Handle customers and group memberships on Amazon QuickSight utilizing SCIM occasions generated in IAM Identification Heart with Azure AD

Amazon QuickSight is cloud-native, scalable enterprise intelligence (BI) service that helps identification federation. AWS Identification and Entry Administration (IAM) permits organizations to make use of the identities managed of their enterprise identification supplier (IdP) and federate single sign-on (SSO) to QuickSight. As extra organizations are constructing centralized consumer identification shops with all their functions, together with on-premises apps, third-party apps, and functions on AWS, they want an answer to automate consumer provisioning into these functions and maintain their attributes in sync with their centralized consumer identification retailer.

When architecting a consumer repository, some organizations resolve to arrange their customers in teams or use attributes (resembling division identify), or a mixture of each. In case your group makes use of Microsoft Azure Lively Listing (Azure AD) for centralized authentication and makes use of its consumer attributes to arrange the customers, you may allow federation throughout all QuickSight accounts in addition to handle customers and their group membership in QuickSight utilizing occasions generated within the AWS platform. This enables system directors to centrally handle consumer permissions from Azure AD. Provisioning, updating, and de-provisioning customers and teams in QuickSight now not requires administration in two locations with this resolution. This makes positive that customers and teams in QuickSight keep in line with info in Azure AD via computerized synchronization.

On this submit, we stroll you thru the steps required to configure federated SSO between QuickSight and Azure AD through AWS IAM Identification Heart (Successor to AWS Single Signal-On) the place computerized provisioning is enabled for Azure AD. We additionally display computerized consumer and group membership replace utilizing a System for Cross-domain Identification Administration (SCIM) occasion.

Resolution overview

The next diagram illustrates the answer structure and consumer movement.

On this submit, IAM Identification Heart gives a central place to deliver collectively administration of customers and their entry to AWS accounts and cloud functions. Azure AD is the consumer repository and configured because the exterior IdP in IAM Identification Heart. On this resolution, we display the usage of two consumer attributes (division, jobTitle) particularly in Azure AD. IAM Identification Heart helps computerized provisioning (synchronization) of consumer and group info from Azure AD into IAM Identification Heart utilizing the SCIM v2.0 protocol. With this protocol, the attributes from Azure AD are handed alongside to IAM Identification Heart, which inherits the outlined attribute for the consumer’s profile in IAM Identification Heart. IAM Identification Heart additionally helps identification federation with SAML (Safety Assertion Markup Language) 2.0. This enables IAM Identification Heart to authenticate identities utilizing Azure AD. Customers can then SSO into functions that assist SAML, together with QuickSight. The primary half of this submit focuses on how one can configure this finish to finish (see Signal-In Circulation within the diagram).

Subsequent, consumer info begins to get synchronized between Azure AD and IAM Identification Heart through SCIM protocol. You may automate making a consumer in QuickSight utilizing an AWS Lambda operate triggered by the CreateUser SCIM occasion originated from IAM Identification Heart, which was captured in Amazon EventBridge. In the identical Lambda operate, you may subsequently replace the consumer’s membership by including into the required group (whose identify is comprised of two consumer attributes: department-jobTitle, in any other case create the group if it doesn’t exist but, previous to including the membership.

On this submit, this automation half is omitted as a result of it might be redundant with the content material mentioned within the following sections.

This submit explores and demonstrates an UpdateUser SCIM occasion triggered by the consumer profile replace on Azure AD. The occasion is captured in EventBridge, which invokes a Lambda operate to replace the group membership in QuickSight (see Replace Circulation within the diagram). As a result of a given consumer is meant to belong to just one group at a time on this instance, the operate will substitute the consumer’s present group membership with the brand new one.

In Half I, you arrange SSO to QuickSight from Azure AD through IAM Identification Heart (the sign-in movement):

1. Configure Azure AD because the exterior IdP in IAM Identification Heart.
2. Add and configure an IAM Identification Heart utility in Azure AD.
3. Full configuration of IAM Identification Heart.
4. Arrange SCIM computerized provisioning on each Azure AD and IAM Identification Heart, and make sure in IAM Identification Heart.
5. Add and configure a QuickSight utility in IAM Identification Heart.
6. Configure a SAML IdP and SAML 2.0 federation IAM function.
7. Configure attributes within the QuickSight utility.
8. Create a consumer, group, and group membership manually through the AWS Command Line Interface (AWS CLI) or API.
9. Confirm the configuration by logging in to QuickSight from the IAM Identification Heart portal.

