Handle customers and group memberships on Amazon QuickSight utilizing SCIM occasions generated in IAM Id Middle with Azure AD

Amazon QuickSight is cloud-native, scalable enterprise intelligence (BI) service that helps identification federation. AWS Id and Entry Administration (IAM) permits organizations to make use of the identities managed of their enterprise identification supplier (IdP) and federate single sign-on (SSO) to QuickSight. As extra organizations are constructing centralized consumer identification shops with all their purposes, together with on-premises apps, third-party apps, and purposes on AWS, they want an answer to automate consumer provisioning into these purposes and hold their attributes in sync with their centralized consumer identification retailer.

When architecting a consumer repository, some organizations resolve to prepare their customers in teams or use attributes (equivalent to division identify), or a mixture of each. In case your group makes use of Microsoft Azure Energetic Listing (Azure AD) for centralized authentication and makes use of its consumer attributes to prepare the customers, you possibly can allow federation throughout all QuickSight accounts in addition to handle customers and their group membership in QuickSight utilizing occasions generated within the AWS platform. This enables system directors to centrally handle consumer permissions from Azure AD. Provisioning, updating, and de-provisioning customers and teams in QuickSight now not requires administration in two locations with this answer. This makes certain that customers and teams in QuickSight keep in step with info in Azure AD by way of computerized synchronization.

On this submit, we stroll you thru the steps required to configure federated SSO between QuickSight and Azure AD by way of AWS IAM Id Middle (Successor to AWS Single Signal-On) the place computerized provisioning is enabled for Azure AD. We additionally show computerized consumer and group membership replace utilizing a System for Cross-domain Id Administration (SCIM) occasion.

Resolution overview

The next diagram illustrates the answer structure and consumer circulation.

On this submit, IAM Id Middle supplies a central place to deliver collectively administration of customers and their entry to AWS accounts and cloud purposes. Azure AD is the consumer repository and configured because the exterior IdP in IAM Id Middle. On this answer, we show the usage of two consumer attributes (division, jobTitle) particularly in Azure AD. IAM Id Middle helps computerized provisioning (synchronization) of consumer and group info from Azure AD into IAM Id Middle utilizing the SCIM v2.0 protocol. With this protocol, the attributes from Azure AD are handed alongside to IAM Id Middle, which inherits the outlined attribute for the consumer’s profile in IAM Id Middle. IAM Id Middle additionally helps identification federation with SAML (Safety Assertion Markup Language) 2.0. This enables IAM Id Middle to authenticate identities utilizing Azure AD. Customers can then SSO into purposes that help SAML, together with QuickSight. The primary half of this submit focuses on learn how to configure this finish to finish (see Signal-In Stream within the diagram).

Subsequent, consumer info begins to get synchronized between Azure AD and IAM Id Middle by way of SCIM protocol. You possibly can automate making a consumer in QuickSight utilizing an AWS Lambda operate triggered by the CreateUser SCIM occasion originated from IAM Id Middle, which was captured in Amazon EventBridge. In the identical Lambda operate, you possibly can subsequently replace the consumer’s membership by including into the required group (whose identify is comprised of two consumer attributes: department-jobTitle, in any other case create the group if it doesn’t exist but, previous to including the membership.

On this submit, this automation half is omitted as a result of it could be redundant with the content material mentioned within the following sections.

This submit explores and demonstrates an UpdateUser SCIM occasion triggered by the consumer profile replace on Azure AD. The occasion is captured in EventBridge, which invokes a Lambda operate to replace the group membership in QuickSight (see Replace Stream within the diagram). As a result of a given consumer is meant to belong to just one group at a time on this instance, the operate will change the consumer’s present group membership with the brand new one.

In Half I, you arrange SSO to QuickSight from Azure AD by way of IAM Id Middle (the sign-in circulation):

1. Configure Azure AD because the exterior IdP in IAM Id Middle.
2. Add and configure an IAM Id Middle software in Azure AD.
3. Full configuration of IAM Id Middle.
4. Arrange SCIM computerized provisioning on each Azure AD and IAM Id Middle, and make sure in IAM Id Middle.
5. Add and configure a QuickSight software in IAM Id Middle.
6. Configure a SAML IdP and SAML 2.0 federation IAM function.
7. Configure attributes within the QuickSight software.
8. Create a consumer, group, and group membership manually by way of the AWS Command Line Interface (AWS CLI) or API.
9. Confirm the configuration by logging in to QuickSight from the IAM Id Middle portal.

