Embedding Workflow

OIDC/SAML-based SSO providers can be registered in IAM as an Identity Provider. A web identity/SAML role should be set up whose trust policy names this Identity Provider (and, for OIDC, the app client ID as the expected audience). In this workshop, we use a Cognito user pool as the OIDC Identity Provider.
The portal page is served to the user from your web server (we will use API Gateway and Lambda to simulate a web server). Once the page loads, JavaScript checks whether the user is signed in to SSO (how this is done varies by SSO provider).
If the user is not signed in, redirect to the SSO authentication portal with the redirect URL set to the current portal page. Once the user is authenticated, SSO redirects back to your portal with an OpenID token in the URL fragment (OIDC implicit flow). Because the token arrives in the URL, the portal should send a random state value on the redirect, reject any callback whose state does not match, and remove the fragment from the address bar and browser history once the token has been read.
Make an API Gateway call, passing the OpenID token. API Gateway invokes a Lambda function, and the code there assumes the web identity role using the token. We use the STS AssumeRoleWithWebIdentity call only to validate the token: STS checks the token's signature, expiry and audience against the registered Identity Provider and the role's trust policy. We are not going to use the returned credentials.

If desired, the token validation can be done locally in the Lambda function without making the STS call. If this is of interest, continue with the workshop as laid out and then check the comments in the Lambda code, which contain instructions for enabling the alternate flow.
If the token/assertion string is valid, the Lambda function is able to assume the role; otherwise the STS call fails and the request is rejected.
Once the token is verified, make parallel calls to API Gateway to get the dashboard list and the embed URLs (for both the dashboard and the session). If the user does not yet exist in QuickSight, exception handling registers the user and adds them to a QuickSight reader group. API Gateway returns the list of dashboards the user can access along with the embed URLs.
Once the API Gateway response is received, JavaScript passes the dashboard embed URL and a div (set up in the portal page) to the embedDashboard function (present in the QuickSight JS library added to the portal page). The same is done for the session embed URL. We do both in the same application to get you familiar with both options; pick the one that works best for your use case. The URLs are loaded into iframes within the identified divs, which load the dashboard and the session from QuickSight.

These divs are hidden initially. Once the user selects a dashboard from the drop-down, the NavigateToDashboard function loads the selected dashboard in the same iframe (no need to generate another embed URL) and the div is made visible. Alternate options are detailed in the code comments. Likewise, when the user clicks the embedded session view in the top banner, the div with the embedded QuickSight session is made visible.