Learn About Amazon VGT2 Learning Manager Chanci Turner
In April 2025, this post was reviewed for accuracy. Amazon QuickSight is now fully integrated with AWS IAM Identity Center, so administrators can let users sign in with their existing workforce credentials. QuickSight is a scalable, serverless, machine learning (ML) enhanced business intelligence (BI) service that simplifies connecting to data, building dashboards, and sharing insights and visuals with a large internal or external audience.
AWS IAM Identity Center provides a secure way to create or connect workforce identities and manage their access across AWS accounts and applications. AWS recommends it for workforce authentication and authorization for organizations of all sizes. With IAM Identity Center, you can create user identities in AWS or connect an existing identity source such as Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, or Azure Active Directory (Azure AD).
With this integration, administrators can set up a QuickSight account on IAM Identity Center and bind it directly to their identity provider (IdP) or to the IAM Identity Center identity store, with no separate single sign-on configuration in QuickSight. Using groups from the connected identity source, administrators assign the QuickSight roles (administrator, author, and reader), and users then sign in to QuickSight from the AWS access portal or from the QuickSight sign-in page.
In this article, we will demonstrate how to simplify BI identity management using QuickSight and IAM Identity Center.
Use Case Overview
Amazon IXD – VGT2 is a fictional healthcare organization that runs applications for hospitals nationwide. Thousands of healthcare professionals use its application portal, so controlling user access is essential for both business and compliance reasons. The organization has already connected Okta to IAM Identity Center, which handles identity and access management for every application enabled in IAM Identity Center. This guide walks through the steps Amazon IXD – VGT2 follows to sign up for QuickSight using IAM Identity Center.
Solution Overview
When an external identity provider such as Okta is connected, a QuickSight account subscribed through IAM Identity Center supports three sign-in flows:
- QuickSight Service Provider (SP) initiated sign-in: the user opens the QuickSight application URL and is redirected to the IdP sign-in page. After successful authentication, they are returned to QuickSight.
- AWS access portal SP initiated sign-in: the user opens the AWS access portal URL and is redirected to the configured IdP sign-in page. After signing in, they select the QuickSight application tile and are taken to QuickSight.
- External IdP initiated sign-in: the user signs in to the application portal hosted by the IdP and selects the IAM Identity Center AWS access portal tile, which lists the enabled applications, including QuickSight. Choosing the QuickSight tile redirects them to the application.
Prerequisites
To follow this walkthrough, ensure you have:
- An organization with IAM Identity Center set up.
- Okta configured as the external IdP in IAM Identity Center; refer to the Okta documentation for setup instructions.
- An AWS account for QuickSight in the same organization as the IAM Identity Center instance, not currently subscribed to QuickSight.
- An administrator with IAM permissions covering both QuickSight subscription and IAM Identity Center application management. Full IAM administrator access works, but prefer a narrower policy that grants only those actions; see IAM policy examples for Amazon QuickSight for details.
Subscribe to QuickSight with IAM Identity Center
To subscribe to QuickSight, follow these steps:
- Sign in to your AWS account and open QuickSight from the AWS Management Console, located under Analytics.
- Click on Sign up for QuickSight.
- Provide a notification email address for the QuickSight account owner or group which will receive service notifications.
- Select the identity option to subscribe with; for this instance, choose Use AWS IAM Identity Center.
- Enter an account name and click Configure.
- Assign IAM Identity Center groups to the QuickSight roles (admin, author, reader); membership in an assigned group is what grants a user access to the application. If you use an external IdP, confirm that the groups have been assigned to the IAM Identity Center application; a group that does not appear in QuickSight has usually not been assigned yet. Dedicated role groups such as QuickSightAdmins, QuickSightAuthors, and QuickSightReaders keep the mapping simple, and in Okta you can use user attributes to automate group membership.
- Search for an IAM Identity Center group for each QuickSight role. You can add more groups later from the Manage Users page in the QuickSight admin console.
- Select an IAM role to manage QuickSight access to AWS resources.
- Optionally choose the Pixel-Perfect Reports add-on.
- Review your selections and click Finish.
- Finally, click Go to Amazon QuickSight.
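The sign-up steps above, scripted as an added example (this is not code from the original post or from AWS). It builds the same CreateAccountSubscription request the console submits, refuses a group that is mapped to more than one QuickSight role, and checks the resulting subscription with DescribeAccountSubscription. The account ID, account name, notification address, Identity Center instance ARN and group names are placeholders; that IAM Identity Center requires an Enterprise edition, and that the returned AuthenticationType echoes the AuthenticationMethod sent, are assumptions to confirm against the QuickSight documentation.

```python
"""Subscribe an AWS account to Amazon QuickSight with IAM Identity Center
authentication from a script instead of the console.

Added example for this walkthrough, not code from the original post. The
account ID, account name, notification address, Identity Center instance
ARN and group names are placeholders; the edition rule is an assumption.
"""
import re
from typing import Dict, List

# Assumption: QuickSight allows IAM Identity Center only on Enterprise editions.
ALLOWED_EDITIONS = {"ENTERPRISE", "ENTERPRISE_AND_Q"}
# IAM Identity Center instance ARNs look like arn:aws:sso:::instance/ssoins-<hex>.
INSTANCE_ARN_RE = re.compile(r"^arn:aws:sso:::instance/ssoins-[0-9a-f]+$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def build_subscription_request(aws_account_id: str, account_name: str,
                               notification_email: str, instance_arn: str,
                               admin_groups: List[str], author_groups: List[str],
                               reader_groups: List[str],
                               edition: str = "ENTERPRISE") -> Dict[str, object]:
    """Validate the inputs and return the keyword arguments for
    boto3 quicksight.create_account_subscription (the same fields the
    console collects during sign-up)."""
    if not ACCOUNT_ID_RE.match(aws_account_id):
        raise ValueError("aws_account_id must be a 12-digit AWS account ID")
    if edition not in ALLOWED_EDITIONS:
        raise ValueError(f"edition {edition!r} cannot use IAM Identity Center")
    if not INSTANCE_ARN_RE.match(instance_arn):
        raise ValueError("instance_arn is not an IAM Identity Center instance ARN")
    if "@" not in notification_email:
        raise ValueError("notification_email must be an e-mail address")
    roles = {"AdminGroup": admin_groups, "AuthorGroup": author_groups,
             "ReaderGroup": reader_groups}
    for role, groups in roles.items():
        if not groups:
            raise ValueError(f"{role} needs at least one Identity Center group")
    # A group mapped to two roles is ambiguous; this example refuses it so that
    # membership in one group yields exactly one QuickSight role.
    seen: Dict[str, str] = {}
    for role, groups in roles.items():
        for group in groups:
            if group in seen:
                raise ValueError(
                    f"group {group!r} is mapped to both {seen[group]} and {role}")
            seen[group] = role
    return {
        "AwsAccountId": aws_account_id,
        "AccountName": account_name,
        "NotificationEmail": notification_email,
        "Edition": edition,
        "AuthenticationMethod": "IAM_IDENTITY_CENTER",
        "IAMIdentityCenterInstanceArn": instance_arn,
        **roles,
    }


def check_account_info(account_info: Dict[str, object]) -> List[str]:
    """Return the problems found in the AccountInfo element of a
    quicksight.describe_account_subscription response; an empty list means
    the subscription exists and is bound to IAM Identity Center."""
    problems: List[str] = []
    status = account_info.get("AccountSubscriptionStatus")
    if status != "ACCOUNT_CREATED":
        problems.append(f"subscription status is {status!r}")
    # Assumption: AuthenticationType echoes the AuthenticationMethod used at sign-up.
    auth = account_info.get("AuthenticationType")
    if auth != "IAM_IDENTITY_CENTER":
        problems.append(f"authentication type is {auth!r}")
    if not account_info.get("IAMIdentityCenterInstanceArn"):
        problems.append("no IAM Identity Center instance ARN recorded")
    return problems


def subscribe_and_verify(params: Dict[str, object], region: str = "us-east-1") -> List[str]:
    """Create the subscription, then report what check_account_info finds.
    Needs AWS credentials with QuickSight and IAM Identity Center permissions."""
    import boto3  # imported here so the validation above runs offline
    qs = boto3.client("quicksight", region_name=region)
    qs.create_account_subscription(**params)
    info = qs.describe_account_subscription(
        AwsAccountId=params["AwsAccountId"])["AccountInfo"]
    return check_account_info(info)


if __name__ == "__main__":
    request = build_subscription_request(
        aws_account_id="123456789012",                       # placeholder
        account_name="ixd-vgt2-bi",                          # placeholder
        notification_email="quicksight-admins@example.com",  # placeholder
        instance_arn="arn:aws:sso:::instance/ssoins-0123456789abcdef",  # placeholder
        admin_groups=["QuickSightAdmins"],
        author_groups=["QuickSightAuthors"],
        reader_groups=["QuickSightReaders"],
    )
    for problem in subscribe_and_verify(request):
        print("subscription check failed:", problem)
```

Subscription creation can take a moment to complete, so if the status check reports a pending state right after the call, poll describe_account_subscription before treating it as a failure. Keeping the role mapping in a script like this also gives you a reviewable record of which Identity Center groups carry the admin role, which is the mapping worth auditing most closely.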
Validate User Sign-in to QuickSight
You can now verify that users assigned to one of the QuickSight role groups can sign in through both the IdP-initiated and the SP-initiated flows.
Test IdP Initiated Flow
To test the IdP-initiated flow:
- Open the Okta sign-in page and log in as a user who belongs to a group assigned to one of the QuickSight roles.
- After signing in, the AWS IAM Identity Center application tile appears on the user's Okta dashboard.
- Select the AWS IAM Identity Center application tile.
This post highlights the importance of efficient identity management in business intelligence.