In Half II, you arrange automation to vary group membership upon an SCIM occasion (the replace circulation):

1. Perceive SCIM occasions and occasion patterns for EventBridge.
2. Create attribute mapping for the group identify.
3. Create a Lambda operate.
4. Add an EventBridge rule to set off the occasion.
5. Confirm the configuration by altering the consumer attribute worth at Azure AD.

Stipulations

For this walkthrough, you need to have the next stipulations:

• IAM Id Middle. For directions, confer with Steps 1–2 within the AWS IAM Id Middle Getting Began information.
• A QuickSight account subscription.
• Fundamental understanding of IAM and privileges required to create an IAM IdP, roles, and insurance policies.
• An Azure AD subscription. You want at the very least one consumer with the next attributes to be registered in Azure AD:
  • userPrincipalName – Obligatory discipline for Azure AD consumer.
  • displayName – Obligatory discipline for Azure AD consumer.
  • Mail – Obligatory discipline for IAM Id Middle to work with QuickSight.
  • jobTitle – Used to allocate consumer to group
  • division – Used to allocate consumer to group.
  • givenName – Non-obligatory discipline.
  • surname – Non-obligatory discipline.

Half I: Arrange SSO to QuickSight from Azure AD by way of IAM Id Middle

This part presents the steps to arrange the sign-in circulation.

Configure an exterior IdP as Azure AD in IAM Id Middle

To configure your exterior IdP, full the next steps:

1. On the IAM Id Middle console, select Settings.
2. Select Actions on the Id supply tab, then select Change identification supply.
3. Select Exterior identification supplier, then select Subsequent.

The IdP metadata is displayed. Maintain this browser tab open.

Add and configure an IAM Id Middle software in Azure AD

To arrange your IAM Id Middle software, full the next steps:

1. Open a brand new browser tab.
2. Log in to the Azure AD portal utilizing your Azure administrator credentials.
3. Beneath Azure companies, select Azure Energetic Listing.
4. Within the navigation pane, beneath Handle, select Enterprise purposes, then select New software.
5. Within the Browse Azure AD Galley part, seek for IAM Id Middle, then select AWS IAM Id Middle (successor to AWS Single Signal-On).
   
6. Enter a reputation for the applying (on this submit, we use IIC-QuickSight) and select Create.
7. Within the Handle part, select Single sign-on, then select SAML.
8. Within the Assign customers and teams part, select Assign customers and teams.
9. Select Add consumer/group and add at the very least one consumer.
10. Choose Consumer as its function.
11. Within the Arrange single signal on part, select Get began.
12. Within the Fundamental SAML Configuration part, select Edit, and fill out following parameters and values:
13. Identifier – The worth within the IAM Id Middle issuer URL discipline.
14. Reply URL – The worth within the IAM Id Middle Assertion Shopper Service (ACS) URL discipline.
15. Signal on URL – Depart clean.
16. Relay State – Depart clean.
17. Logout URL – Depart clean.
18. Select Save.

The configuration ought to appear like the next screenshot.

19. Within the SAML Certificates part, obtain the Federation Metadata XML file and the Certificates (Uncooked) file.
    

You’re all set with Azure AD SSO configuration at this second. Afterward, you’ll return to this web page to configure automated provisioning, so hold this browser tab open.

Full configuration of IAM Id Middle

Full your IAM Id Middle configuration with the next steps:

1. Return to the browser tab for IAM Id Middle console which you could have stored open in earlier step.
2. For IdP SAML metadata beneath the Id supplier metadata part, select Select file.
3. Select the beforehand downloaded metadata file (IIC-QuickSight.xml).
4. For IdP certificates beneath the Id supplier metadata part, select Select file.
5. Select the beforehand downloaded certificates file (IIC-QuickSight.cer).
6. Select Subsequent.
7. Enter ACCEPT, then select Change Id supplier supply.

Arrange SCIM computerized provisioning on each Azure AD and IAM Id Middle

Your provisioning methodology remains to be set as Handbook (non-SCIM). On this step, we allow computerized provisioning in order that IAM Id Middle turns into conscious of the customers, which permits identification federation to QuickSight.