In Half II, you arrange automation to alter group membership upon an SCIM occasion (the replace movement):

1. Perceive SCIM occasions and occasion patterns for EventBridge.
2. Create attribute mapping for the group identify.
3. Create a Lambda operate.
4. Add an EventBridge rule to set off the occasion.
5. Confirm the configuration by altering the consumer attribute worth at Azure AD.

Conditions

For this walkthrough, you must have the next stipulations:

• IAM Identification Heart. For directions, discuss with Steps 1–2 within the AWS IAM Identification Heart Getting Began information.
• A QuickSight account subscription.
• Primary understanding of IAM and privileges required to create an IAM IdP, roles, and insurance policies.
• An Azure AD subscription. You want not less than one consumer with the next attributes to be registered in Azure AD:
  • userPrincipalName – Obligatory area for Azure AD consumer.
  • displayName – Obligatory area for Azure AD consumer.
  • Mail – Obligatory area for IAM Identification Heart to work with QuickSight.
  • jobTitle – Used to allocate consumer to group
  • division – Used to allocate consumer to group.
  • givenName – Optionally available area.
  • surname – Optionally available area.

Half I: Arrange SSO to QuickSight from Azure AD through IAM Identification Heart

This part presents the steps to arrange the sign-in movement.

Configure an exterior IdP as Azure AD in IAM Identification Heart

To configure your exterior IdP, full the next steps:

1. On the IAM Identification Heart console, select Settings.
2. Select Actions on the Identification supply tab, then select Change identification supply.
3. Select Exterior identification supplier, then select Subsequent.

The IdP metadata is displayed. Maintain this browser tab open.

Add and configure an IAM Identification Heart utility in Azure AD

To arrange your IAM Identification Heart utility, full the next steps:

1. Open a brand new browser tab.
2. Log in to the Azure AD portal utilizing your Azure administrator credentials.
3. Beneath Azure companies, select Azure Lively Listing.
4. Within the navigation pane, underneath Handle, select Enterprise functions, then select New utility.
5. Within the Browse Azure AD Galley part, seek for IAM Identification Heart, then select AWS IAM Identification Heart (successor to AWS Single Signal-On).
   
6. Enter a reputation for the applying (on this submit, we use IIC-QuickSight) and select Create.
7. Within the Handle part, select Single sign-on, then select SAML.
8. Within the Assign customers and teams part, select Assign customers and teams.
9. Select Add consumer/group and add not less than one consumer.
10. Choose Consumer as its function.
11. Within the Arrange single signal on part, select Get began.
12. Within the Primary SAML Configuration part, select Edit, and fill out following parameters and values:
13. Identifier – The worth within the IAM Identification Heart issuer URL area.
14. Reply URL – The worth within the IAM Identification Heart Assertion Client Service (ACS) URL area.
15. Signal on URL – Go away clean.
16. Relay State – Go away clean.
17. Logout URL – Go away clean.
18. Select Save.

The configuration ought to appear to be the next screenshot.

19. Within the SAML Certificates part, obtain the Federation Metadata XML file and the Certificates (Uncooked) file.
    

You’re all set with Azure AD SSO configuration at this second. In a while, you’ll return to this web page to configure automated provisioning, so maintain this browser tab open.

Full configuration of IAM Identification Heart

Full your IAM Identification Heart configuration with the next steps:

1. Return to the browser tab for IAM Identification Heart console which you have got stored open in earlier step.
2. For IdP SAML metadata underneath the Identification supplier metadata part, select Select file.
3. Select the beforehand downloaded metadata file (IIC-QuickSight.xml).
4. For IdP certificates underneath the Identification supplier metadata part, select Select file.
5. Select the beforehand downloaded certificates file (IIC-QuickSight.cer).
6. Select Subsequent.
7. Enter ACCEPT, then select Change Identification supplier supply.

Arrange SCIM computerized provisioning on each Azure AD and IAM Identification Heart

Your provisioning technique remains to be set as Handbook (non-SCIM). On this step, we allow computerized provisioning in order that IAM Identification Heart turns into conscious of the customers, which permits identification federation to QuickSight.

