OIDC/SAML based SSO providers can be mapped into IAM as an Identity Provider. A web identity/SAML role should be set up to work with this Identity Provider. In this workshop, we will use a Cognito user pool as an OIDC Identity Provider.
If the user is not signed in, redirect to the SSO authentication portal with the redirect URL set to the current portal page. Once the user is authenticated, SSO redirects back to your portal with an OpenID token (OIDC implicit flow).
Make the API Gateway call, passing the OpenID token. API Gateway invokes the Lambda function, and the code therein can assume the role using the token.
We use the STS AssumeRoleWithWebIdentity call only to validate the token. We are not going to use the returned credentials.
If desired, the token can be validated locally without making the STS call. If this is of interest, continue with the workshop as laid out and then check the comments in the Lambda code; instructions for enabling the alternate flow are provided there.
If the token/assertion string is valid, the Lambda function is able to assume the role.
Once token validity is verified, make parallel calls to API Gateway to get the dashboard list and the embed URLs (for both the dashboard and the session). If the user doesn't exist, exception processing registers the user and adds the user to a QuickSight reader group. API Gateway returns the list of dashboards the user can access and the embed URLs.
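The server-side part of the flow above (token arrives at API Gateway, Lambda validates it with STS and discards the credentials, only then serves dashboard data), as an added example that is not the workshop's own Lambda code. The role ARN is a placeholder, and FakeSts is a constructed stand-in for boto3's STS client so the block runs offline; inside Lambda the real boto3 client is created.

```python
import json

# Placeholder ARN for the web identity role mapped to the Cognito OIDC provider (replace in practice).
ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-EmbedRole"


def extract_bearer_token(event):
    """Pull the OpenID token out of the Authorization header of an API Gateway proxy event."""
    headers = event.get("headers") or {}
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = auth.partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def token_accepted_by_sts(sts, token):
    """Ask STS to assume the web identity role with the token; True means IAM accepted it.
    The returned credentials are deliberately discarded: the call is only a signature,
    issuer, audience and expiry check delegated to IAM."""
    try:
        sts.assume_role_with_web_identity(
            RoleArn=ROLE_ARN, RoleSessionName="embed-portal-validation", WebIdentityToken=token
        )
    except Exception:  # any STS error (expired, tampered, wrong audience) fails closed
        return False
    return True


def lambda_handler(event, context, sts=None, list_dashboards=None):
    """API Gateway entry point; `sts` and `list_dashboards` are injectable for offline tests."""
    if sts is None:
        import boto3  # real STS client only when running inside Lambda
        sts = boto3.client("sts")
    token = extract_bearer_token(event)
    if token is None or not token_accepted_by_sts(sts, token):
        return {"statusCode": 401, "body": json.dumps({"error": "invalid or missing token"})}
    dashboards = list_dashboards(token) if list_dashboards else []
    return {"statusCode": 200, "body": json.dumps({"dashboards": dashboards})}


class FakeSts:
    """Constructed stand-in for boto3's STS client: accepts exactly one known-good token."""
    def __init__(self, valid_token):
        self.valid_token = valid_token

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName, WebIdentityToken):
        if WebIdentityToken != self.valid_token:
            raise RuntimeError("InvalidIdentityToken: rejected by fake STS")
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED"}}
```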
These divs are hidden initially. Once the user selects a dashboard from the drop-down, the NavigateToDashboard function loads the selected dashboard in the same iframe (no need to generate another embed URL) and the div is made visible. Alternate options are detailed in code comments. Likewise, when the user clicks on the embedded session view in the top banner, the div with the embedded QuickSight session is made visible.