1. Within the Automated provisioning part, select Allow.
   
2. Select Entry token to indicate your token.
   
3. Return to the browser tab (Azure AD), which you stored open in Step 1.
4. Within the Handle part, select Enterprise purposes.
5. Select IIC-QuickSight, then select Provisioning.
6. Select Automated in Provisioning Mode and enter the next values:
7. Tenant URL – The worth within the SCIM endpoint discipline.
8. Secret Token – The worth within the Entry token discipline.
9. Select Check Connection.
10. After the check connection is efficiently full, set Provisioning Standing to On.
    
11. Select Save.
12. Select Begin provisioning to begin computerized provisioning utilizing the SCIM protocol.

When provisioning is full, it would end in propagating a number of customers from Azure AD to IAM Id Middle. The next screenshot exhibits the customers that have been provisioned in IAM Id Middle.

Be aware that upon this SCIM provisioning, the customers in QuickSight must be created utilizing the Lambda operate triggered by the occasion originated from IAM Id Middle. On this submit, we create a consumer and group membership by way of the AWS CLI (Step 8).

Add and configure a QuickSight software in IAM Id Middle

On this step, we create a QuickSight software in IAM Id Middle. You additionally configure an IAM SAML supplier, function, and coverage for the applying to work. Full the next steps:

1. On the IAM Id Middle console, on the Purposes web page, select Add Utility.
2. For Pre-integrated software beneath Choose an software, enter quicksight.
3. Choose Amazon QuickSight, then select Subsequent.
4. Enter a reputation for Show identify, equivalent to Amazon QuickSight.
5. Select Obtain beneath IAM Id Middle SAML metadata file and put it aside in your laptop.
6. Depart all different fields as they’re, and save the configuration.
7. Open the applying you’ve simply created, then select Assign Customers.

The customers provisioned by way of SCIM earlier will probably be listed.

8. Select all the customers to assign to the applying.

Configure a SAML IdP and a SAML 2.0 federation IAM function

To arrange your IAM SAML IdP for IAM Id Middle and IAM function, full the next steps:

1. On the IAM console, within the navigation pane, select Id suppliers, then select Add supplier.
2. Select SAML as Supplier sort, and enter Azure-IIC-QS as Supplier identify.
3. Beneath Metadata doc, select Select file and add the metadata file you downloaded earlier.
4. Select Add supplier to avoid wasting the configuration.
5. Within the navigation pane, select Roles, then select Create function.
6. For Trusted entity sort, choose SAML 2.0 federation.
7. For Select a SAML 2.0 supplier, choose the SAML supplier that you simply created, then select Permit programmatic and AWS Administration Console entry.
8. Select Subsequent.
9. On the Add Permission web page, select Subsequent.

On this submit, we create QuickSight customers by way of an AWS CLI command, due to this fact we’re not creating any permission coverage. Nevertheless, if the self-provisioning characteristic in QuickSight is required, the permission coverage for the CreateReader, CreateUser, and CreateAdmin actions (relying on the function of the QuickSight customers) is required.

10. On the Identify, overview, and create web page, beneath Position particulars, enter qs-reader-azure for the function.
11. Select Create function.
12. Be aware the ARN of the function.

You employ the ARN to configure attributes in your IAM Id Middle software.

Configure attributes within the QuickSight software

To affiliate the IAM SAML IdP and IAM function to the QuickSight software in IAM Id Middle, full the next steps:

1. On the IAM Id Middle console, within the navigation pane, select Purposes.
2. Choose the Amazon QuickSight software, and on the Actions menu, select Edit attribute mappings.
3. Select Add new attribute mapping.
4. Configure the mappings within the following desk.

Be aware the next values:

• Exchange <ACCOUNTID> together with your AWS account ID.
• PrincipalTag:Electronic mail is for the e-mail syncing characteristic for self-provisioning customers that must be enabled on the QuickSight admin web page. On this submit, don’t allow this characteristic as a result of we register the consumer with an AWS CLI command.

5. Select Save adjustments.

Create a consumer, group, and group membership with the AWS CLI

As described earlier, customers and teams in QuickSight are being created manually on this answer. We create them by way of the next AWS CLI instructions.

