine studying (ML)-powered enterprise intelligence (BI) service constructed for the cloud that helps identification federation in each Commonplace and Enterprise editions. Organizations are working in the direction of centralizing their identification and entry technique throughout all of their purposes, together with on-premises, third-party, and purposes on AWS. Many organizations use Ping One to regulate and handle person authentication and authorization centrally. In case your group makes use of Ping One for cloud purposes, you may allow federation to your entire QuickSight accounts while not having to create and handle customers in QuickSight. This authorizes customers to entry QuickSight property—analyses, dashboards, folders, and datasets—by means of centrally managed Ping One.

On this put up, we undergo the steps to configure federated single sign-on (SSO) between a Ping One occasion and a QuickSight account. We exhibit registering an SSO utility in Ping One, creating teams, and mapping to an AWS Identification and Entry Administration (IAM) position that interprets to QuickSight person license varieties (admin, creator, and reader). These QuickSight roles symbolize three totally different personas supported in QuickSight. Directors can publish the QuickSight app in Ping One to allow customers to carry out SSO to QuickSight utilizing their Ping credentials.


To finish this walkthrough, it’s essential to have the next conditions:

  • A Ping One subscription
  • A number of QuickSight account subscriptions

Resolution overview

The walkthrough consists of the next steps:

  1. Create teams in Ping One for every of the QuickSight person license varieties.
  2. Register an AWS utility in Ping One.
  3. Add Ping One as your SAML identification supplier (IdP) in AWS.
  4. Configure an IAM coverage.
  5. Configure an IAM position.
  6. Configure your AWS utility in Ping One.
  7. Check the applying from Ping One.

Create teams in Ping One for every of the QuickSight roles

To create teams in Ping One, full the next steps:

  1. Register to the Ping One portal utilizing an administrator account.
  2. Underneath Identities, select Teams.
  3. Select the plus signal so as to add a gaggle.
  4. For Group Identify, enter QuickSightReaders.
  5. Select Save.
  6. Repeat these steps to create the teams QuickSightAdmins and QuickSightAuthors.

Register an AWS utility in Ping One

To configure the combination of an AWS utility in Ping One, you could add AWS to your listing of managed software program as a service (SaaS) apps.

  1. Register to the Ping One portal utilizing an administrator account.
  2. Underneath Connections, select Utility Catalog.
  3. Within the search field, enter amazon internet providers.
  4. Select Amazon Internet Providers – AWS from the outcomes so as to add the applying.  BDB-2210-Ping-AWS-APP
  5. For Identify, enter Amazon QuickSight.
  6. Select Subsequent.
    BDB-2210-Ping-AWS-SAVEUnderneath Map Attributes, there needs to be 4 attributes.
  7. Delete the attribute associated to SessionDuration.
  8. Select Username as the worth for all of the remaining attributes for now.
    We replace these values in later steps.
  9. Select Subsequent.
  10. Within the Choose Teams part, add the QuickSightAdmins, QuickSightAuthors, and QuickSightReaders teams you created.
  11. Select Save.
  12. After the applying is created, select the applying once more and obtain the federation metadata XML.

You utilize this within the subsequent step.

Add Ping One as your SAML IdP in AWS

To configure Ping One as your SAML IdP, full the next steps:

  1. Open a brand new tab in your browser.
  2. Register to the IAM console in your AWS account with admin permissions.
  3. On the IAM console, beneath Entry Administration within the navigation pane, select Identification suppliers.
  4. Select Add supplier.
  5. For Supplier identify, enter PingOne.
  6. Select file to add the metadata doc you downloaded earlier.
  7. Select Add supplier.
  8. Within the banner message that seems, select View supplier.
  9. Copy the IdP ARN to make use of in a later step.

Configure an IAM coverage

On this step, you create an IAM coverage to map three totally different roles with permissions in QuickSight.

Use the next steps to arrange QuickSightUserCreationPolicy. This coverage grants privileges in QuickSight to the federated person primarily based on the assigned teams in Ping One.

  1. On the IAM console, select Insurance policies.
  2. Select Create coverage.
  3. On the JSON tab, substitute the present textual content with the next code:
       "Model": "2012-10-17",
        "Assertion": [ 
                "Sid": "VisualEditor0", 
                 "Effect": "Allow", 
                 "Action": "quicksight:CreateAdmin", 
                 "Resource": "*", 
                 "Condition": { 
                     "StringEquals": { 
                         "aws:PrincipalTag/user-role": "QuickSightAdmins" 
                 "Sid": "VisualEditor1", 
                 "Effect": "Allow", 
                 "Action": "quicksight:CreateUser", 
                 "Resource": "*", 
                 "Condition": { 
                     "StringEquals": { 
                         "aws:PrincipalTag/user-role": "QuickSightAuthors" 
                 "Sid": "VisualEditor2", 
                 "Effect": "Allow", 
                 "Action": "quicksight:CreateReader", 
                 "Resource": "*", 
                 "Condition": { 
                     "StringEquals": { 
                         "aws:PrincipalTag/user-role": "QuickSightReaders" 
  4. Select Overview coverage.
  5. For Identify, enter QuickSightUserCreationPolicy.
  6. Select Create coverage.