1. Within the Computerized provisioning part, select Allow.
   
2. Select Entry token to indicate your token.
   
3. Return to the browser tab (Azure AD), which you stored open in Step 1.
4. Within the Handle part, select Enterprise functions.
5. Select IIC-QuickSight, then select Provisioning.
6. Select Computerized in Provisioning Mode and enter the next values:
7. Tenant URL – The worth within the SCIM endpoint area.
8. Secret Token – The worth within the Entry token area.
9. Select Take a look at Connection.
10. After the check connection is efficiently full, set Provisioning Standing to On.
    
11. Select Save.
12. Select Begin provisioning to start out computerized provisioning utilizing the SCIM protocol.

When provisioning is full, it would lead to propagating a number of customers from Azure AD to IAM Identification Heart. The next screenshot exhibits the customers that have been provisioned in IAM Identification Heart.

Word that upon this SCIM provisioning, the customers in QuickSight ought to be created utilizing the Lambda operate triggered by the occasion originated from IAM Identification Heart. On this submit, we create a consumer and group membership through the AWS CLI (Step 8).

Add and configure a QuickSight utility in IAM Identification Heart

On this step, we create a QuickSight utility in IAM Identification Heart. You additionally configure an IAM SAML supplier, function, and coverage for the applying to work. Full the next steps:

1. On the IAM Identification Heart console, on the Functions web page, select Add Software.
2. For Pre-integrated utility underneath Choose an utility, enter quicksight.
3. Choose Amazon QuickSight, then select Subsequent.
4. Enter a reputation for Show identify, resembling Amazon QuickSight.
5. Select Obtain underneath IAM Identification Heart SAML metadata file and put it aside in your laptop.
6. Go away all different fields as they’re, and save the configuration.
7. Open the applying you’ve simply created, then select Assign Customers.

The customers provisioned through SCIM earlier will likely be listed.

8. Select the entire customers to assign to the applying.

Configure a SAML IdP and a SAML 2.0 federation IAM function

To arrange your IAM SAML IdP for IAM Identification Heart and IAM function, full the next steps:

1. On the IAM console, within the navigation pane, select Identification suppliers, then select Add supplier.
2. Select SAML as Supplier sort, and enter Azure-IIC-QS as Supplier identify.
3. Beneath Metadata doc, select Select file and add the metadata file you downloaded earlier.
4. Select Add supplier to save lots of the configuration.
5. Within the navigation pane, select Roles, then select Create function.
6. For Trusted entity sort, choose SAML 2.0 federation.
7. For Select a SAML 2.0 supplier, choose the SAML supplier that you simply created, then select Permit programmatic and AWS Administration Console entry.
8. Select Subsequent.
9. On the Add Permission web page, select Subsequent.

On this submit, we create QuickSight customers through an AWS CLI command, subsequently we’re not creating any permission coverage. Nonetheless, if the self-provisioning function in QuickSight is required, the permission coverage for the CreateReader, CreateUser, and CreateAdmin actions (relying on the function of the QuickSight customers) is required.

10. On the Title, evaluate, and create web page, underneath Function particulars, enter qs-reader-azure for the function.
11. Select Create function.
12. Word the ARN of the function.

You employ the ARN to configure attributes in your IAM Identification Heart utility.

Configure attributes within the QuickSight utility

To affiliate the IAM SAML IdP and IAM function to the QuickSight utility in IAM Identification Heart, full the next steps:

1. On the IAM Identification Heart console, within the navigation pane, select Functions.
2. Choose the Amazon QuickSight utility, and on the Actions menu, select Edit attribute mappings.
3. Select Add new attribute mapping.
4. Configure the mappings within the following desk.

Word the next values:

• Substitute <ACCOUNTID> together with your AWS account ID.
• PrincipalTag:E mail is for the e-mail syncing function for self-provisioning customers that should be enabled on the QuickSight admin web page. On this submit, don’t allow this function as a result of we register the consumer with an AWS CLI command.

5. Select Save adjustments.

Create a consumer, group, and group membership with the AWS CLI

As described earlier, customers and teams in QuickSight are being created manually on this resolution. We create them through the next AWS CLI instructions.