Step one is to create a consumer in QuickSight specifying the IAM function created earlier and electronic mail deal with registered in Azure AD. The second step is to create a gaggle with the group identify as mixed attribute values from Azure AD for the consumer created in step one. The third step is so as to add the consumer into the group created earlier; member-name signifies the consumer identify created in QuickSight that’s comprised of <IAM Position identify>/<session identify>. See the next code:

aws quicksight register-user 
--aws-account-id <ACCOUNTID> --namespace default 
--identity-type IAM --email <electronic mail registered in Azure AD> 
--user-role READER --iam-arn arn:aws:iam::<ACCOUNTID>:function/qs-reader-azure 
--session-name <electronic mail registered in Azure AD>

 aws quicksight create-group 
--aws-account-id <ACCOUNTID> --namespace default 
--group-name Advertising-Specialist

 aws quicksight create-group-membership 
--aws-account-id <ACCOUNTID> --namespace default 
--member-name qs-reader-azure/<electronic mail registered in Azure AD> 
–-group-name Advertising-Specialist

At this level, the end-to-end configuration of Azure AD, IAM Id Middle, IAM, and QuickSight is full.

Confirm the configuration by logging in to QuickSight from the IAM Id Middle portal

Now you’re able to log in to QuickSight utilizing the IdP-initiated SSO circulation:

1. Open a brand new non-public window in your browser.
2. Log in to the IAM Id Middle portal (https://d-xxxxxxxxxx.awsapps.com/begin).

You’re redirected to the Azure AD login immediate.

3. Enter your Azure AD credentials.

You’re redirected again to the IAM Id Middle portal.

4. Within the IAM Id Middle portal, select Amazon QuickSight.

You’re routinely redirected to your QuickSight house.

Half II: Automate group membership change upon SCIM occasions

On this part, we configure the replace circulation.

Perceive the SCIM occasion and occasion sample for EventBridge

When an Azure AD administrator makes any adjustments to the attributes on the actual consumer profile, the change will probably be synced with the consumer profile in IAM Id Middle by way of SCIM protocol, and the exercise is recorded in an AWS CloudTrail occasion known as UpdateUser by sso-directory.amazonaws.com (IAM Id Middle) because the occasion supply. Equally, the CreateUser occasion is recorded when a consumer is created on Azure AD, and the DisableUser occasion is for when a consumer is disabled.

The next screenshot on the  Occasion historical past web page exhibits two CreateUser occasions: one is recorded by IAM Id Middle, and the opposite one is by QuickSight. On this submit, we use the one from IAM Id Middle.

To ensure that EventBridge to have the ability to deal with the circulation correctly, every occasion should specify the fields of an occasion that you really want the occasion sample to match. The next occasion sample is an instance of the UpdateUser occasion generated in IAM Id Middle upon SCIM synchronization:

{
  "supply": ["aws.sso-directory"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "element": {
    "eventSource": ["sso-directory.amazonaws.com"],
    "eventName": ["UpdateUser"]
  }
}

On this submit, we show an computerized replace of group membership in QuickSight that’s triggered by the UpdateUser SCIM occasion.

Create attribute mapping for the group identify

To ensure that the Lambda operate to handle group membership in QuickSight, it should get hold of the 2 consumer attributes (division and jobTitle). To make the method less complicated, we’re combining two attributes in Azure AD (division, jobTitle) into one attribute in IAM Id Middle (title), utilizing the attribute mappings characteristic in Azure AD. IAM Id Middle then makes use of the title attribute as a delegated group identify for this consumer.

1. Log in to the Azure AD console, navigate to Enterprise Purposes, IIC-QuickSight, and Provisioning.
2. Select Edit attribute mappings.
3. Beneath Mappings, select Provision Azure Energetic Listing Customers.
   
4. Select jobTitle from the listing of Azure Energetic Listing Attributes.
5. Change the next settings:
   1. Mapping Sort – Expression
   2. Expression – Be part of("-", [department], [jobTitle])
   3. Goal attribute – title
      
6. Select Save.
7. You possibly can go away the provisioning web page.

The attribute is routinely up to date in IAM Id Middle. The up to date consumer profile seems to be like the next screenshots (Azure AD on the left, IAM Id Middle on the precise).