Configure an IAM position

Subsequent, create the position that Ping One customers assume when federating into QuickSight. Use the next steps to arrange the federated position:

  1. On the IAM console, select Roles.
  2. Select Create position.
  3. For Trusted entity kind, choose SAML 2.0 federation.
  4. For SAML 2.0-based supplier, select the supplier you created earlier (PingOne).
  5. Choose Enable programmatic and AWS Administration Console entry.
  6. For Attribute, select SAML:aud.
  7. For Worth, enter
  8. Select Subsequent.
  9. Underneath Permissions insurance policies, choose the QuickSightUserCreationPolicy IAM coverage you created within the earlier step.
  10. Select Subsequent.
  11. For Position identify, enter QSPingOneFederationRole.
  12. Select Create position.
  13. On the IAM console, within the navigation pane, select Roles.
  14. Select the QSPingOneFederationRole position you created to open the position’s properties.
  15. Copy the position ARN to make use of in later steps.
  16. On the Belief relationships tab, beneath Trusted entities, confirm that the IdP you created is listed.
  17. Underneath Situation within the coverage code, confirm that SAML:aud with a worth of is current.
  18. Select Edit belief coverage so as to add a further situation.
  19. Underneath Situation, add the next code:
    "StringLike": {
    "aws:RequestTag/user-role": "*"

  20. Underneath Motion, add the next code:


  21. Select Replace coverage to save lots of modifications.

Configure an AWS utility in Ping One

To configure your AWS utility, full the next steps:

  1. Register to the Ping One portal utilizing a Ping One administrator account.
  2. Underneath Connections, select Utility.
  3. Select the Amazon QuickSight utility you created earlier.
  4. On the Profile tab, select Allow Superior ConfigurationBDB-2210-Ping-AdvancedConfig
  5. Select Allow within the pop-up window.
  6. On the Configuration tab, select the pencil icon to edit the configuration.
  7. Underneath SIGNING KEY, choose Signal Assertion & Response.
  8. Underneath SLO BINDING, for Assertion Validity Length In Seconds, enter a length, akin to 900.
  9. For Goal Utility URL, enter
  10. Select Save.
    BDB-2210-Ping-AdvancedConfig5On the Attribute Mappings tab, you now add or replace the attributes as within the following desk.
Attribute Identify Worth
saml_subject Username Username ‘arn:aws:iam::xxxxxxxxxx:position/QSPingOneFederationRole,
arn:aws:iam::xxxxxxxxxx:saml-provider/PingOne’ person.memberOfGroupNames[0]
  1. Enter for the attribute identify and use the corresponding worth from the desk for the expression.
  2. Select Save.
  3. If in case you have a couple of QuickSight person position (for this put up, QuickSightAdmins, QuicksightAuthors, and QuickSightReaders), you may add all the suitable position names as follows:
    #knowledge.containsAny(person.memberOfGroupNames,{'QuickSightAdmins'})? 'QuickSightAdmins' : 
    #knowledge.containsAny(person.memberOfGroupNames,{'QuickSightAuthorss'}) ? 'QuickSightAuthors' : 
    #knowledge.containsAny(person.memberOfGroupNames,{'QuickSightReaders'}) ?'QuickSightReaders' : null

  4. To edit the position attribute, select the gear icon subsequent to the position.
  5. Populate the corresponding expression from the desk and select Save.

The format of the expression is the position ARN (copied within the position creation step) adopted by the IdP ARN (copied within the IdP creation step) separated by a comma.

Check the applying

On this part, you take a look at your Ping One SSO configuration through the use of a Microsoft utility.

  1. Within the Ping One portal, beneath Identities, select Teams.
  2. Select a gaggle and select Add Customers Individually.
  3. From the listing of customers, add the suitable customers to the group by selecting the plus signal.
  4. Select Save.
  5. To check the connectivity, beneath Atmosphere, select Properties, then copy the URL beneath APPLICATION PORTAL URL.
  6. Browse to the URL in a non-public shopping window.
  7. Enter your person credentials and select Signal On.
    Upon a profitable sign-in, you’re redirected to the All Functions web page with a brand new utility referred to as Amazon QuickSight.
  8. Select the Amazon QuickSight utility to be redirected to the QuickSight console.

Word within the following screenshot that the person identify on the prime of the web page reveals because the Ping One federated person.


This put up offered step-by-step directions to configure federated SSO between Ping One and the QuickSight console. We additionally mentioned learn how to create insurance policies and roles in IAM and map teams in Ping One to IAM roles for safe entry to the QuickSight console.

For extra discussions and assist getting solutions to your questions, take a look at the QuickSight Group.

Concerning the authors

Srikanth Baheti is a Specialised World Huge Sr. Resolution Architect for Amazon QuickSight. He began his profession as a guide and labored for a number of personal and authorities organizations. Later he labored for PerkinElmer Well being and Sciences & eResearch Know-how Inc, the place he was answerable for designing and growing excessive site visitors internet purposes, extremely scalable and maintainable knowledge pipelines for reporting platforms utilizing AWS providers and Serverless computing.

Raji Sivasubramaniam is a Sr. Options Architect at AWS, specializing in Analytics. Raji is specialised in architecting end-to-end Enterprise Knowledge Administration, Enterprise Intelligence and Analytics options for Fortune 500 and Fortune 100 corporations throughout the globe. She has in-depth expertise in built-in healthcare knowledge and analytics with large number of healthcare datasets together with managed market, doctor concentrating on and affected person analytics.

Raj Jayaraman is a Senior Specialist Options Architect for Amazon QuickSight. Raj focuses on serving to clients develop pattern dashboards, embed analytics and undertake BI design patterns and greatest practices.

Latest articles

Related articles

Leave a reply

Please enter your comment!
Please enter your name here