AD FS
This tutorial shows you how you can use AD FS as an identity provider (IdP) to access your Amazon Redshift cluster.
Step 1: Set up AD FS and your Amazon account to trust each other
The following procedure describes how to set up a trust relationship.
- Create or use an existing Amazon Redshift cluster for your AD FS users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
- Set up AD FS to control Amazon Redshift access on the Microsoft Management Console:
  - Choose ADFS 2.0, and then choose Add Relying Party Trust. On the Add Relying Party Trust Wizard page, choose Start.
  - On the Select Data Source page, choose Import data about the relying party published online or on a local network.
  - For Federation metadata address (host name or URL), enter https://signin.aws.amazon.com/saml-metadata.xml. The metadata XML file is a standard SAML metadata document that describes Amazon as a relying party.
  - On the Specify Display Name page, enter a value for Display name.
  - On the Choose Issuance Authorization Rules page, choose an issuance authorization rule to either permit or deny all users access to this relying party.
  - On the Ready to Add Trust page, review your settings.
  - On the Finish page, choose Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.
  - On the context (right-click) menu, choose Relying Party Trusts.
  - For your relying party, open the context (right-click) menu and choose Edit Claim Rules. On the Edit Claim Rules page, choose Add Rule.
  - For Claim rule template, choose Transform an Incoming Claim, and then on the Edit Rule – NameId page, do the following:
    - For Claim rule name, enter NameId.
    - For Incoming claim name, choose Windows Account Name.
    - For Outgoing claim name, choose Name ID.
    - For Outgoing name ID format, choose Persistent Identifier.
    - Choose Pass through all claim values.
  - On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send LDAP Attributes as Claims.
  - On the Configure Rule page, do the following:
    - For Claim rule name, enter RoleSessionName.
    - For Attribute store, choose Active Directory.
    - For LDAP Attribute, choose Email Addresses.
    - For Outgoing Claim Type, choose https://aws.amazon.com/SAML/Attributes/RoleSessionName.
  - On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send Claims Using a Custom Rule.
  - On the Edit Rule – Get AD Groups page, for Claim rule name, enter Get AD Groups.
  - For Custom rule, enter the following. This rule looks up the user's Active Directory group memberships (tokenGroups) and stores them in a temporary claim of type http://temp/variable for the next rule to consume.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
  - On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send Claims Using a Custom Rule.
  - On the Edit Rule – Roles page, for Claim rule name, enter Roles.
  - For Custom rule, enter the following. This rule keeps only the AD groups whose names begin with AWS- (matched case-insensitively) and rewrites each one into the Role claim value that AWS expects: the SAML provider ARN and the role ARN, separated by a comma.
    c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-"));
    Note the ARNs of the SAML provider and role to assume. In this example, arn:aws:iam::123456789012:saml-provider/ADFS is the ARN of the SAML provider and arn:aws:iam::123456789012:role/ADFS- is the prefix of the role ARN; the part of the group name after AWS- completes it.
- Make sure that you have downloaded the federationmetadata.xml file. Check that the document contents do not have invalid characters. This is the metadata file you use when configuring the trust relationship with Amazon.
- Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federationmetadata.xml file that you downloaded in the previous step. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
- Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
- Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide. For an Azure AD example, see Setting up JDBC or ODBC single sign-on authentication.
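The two custom claim rules above turn a user's AD group memberships into the Role claim that AWS consumes. The following Python is an added example, not code from the AWS documentation: it simulates that mapping for a constructed group list, builds a sample assertion carrying the NameId, RoleSessionName and Role claims configured in the steps above, and parses it back the way a relying party would, rejecting any Role value whose provider or role ARN does not match the configured account. The account ID is the one used in the page's rule; the group names, user name and e-mail address are constructed.

```python
import re
import xml.etree.ElementTree as ET

ACCOUNT = "123456789012"  # account id from the page's Roles rule
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/ADFS"
ROLE_PREFIX = f"arn:aws:iam::{ACCOUNT}:role/ADFS-"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

def q(tag):
    """Clark-notation tag in the SAML assertion namespace."""
    return f"{{{SAML}}}{tag}"

def role_claims(token_groups):
    """Mirror the Roles rule: keep groups that start with AWS- (case-insensitive)
    and rewrite the prefix into the 'provider-arn,role-arn' pair AWS expects."""
    return [f"{PROVIDER_ARN},{ROLE_PREFIX}{g[len('AWS-'):]}"
            for g in token_groups if re.match(r"(?i)^AWS-", g)]

def build_assertion(name_id, email, token_groups):
    """Constructed sample assertion (not a real AD FS response) carrying the
    NameId, RoleSessionName and Role claims configured in the steps above."""
    assertion = ET.Element(q("Assertion"))
    subject = ET.SubElement(assertion, q("Subject"))
    ET.SubElement(subject, q("NameID"),
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").text = name_id
    stmt = ET.SubElement(assertion, q("AttributeStatement"))
    for name, values in ((SESSION_ATTR, [email]), (ROLE_ATTR, role_claims(token_groups))):
        attr = ET.SubElement(stmt, q("Attribute"), Name=name)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(assertion, encoding="unicode")

def parse_assertion(xml_text):
    """Read the claims as the relying party sees them and check that every Role
    value pairs the expected SAML provider with a role in the same account."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        provider, _, role = value.partition(",")
        if provider != PROVIDER_ARN or not role.startswith(ROLE_PREFIX):
            raise ValueError(f"unexpected Role claim: {value!r}")
        roles.append(role)
    return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "session_name": attrs.get(SESSION_ATTR, [None])[0], "roles": roles}
```

A group that does not carry the AWS- prefix never reaches the Role claim, so membership in such groups grants no AWS role even though the Get AD Groups rule retrieves all of them.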