Step one is to create a consumer in QuickSight specifying the IAM function created earlier and e-mail handle registered in Azure AD. The second step is to create a gaggle with the group identify as mixed attribute values from Azure AD for the consumer created in step one. The third step is so as to add the consumer into the group created earlier; member-name signifies the consumer identify created in QuickSight that’s comprised of <IAM Function identify>/<session identify>. See the next code:

aws quicksight register-user 
--aws-account-id <ACCOUNTID> --namespace default 
--identity-type IAM --email <e-mail registered in Azure AD> 
--user-role READER --iam-arn arn:aws:iam::<ACCOUNTID>:function/qs-reader-azure 
--session-name <e-mail registered in Azure AD>

 aws quicksight create-group 
--aws-account-id <ACCOUNTID> --namespace default 
--group-name Advertising and marketing-Specialist

 aws quicksight create-group-membership 
--aws-account-id <ACCOUNTID> --namespace default 
--member-name qs-reader-azure/<e-mail registered in Azure AD> 
–-group-name Advertising and marketing-Specialist

At this level, the end-to-end configuration of Azure AD, IAM Identification Heart, IAM, and QuickSight is full.

Confirm the configuration by logging in to QuickSight from the IAM Identification Heart portal

Now you’re able to log in to QuickSight utilizing the IdP-initiated SSO movement:

1. Open a brand new non-public window in your browser.
2. Log in to the IAM Identification Heart portal (https://d-xxxxxxxxxx.awsapps.com/begin).

You’re redirected to the Azure AD login immediate.

3. Enter your Azure AD credentials.

You’re redirected again to the IAM Identification Heart portal.

4. Within the IAM Identification Heart portal, select Amazon QuickSight.

You’re routinely redirected to your QuickSight dwelling.

Half II: Automate group membership change upon SCIM occasions

On this part, we configure the replace movement.

Perceive the SCIM occasion and occasion sample for EventBridge

When an Azure AD administrator makes any adjustments to the attributes on the actual consumer profile, the change will likely be synced with the consumer profile in IAM Identification Heart through SCIM protocol, and the exercise is recorded in an AWS CloudTrail occasion referred to as UpdateUser by sso-directory.amazonaws.com (IAM Identification Heart) because the occasion supply. Equally, the CreateUser occasion is recorded when a consumer is created on Azure AD, and the DisableUser occasion is for when a consumer is disabled.

The next screenshot on the  Occasion historical past web page exhibits two CreateUser occasions: one is recorded by IAM Identification Heart, and the opposite one is by QuickSight. On this submit, we use the one from IAM Identification Heart.

To ensure that EventBridge to have the ability to deal with the movement correctly, every occasion should specify the fields of an occasion that you really want the occasion sample to match. The next occasion sample is an instance of the UpdateUser occasion generated in IAM Identification Heart upon SCIM synchronization:

{
  "supply": ["aws.sso-directory"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "element": {
    "eventSource": ["sso-directory.amazonaws.com"],
    "eventName": ["UpdateUser"]
  }
}

On this submit, we display an computerized replace of group membership in QuickSight that’s triggered by the UpdateUser SCIM occasion.

Create attribute mapping for the group identify

To ensure that the Lambda operate to handle group membership in QuickSight, it should acquire the 2 consumer attributes (division and jobTitle). To make the method easier, we’re combining two attributes in Azure AD (division, jobTitle) into one attribute in IAM Identification Heart (title), utilizing the attribute mappings function in Azure AD. IAM Identification Heart then makes use of the title attribute as a chosen group identify for this consumer.

1. Log in to the Azure AD console, navigate to Enterprise Functions, IIC-QuickSight, and Provisioning.
2. Select Edit attribute mappings.
3. Beneath Mappings, select Provision Azure Lively Listing Customers.
   
4. Select jobTitle from the checklist of Azure Lively Listing Attributes.
5. Change the next settings:
   1. Mapping Sort – Expression
   2. Expression – Be part of("-", [department], [jobTitle])
   3. Goal attribute – title
      
6. Select Save.
7. You may go away the provisioning web page.

The attribute is routinely up to date in IAM Identification Heart. The up to date consumer profile appears to be like like the next screenshots (Azure AD on the left, IAM Identification Heart on the correct).