Create a Lambda operate

Now we create a Lambda operate to replace QuickSight group membership upon the SCIM occasion. The core a part of the operate is to acquire the consumer’s title attribute worth in IAM Id Middle based mostly on the triggered occasion info, after which to make sure that the consumer exists in QuickSight. If the group identify doesn’t exist but, it creates the group in QuickSight after which provides the consumer into the group. Full the next steps:

1. On the Lambda console, select Create operate.
2. For Identify, enter UpdateQuickSightUserUponSCIMEvent.
3. For Runtime, select Python 3.9.
4. For Time Out, set to fifteen seconds.
5. For Permissions, create and connect an IAM function that features the next permissions (the trusted entity (principal) must be lambda.amazonaws.com):

   {
       "Model": "2012-10-17",
       "Assertion": [
           {
               "Sid": "MinimalPrivForScimQsBlog",
               "Effect": "Allow",
               "Action": [
                   "identitystore:DescribeUser",
                   "quicksight:RegisterUser",
                   "quicksight:DescribeUser",
                   "quicksight:CreateGroup",
                   "quicksight:DeleteGroup",
                   "quicksight:DescribeGroup",
                   "quicksight:ListUserGroups",
                   "quicksight:CreateGroupMembership",
                   "quicksight:DeleteGroupMembership",
                   "quicksight:DescribeGroupMembership",
                   "logs:CreateLogGroup",
                   "logs:CreateLogStream",
                   "logs:PutLogEvents"
               ],
               "Useful resource": "*"
           }
       ]
   }

6. Write Python code utilizing the Boto3 SDK for IdentityStore and QuickSight. The next is your complete pattern Python code:

import sys
import boto3
import json
import logging
from time import strftime
from datetime import datetime

# Set logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(occasion, context):
  '''
  Modify QuickSight group membership upon SCIM occasion from IAM Id Middle originated from Azure AD.
  It really works on this method:
    Azure AD -> SCIM -> Id Middle -> CloudTrail -> EventBridge -> Lambda -> QuickSight
  Be aware that this can be a simple pattern to indicate learn how to replace QuickSight group membership upon sure SCIM occasion.
  For instance, it assumes that 1:1 user-to-group assigmnent, just one (mixed) SAML attribute, and so forth. 
  For manufacturing, take buyer necessities into consideration and develop your personal code.
  '''

  # Setting variables (hard-coded. get dynamically for manufacturing code)
  qs_namespace_name="default"
  qs_iam_role="qs-reader-azure"

  # Acquire account ID and area
  account_id = boto3.consumer('sts').get_caller_identity()['Account']
  area = boto3.session.Session().region_name

  # Setup purchasers
  qs = boto3.consumer('quicksight')
  iic = boto3.consumer('identitystore')

  # Verify boto3 model
  logger.debug(f"## Your boto3 model: {boto3.__version__}")

  # Get consumer data from occasion knowledge
  event_json = json.dumps(occasion)
  logger.debug(f"## Occasion: {event_json}")
  iic_store_id = occasion['detail']['requestParameters']['identityStoreId']
  iic_user_id = occasion['detail']['requestParameters']['userId']  # For UpdateUser occasion, userId is supplied by way of requestParameters
  logger.data("## Getting consumer data from Id Retailer.")
  strive:
    res_iic_describe_user = iic.describe_user(
      IdentityStoreId = iic_store_id,
      UserId = iic_user_id
    )
  besides Exception as e:
    logger.error("## Operation failed resulting from unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    logger.data(f"## Consumer data retrieval succeeded.")
    azure_user_attribute_title = res_iic_describe_user['Title']
    azure_user_attribute_userprincipalname = res_iic_describe_user['UserName']
    qs_user_name = qs_iam_role + "/" + azure_user_attribute_userprincipalname
    logger.data(f"#### Id Middle consumer identify: {azure_user_attribute_userprincipalname}")
    logger.data(f"#### QuickSight group identify desired: {azure_user_attribute_title}")
    logger.debug(f"#### res_iic_describe_user: {json.dumps(res_iic_describe_user)}, which is {sort(res_iic_describe_user)}")

  # Exit if consumer is just not current since this operate is meant to be known as by UpdateUser occasion
  strive:
    # Get QuickSight consumer identify
    res_qs_describe_user = qs.describe_user(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  besides qs.exceptions.ResourceNotFoundException as e:
    logger.error(f"## Consumer {qs_user_name} is just not present in QuickSight.")
    logger.error(f"## Be certain the QuickSight consumer has been created prematurely. Exiting.")
    logger.error(e)
    sys.exit()
  besides Exception as e:
    logger.error("## Operation failed resulting from unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    logger.data(f"## Consumer {qs_user_name} is present in QuickSight.")

