Tutorial: Set up an Identity Provider with your Amazon FinSpace environment
Important
Amazon FinSpace Dataset Browser will be discontinued on March 26, 2025. Starting November 29, 2023, FinSpace will no longer accept the creation of new Dataset Browser environments. Customers using Amazon FinSpace with Managed Kdb Insights
You can integrate any SAML 2.0 compliant IdP when creating a new Amazon FinSpace environment.
Prerequisites
Before creating a FinSpace environment with SAML-based SSO, do the following:
Inside your organization's network, configure your identity store, such as Windows Active Directory, to work with a SAML-based IdP. SAML-based IdPs include Microsoft Windows Active Directory Federation Services, Okta, and so on.
Step 1: Generate a SAML metadata document
Using your IdP, generate a metadata document that describes your organization as an identity provider. You will need the metadata document or the URL to the metadata document when creating the FinSpace environment.
Step 2: Determine the SAML attribute for email
Determine the SAML attribute name that contains the email address in the SAML assertion. The email address is required to identify the user in FinSpace. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Check your IdP documentation for details. You will need the SAML attribute name when creating the FinSpace environment.
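The following is an added example, not part of the AWS documentation and not FinSpace or IdP code, that shows how to confirm which attribute in an assertion actually carries the email address before you enter the attribute name in the environment configuration. It parses a constructed, unsigned sample SAML response (the issuer, subject and values are made up), lists every attribute in the AttributeStatement, and fails clearly when the configured name is absent or the value does not look like a single email address. Signature validation is deliberately out of scope here; this is a configuration check run against a captured assertion, not a service-provider implementation.

```python
"""Check which SAML attribute in an assertion carries the email address."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name used as the example in the tutorial (AD FS style claim URI).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: an unsigned response whose IdP emits the claim-URI name.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: an IdP that uses a short attribute name ("mail") instead.
SAMPLE_RESPONSE_SHORT_NAME = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>analysts</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def list_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name") or ""
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def email_from_assertion(xml_text: str, attribute_name: str = EMAIL_CLAIM) -> str:
    """Return the email carried by `attribute_name`, or raise with a useful message.

    KeyError means the IdP does not emit that attribute name at all (the name you
    would enter for FinSpace is wrong); ValueError means it is present but does not
    hold exactly one email-looking value.
    """
    attrs = list_attributes(xml_text)
    if attribute_name not in attrs:
        raise KeyError(
            f"no attribute named {attribute_name!r}; assertion contains {sorted(attrs)}"
        )
    values = attrs[attribute_name]
    if len(values) != 1 or "@" not in values[0]:
        raise ValueError(f"{attribute_name!r} does not hold a single email: {values}")
    return values[0]


def find_email_attribute_name(xml_text: str) -> Optional[str]:
    """Heuristic discovery: the first single-valued attribute whose value has an '@'."""
    for name, values in list_attributes(xml_text).items():
        if len(values) == 1 and "@" in values[0]:
            return name
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_RESPONSE_SHORT_NAME):
        print("attributes:", sorted(list_attributes(sample)))
        print("email attribute appears to be:", find_email_attribute_name(sample))
```

Run it against a SAML response captured from a test sign-in (for example, the base64-decoded SAMLResponse form field from a browser developer-tools session) and use the name that `find_email_attribute_name` reports, or that `email_from_assertion` accepts without error, as the email attribute in the FinSpace environment settings.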
Step 3: Create a FinSpace environment
Create a FinSpace environment. Once the FinSpace environment is ready, copy and save the Redirect / Sign-in URL and URN from the Summary section of the environment page. You will need these parameters to configure the application in your IdP.
Step 4: Create an application for FinSpace in your IdP
Once the environment is created, add an application for FinSpace in your IdP and use the Redirect / Sign-in URL and URN where appropriate.
Step 5: Assign users to the newly created FinSpace application in your IdP
Once the application is added, assign users to the application in your IdP. At least one user must be assigned so that a superuser can be created in FinSpace.
Step 6: Create a superuser in your FinSpace environment
Note
In order to create a FinSpace environment, you need to be a user with the AdministratorAccess role or the FinSpace policy.
Now that the users are assigned to your FinSpace application in your IdP, create a superuser.
After your FinSpace environment is created, you must create a first superuser, who can then add additional users and configure permission groups from within the FinSpace web application. A superuser has permission to take all actions in FinSpace. The first superuser must be created in the AWS console. After the superuser is created, the superuser signs in to the FinSpace web application for the first time.
To create a superuser
- Sign in to the AWS account in which the FinSpace environment was created and open the Amazon FinSpace console at https://console.aws.amazon.com/finspace. Your AWS account number is displayed for verification purposes.
- Choose Environments and select the FinSpace environment for which a superuser will be created.
- Under Superusers, choose Add Superuser.
- On the Specify Superuser details page, enter the Email address, First name, and Last name.
- Choose Next.
- On the next page, review the superuser details.
- Choose Create and view credentials to get a temporary password.
Note
If you have created an environment with SSO, you will not get a temporary password, because you will be authenticated by your IdP.
- On the View Credentials page, view and copy the superuser security credentials. You also get a welcome message, which you can use to email users instructions for signing in to FinSpace.
Share these credentials with the person designated as the superuser. The credentials are necessary to sign in to your FinSpace web application. The Environment domain is the sign-in URL for your FinSpace web application.
Note
This is the last time these credentials will be available to be copied. However, you can create new credentials at any time.
You have successfully created a FinSpace environment configured with your SAML 2.0 IdP. Learn more about managing users in SSO and permissions.