Create a Lambda operate

Now we create a Lambda operate to replace QuickSight group membership upon the SCIM occasion. The core a part of the operate is to acquire the consumer’s title attribute worth in IAM Identification Heart based mostly on the triggered occasion info, after which to make sure that the consumer exists in QuickSight. If the group identify doesn’t exist but, it creates the group in QuickSight after which provides the consumer into the group. Full the next steps:

1. On the Lambda console, select Create operate.
2. For Title, enter UpdateQuickSightUserUponSCIMEvent.
3. For Runtime, select Python 3.9.
4. For Time Out, set to fifteen seconds.
5. For Permissions, create and fasten an IAM function that features the next permissions (the trusted entity (principal) ought to be lambda.amazonaws.com):

   {
       "Model": "2012-10-17",
       "Assertion": [
           {
               "Sid": "MinimalPrivForScimQsBlog",
               "Effect": "Allow",
               "Action": [
                   "identitystore:DescribeUser",
                   "quicksight:RegisterUser",
                   "quicksight:DescribeUser",
                   "quicksight:CreateGroup",
                   "quicksight:DeleteGroup",
                   "quicksight:DescribeGroup",
                   "quicksight:ListUserGroups",
                   "quicksight:CreateGroupMembership",
                   "quicksight:DeleteGroupMembership",
                   "quicksight:DescribeGroupMembership",
                   "logs:CreateLogGroup",
                   "logs:CreateLogStream",
                   "logs:PutLogEvents"
               ],
               "Useful resource": "*"
           }
       ]
   }

6. Write Python code utilizing the Boto3 SDK for IdentityStore and QuickSight. The next is the complete pattern Python code:

import sys
import boto3
import json
import logging
from time import strftime
from datetime import datetime

# Set logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(occasion, context):
  '''
  Modify QuickSight group membership upon SCIM occasion from IAM Identification Heart originated from Azure AD.
  It really works on this means:
    Azure AD -> SCIM -> Identification Heart -> CloudTrail -> EventBridge -> Lambda -> QuickSight
  Word that this can be a simple pattern to indicate how one can replace QuickSight group membership upon sure SCIM occasion.
  For instance, it assumes that 1:1 user-to-group assigmnent, just one (mixed) SAML attribute, and many others. 
  For manufacturing, take buyer necessities into consideration and develop your personal code.
  '''

  # Setting variables (hard-coded. get dynamically for manufacturing code)
  qs_namespace_name="default"
  qs_iam_role="qs-reader-azure"

  # Get hold of account ID and area
  account_id = boto3.consumer('sts').get_caller_identity()['Account']
  area = boto3.session.Session().region_name

  # Setup shoppers
  qs = boto3.consumer('quicksight')
  iic = boto3.consumer('identitystore')

  # Examine boto3 model
  logger.debug(f"## Your boto3 model: {boto3.__version__}")

  # Get consumer information from occasion information
  event_json = json.dumps(occasion)
  logger.debug(f"## Occasion: {event_json}")
  iic_store_id = occasion['detail']['requestParameters']['identityStoreId']
  iic_user_id = occasion['detail']['requestParameters']['userId']  # For UpdateUser occasion, userId is offered via requestParameters
  logger.information("## Getting consumer information from Identification Retailer.")
  attempt:
    res_iic_describe_user = iic.describe_user(
      IdentityStoreId = iic_store_id,
      UserId = iic_user_id
    )
  besides Exception as e:
    logger.error("## Operation failed on account of unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    logger.information(f"## Consumer information retrieval succeeded.")
    azure_user_attribute_title = res_iic_describe_user['Title']
    azure_user_attribute_userprincipalname = res_iic_describe_user['UserName']
    qs_user_name = qs_iam_role + "/" + azure_user_attribute_userprincipalname
    logger.information(f"#### Identification Heart consumer identify: {azure_user_attribute_userprincipalname}")
    logger.information(f"#### QuickSight group identify desired: {azure_user_attribute_title}")
    logger.debug(f"#### res_iic_describe_user: {json.dumps(res_iic_describe_user)}, which is {sort(res_iic_describe_user)}")

  # Exit if consumer is just not current since this operate is meant to be referred to as by UpdateUser occasion
  attempt:
    # Get QuickSight consumer identify
    res_qs_describe_user = qs.describe_user(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  besides qs.exceptions.ResourceNotFoundException as e:
    logger.error(f"## Consumer {qs_user_name} is just not present in QuickSight.")
    logger.error(f"## Be certain the QuickSight consumer has been created upfront. Exiting.")
    logger.error(e)
    sys.exit()
  besides Exception as e:
    logger.error("## Operation failed on account of unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    logger.information(f"## Consumer {qs_user_name} is present in QuickSight.")