  # Take away present membership until it is the specified one
  qs_new_group = azure_user_attribute_title  # Set "Title" SAML attribute as the specified QuickSight group identify
  in_desired_group = False  # Set this flag True when the consumer is already a member of the specified group
  logger.data(f"## Beginning group membership removing.")
  strive:
    res_qs_list_user_groups = qs.list_user_groups(
      UserName = qs_user_name,
      AwsAccountId = account_id,
      Namespace = qs_namespace_name
    )
  besides Exception as e:
    logger.error("## Operation failed resulting from unknown error. Exiting.")
    logger.error(e)
    sys.exit()
  else:
    # Skip if the array is empty (consumer is just not member of any teams)
    if not res_qs_list_user_groups['GroupList']:
      logger.data(f"## Consumer {qs_user_name} is just not a member of any QuickSight group. Skipping removing.")
    else:
      for grp in res_qs_list_user_groups['GroupList']:
        qs_current_group = grp['GroupName']
        # Retain membership if the brand new and present group names match
        if qs_current_group == qs_new_group:
          logger.data(f"## The consumer {qs_user_name} already belong to the specified group. Skipping removing.")
          in_desired_group = True
        else:
          # Take away all pointless memberships
          logger.data(f"## Eradicating consumer {qs_user_name} from present group {qs_current_group}.")
          strive:
            res_qs_delete_group_membership = qs.delete_group_membership(
              MemberName = qs_user_name,
              GroupName = qs_current_group,
              AwsAccountId = account_id,
              Namespace = qs_namespace_name
            )
          besides Exception as e:
            logger.error(f"## Operation failed resulting from unknown error. Exiting.")
            logger.error(e)
            sys.exit()
          else:
            logger.data(f"## The consumer {qs_user_name} has faraway from {qs_current_group}.")

  # Create group membership based mostly on IIC attribute "Title"
  logger.data(f"## Beginning group membership project.")
  if in_desired_group is True:
      logger.data(f"## The consumer already belongs to the specified one. Skipping project.")
  else:
    strive:
      logger.data(f"## Checking if the specified group exists.")
      res_qs_describe_group = qs.describe_group(
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    besides qs.exceptions.ResourceNotFoundException as e:
      # Create a QuickSight group if not current
      logger.data(f"## Group {qs_new_group} is just not current. Creating.")
      immediately = datetime.now()
      res_qs_create_group = qs.create_group(
        GroupName = qs_new_group,
        Description = 'Routinely created at ' + immediately.strftime('%Y.%m.%d %H:%M:%S'),
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
      )
    besides Exception as e:
      logger.error(f"## Operation failed resulting from unknown error. Exiting.")
      logger.error(e)
      sys.exit()
    else:
      logger.data(f"## Group {qs_new_group} is present in QuickSight.")

    # Add the consumer to the specified group
    logger.data("## Modifying group membership based mostly on its newest attributes.")
    logger.data(f"#### QuickSight consumer identify: {qs_user_name}")
    logger.data(f"#### QuickSight group identify: {qs_new_group}")
    strive: 
      res_qs_create_group_membership = qs.create_group_membership(
        MemberName = qs_user_name,
        GroupName = qs_new_group,
        AwsAccountId = account_id,
        Namespace = qs_namespace_name
    )
    besides Exception as e:
      logger.error("## Operation failed resulting from unknown error. Exiting.")
      logger.error(e)
    else:
      logger.data("## Group membership modification succeeded.")
      qs_group_member_name = res_qs_create_group_membership['GroupMember']['MemberName']
      qs_group_member_arn = res_qs_create_group_membership['GroupMember']['Arn']
      logger.debug("## QuickSight group data:")
      logger.debug(f"#### qs_user_name: {qs_user_name}")
      logger.debug(f"#### qs_group_name: {qs_new_group}")
      logger.debug(f"#### qs_group_member_name: {qs_group_member_name}")
      logger.debug(f"#### qs_group_member_arn: {qs_group_member_arn}")
      logger.debug("## IIC data:")
      logger.debug(f"#### IIC consumer identify: {azure_user_attribute_userprincipalname}")
      logger.debug(f"#### IIC consumer id: {iic_user_id}")
      logger.debug(f"#### Title: {azure_user_attribute_title}")
      logger.data(f"## Consumer {qs_user_name} has been efficiently added to the group {qs_new_group} in {qs_namespace_name} namespace.")
  
  # return response
  return {
    "namespaceName": qs_namespace_name,
    "userName": qs_user_name,
    "groupName": qs_new_group
  }

Be aware that this Lambda operate requires Boto3 1.24.64 or later. If the Boto3 included within the Lambda runtime is older than this, use a Lambda layer to make use of the most recent model of Boto3. For extra particulars, confer with How do I resolve “unknown service”, “parameter validation failed”, and “object has no attribute” errors from a Python (Boto 3) Lambda operate.

Add an EventBridge rule to set off the occasion

To create an EventBridge rule to invoke the beforehand created Lambda operate, full the next steps:

1. On the EventBridge console, create a brand new rule.
2. For Identify, enter updateQuickSightUponSCIMEvent.
3. For Occasion sample, enter the next code:

   {
     "supply": ["aws.sso-directory"],
     "detail-type": ["AWS API Call via CloudTrail"],
     "element": {
       "eventSource": ["sso-directory.amazonaws.com"],
       "eventName": ["UpdateUser"]
     }
   }

4. For Targets, select the Lambda operate you created (UpdateQuickSightUserUponSCIMEvent).
5. Allow the rule.

Confirm the configuration by altering a consumer attribute worth at Azure AD

Let’s modify a consumer’s attribute at Azure AD, after which examine if the brand new group is created and that the consumer is added into the brand new one.

1. Return to the Azure AD console.
2. From Handle, click on Customers.
3. Select one of many customers you beforehand used to log in to QuickSight from the IAM Id Middle portal.
4. Select Edit properties, then edit the values for Job title and Division.
   
5. Save the configuration.
6. From Handle, select Enterprise software, your software identify, and Provisioning.
7. Select Cease provisioning after which Begin provisioning in sequence.

In Azure AD, the SCIM provisioning interval is fastened to 40 minutes. To get rapid outcomes, we manually cease and begin the provisioning.

8. Navigate to the QuickSight console.
9. On the drop-down consumer identify menu, select Handle QuickSight.
10. Select Handle teams.

Now you need to discover that the brand new group is created and the consumer is assigned to this group.

Clear up

Once you’re completed with the answer, clear up your atmosphere to attenuate value influence. You could need to delete the next assets:

• Lambda operate
• Lambda layer
• IAM function for the Lambda operate
• CloudWatch log group for the Lambda operate
• EventBridge rule
• QuickSight account
  • Be aware : There can solely be one QuickSight account per AWS account. So your QuickSight account may already be utilized by different customers in your group. Delete the QuickSight account provided that you explicitly set it as much as comply with this weblog and are completely certain that it isn’t being utilized by another customers.
• IAM Id Middle occasion
• IAM ID Supplier configuration for Azure AD
• Azure AD occasion

Abstract

This submit supplied step-by-step directions to configure IAM Id Middle SCIM provisioning and SAML 2.0 federation from Azure AD for centralized administration of QuickSight customers. We additionally demonstrated automated group membership updates in QuickSight based mostly on consumer attributes in Azure AD, through the use of SCIM occasions generated in IAM Id Middle and organising automation with EventBridge and Lambda.

With this event-driven method to provision customers and teams in QuickSight, system directors can have full flexibility in the place the varied other ways of consumer administration could possibly be anticipated relying on the group. It additionally ensures the consistency of customers and teams between QuickSight and Azure AD every time a consumer accesses QuickSight.

We’re trying ahead to listening to any questions or suggestions.

Concerning the authors

Takeshi Nakatani is a Principal Bigdata Marketing consultant on Skilled Companies group in Tokyo. He has 25 years of expertise in IT business, expertised in architecting knowledge infrastructure. On his days off, he could be a rock drummer or a motorcyclyst.

Wakana Vilquin-Sakashita is Specialist Resolution Architect for Amazon QuickSight. She works carefully with clients to assist making sense of the info by way of visualization. Beforehand Wakana labored for S&P World  helping clients to entry knowledge, insights and researches related for his or her enterprise.