  # Take away present membership except it is the specified one
  qs_new_group = azure_user_attribute_title  # Set "Title" SAML attribute as the specified QuickSight group identify
  in_desired_group = False  # Set this flag True when the consumer is already a member of the specified group
  logger.information(f"## Beginning group membership elimination.")
  attempt:
    res_qs_list_user_groups = qs.list_user_groups(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  besides Exception as e:
    logger.error("## Operation failed on account of unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    # Skip if the array is empty (consumer is just not member of any teams)
    if not res_qs_list_user_groups['GroupList']:
      logger.information(f"## Consumer {qs_user_name} is just not a member of any QuickSight group. Skipping elimination.")
    else:
      for grp in res_qs_list_user_groups['GroupList']:
        qs_current_group = grp['GroupName']
        # Retain membership if the brand new and present group names match
        if qs_current_group == qs_new_group:
          logger.information(f"## The consumer {qs_user_name} already belong to the specified group. Skipping elimination.")
          in_desired_group = True
        else:
          # Take away all pointless memberships
          logger.information(f"## Eradicating consumer {qs_user_name} from present group {qs_current_group}.")
          attempt:
            res_qs_delete_group_membership = qs.delete_group_membership(
              MemberName = qs_user_name,
              GroupName = qs_current_group,
              AwsAccountId = account_id,
              Namespace = qs_namespace_name
            )
          besides Exception as e:
            logger.error(f"## Operation failed on account of unknown error. Exiting.")
            logger.error(e)
            sys.exit()
          else:
            logger.information(f"## The consumer {qs_user_name} has faraway from {qs_current_group}.")

  # Create group membership based mostly on IIC attribute "Title"
  logger.information(f"## Beginning group membership task.")
  if in_desired_group is True:
      logger.information(f"## The consumer already belongs to the specified one. Skipping task.")
  else:
    attempt:
      logger.information(f"## Checking if the specified group exists.")
      res_qs_describe_group = qs.describe_group(
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    besides qs.exceptions.ResourceNotFoundException as e:
      # Create a QuickSight group if not current
      logger.information(f"## Group {qs_new_group} is just not current. Creating.")
      at this time = datetime.now()
      res_qs_create_group = qs.create_group(
        GroupName = qs_new_group,
        Description = 'Mechanically created at ' + at this time.strftime('%Y.%m.%d %H:%M:%S'),
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    besides Exception as e:
      logger.error(f"## Operation failed on account of unknown error. Exiting.")
      logger.error(e)
      sys.exit()
    else:
      logger.information(f"## Group {qs_new_group} is present in QuickSight.")

    # Add the consumer to the specified group
    logger.information("## Modifying group membership based mostly on its newest attributes.")
    logger.information(f"#### QuickSight consumer identify: {qs_user_name}")
    logger.information(f"#### QuickSight group identify: {qs_new_group}")
    attempt: 
      res_qs_create_group_membership = qs.create_group_membership(
        MemberName = qs_user_name,
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
    )
    besides Exception as e:
      logger.error("## Operation failed on account of unknown error. Exiting.")
      logger.error(e)
    else:
      logger.information("## Group membership modification succeeded.")
      qs_group_member_name = res_qs_create_group_membership['GroupMember']['MemberName']
      qs_group_member_arn = res_qs_create_group_membership['GroupMember']['Arn']
      logger.debug("## QuickSight group information:")
      logger.debug(f"#### qs_user_name: {qs_user_name}")
      logger.debug(f"#### qs_group_name: {qs_new_group}")
      logger.debug(f"#### qs_group_member_name: {qs_group_member_name}")
      logger.debug(f"#### qs_group_member_arn: {qs_group_member_arn}")
      logger.debug("## IIC information:")
      logger.debug(f"#### IIC consumer identify: {azure_user_attribute_userprincipalname}")
      logger.debug(f"#### IIC consumer id: {iic_user_id}")
      logger.debug(f"#### Title: {azure_user_attribute_title}")
      logger.information(f"## Consumer {qs_user_name} has been efficiently added to the group {qs_new_group} in {qs_namespace_name} namespace.")
  
  # return response
  return {
    "namespaceName": qs_namespace_name,
    "userName": qs_user_name,
    "groupName": qs_new_group
  }

Word that this Lambda operate requires Boto3 1.24.64 or later. If the Boto3 included within the Lambda runtime is older than this, use a Lambda layer to make use of the most recent model of Boto3. For extra particulars, discuss with How do I resolve “unknown service”, “parameter validation failed”, and “object has no attribute” errors from a Python (Boto 3) Lambda operate.

Add an EventBridge rule to set off the occasion

To create an EventBridge rule to invoke the beforehand created Lambda operate, full the next steps:

1. On the EventBridge console, create a brand new rule.
2. For Title, enter updateQuickSightUponSCIMEvent.
3. For Occasion sample, enter the next code:

   {
     "supply": ["aws.sso-directory"],
     "detail-type": ["AWS API Call via CloudTrail"],
     "element": {
       "eventSource": ["sso-directory.amazonaws.com"],
       "eventName": ["UpdateUser"]
     }
   }

4. For Targets, select the Lambda operate you created (UpdateQuickSightUserUponSCIMEvent).
5. Allow the rule.

Confirm the configuration by altering a consumer attribute worth at Azure AD

Let’s modify a consumer’s attribute at Azure AD, after which examine if the brand new group is created and that the consumer is added into the brand new one.

1. Return to the Azure AD console.
2. From Handle, click on Customers.
3. Select one of many customers you beforehand used to log in to QuickSight from the IAM Identification Heart portal.
4. Select Edit properties, then edit the values for Job title and Division.
   
5. Save the configuration.
6. From Handle, select Enterprise utility, your utility identify, and Provisioning.
7. Select Cease provisioning after which Begin provisioning in sequence.

In Azure AD, the SCIM provisioning interval is mounted to 40 minutes. To get rapid outcomes, we manually cease and begin the provisioning.

8. Navigate to the QuickSight console.
9. On the drop-down consumer identify menu, select Handle QuickSight.
10. Select Handle teams.

Now you must discover that the brand new group is created and the consumer is assigned to this group.

Clear up

Once you’re completed with the answer, clear up your atmosphere to reduce value impression. Chances are you’ll need to delete the next sources:

• Lambda operate
• Lambda layer
• IAM function for the Lambda operate
• CloudWatch log group for the Lambda operate
• EventBridge rule
• QuickSight account
  • Word : There can solely be one QuickSight account per AWS account. So your QuickSight account would possibly already be utilized by different customers in your group. Delete the QuickSight account provided that you explicitly set it as much as comply with this weblog and are completely positive that it’s not being utilized by some other customers.
• IAM Identification Heart occasion
• IAM ID Supplier configuration for Azure AD
• Azure AD occasion

Abstract

This submit offered step-by-step directions to configure IAM Identification Heart SCIM provisioning and SAML 2.0 federation from Azure AD for centralized administration of QuickSight customers. We additionally demonstrated automated group membership updates in QuickSight based mostly on consumer attributes in Azure AD, through the use of SCIM occasions generated in IAM Identification Heart and establishing automation with EventBridge and Lambda.

With this event-driven strategy to provision customers and teams in QuickSight, system directors can have full flexibility in the place the varied other ways of consumer administration may very well be anticipated relying on the group. It additionally ensures the consistency of customers and teams between QuickSight and Azure AD each time a consumer accesses QuickSight.

We’re trying ahead to listening to any questions or suggestions.

In regards to the authors

Takeshi Nakatani is a Principal Bigdata Marketing consultant on Skilled Providers group in Tokyo. He has 25 years of expertise in IT business, expertised in architecting information infrastructure. On his days off, he could be a rock drummer or a motorcyclyst.

Wakana Vilquin-Sakashita is Specialist Resolution Architect for Amazon QuickSight. She works carefully with prospects to assist making sense of the info via visualization. Beforehand Wakana labored for S&P International  helping prospects to entry information, insights and researches related for his or her enterprise.