Azure
You can use Microsoft Azure AD as an identity provider (IdP) to access your Amazon Redshift cluster. This tutorial shows you how to configure Azure AD as the IdP for your cluster.
To learn how to federate Amazon Redshift access with Microsoft Azure AD single sign-on, watch the following video.
Step 1: Set up Azure and your Amazon account to trust each other
The following procedure describes how to set up a trust relationship.
To set up Azure AD and your Amazon account to trust each other
-
Create or use an existing Amazon Redshift cluster for your Azure AD users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
-
On the Microsoft Azure portal, set up an Azure Active Directory together with the groups and users that will be used for Amazon.
-
Add Amazon Redshift as an enterprise application on the Microsoft Azure portal to use for single sign-on to the Amazon Console and federated login to Amazon Redshift. Choose Enterprise application.
-
Choose +New application. The Add an application page appears.
-
Search for AWS in the search field.
-
Choose Amazon Web Services (Amazon) and choose Add. This creates the Amazon application.
-
Under Manage, choose Single sign-on.
-
Choose SAML. The Amazon Web Services (Amazon) | SAML-based Sign-on page appears.
-
Choose Yes to proceed to the Set up Single Sign-On with SAML page. This page shows the list of pre-configured single sign-on related attributes.
-
For Basic SAML Configuration, choose the edit icon and choose Save.
-
When you are configuring for more than one application, provide an identifier value. For example, enter https://signin.aws.amazon.com/saml#2. Note that from the second application onwards, use this format with a # sign to specify a unique SPN value.
-
In the User Attributes and Claims section, choose the edit icon.
By default, the Unique User Identifier (UID), Role, RoleSessionName, and SessionDuration claims are pre-configured.
-
Choose + Add new claim to add a claim for database users.
For Name, enter DbUser. For Namespace, enter https://redshift.amazon.com/SAML/Attributes. For Source, choose Attribute. For Source attribute, choose user.userprincipalname. Then, choose Save.
-
Choose + Add new claim to add a claim for AutoCreate.
For Name, enter AutoCreate. For Namespace, enter https://redshift.amazon.com/SAML/Attributes. For Source, choose Attribute. For Source attribute, choose "true". Then, choose Save.
The claims should be configured as follows:

Claim name | Value
Unique user identifier (name ID) | user.userprincipalname
https://aws.amazon.com/SAML/Attributes/SessionDuration | "900"
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::123456789012:role/AzureSSO,arn:aws:iam::123456789012:saml-provider/AzureADProvider
https://aws.amazon.com/SAML/Attributes/RoleSessionName | user.userprincipalname
https://redshift.amazon.com/SAML/Attributes/AutoCreate | "true"
https://redshift.amazon.com/SAML/Attributes/DbGroups | user.assignedroles
https://redshift.amazon.com/SAML/Attributes/DbUser | user.userprincipalname

Here, 123456789012 is your Amazon account, AzureSSO is an IAM role you created, and AzureADProvider is the IAM provider.
-
Under App Registration > your-application-name > Authentication, add Mobile And Desktop Application. Specify the URL as http://localhost/redshift/.
-
In the SAML Signing Certificate section, choose Download to download and save the federation metadata XML file for use when you create an IAM SAML identity provider. This file is used to create the single sign-on federated identity.
-
Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Azure Enterprise Application. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
-
Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
-
Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide.
Modify the following policy (in JSON format) for your environment:
Substitute the Amazon Region of your cluster for us-west-1.
Substitute your Amazon account for 123456789012.
Substitute your cluster identifier (or * for all clusters) for cluster-identifier.
Substitute your database (or * for all databases) for dev.
Substitute the unique identifier of your IAM role for AROAJ2UCCR6DPCEXAMPLE.
Substitute your tenant or company email domain for example.com.
Substitute the database group that you plan to assign the user to for my_dbgroup.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:dbname:cluster-identifier/dev",
        "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}",
        "arn:aws:redshift:us-west-1:123456789012:cluster:cluster-identifier"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}"
    },
    {
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbgroup:cluster-identifier/my_dbgroup"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

This policy grants permissions as follows:
The first section grants permission to the GetClusterCredentials API operation to get temporary credentials for the specified cluster. In this example, the resource is cluster-identifier with database dev, in account 123456789012, and in Amazon Region us-west-1. The ${redshift:DbUser} clause allows only users that match the DbUser value specified in Azure AD to connect. The condition clause enforces that only certain users get temporary credentials. These are users under the role specified by the role unique ID AROAJ2UCCR6DPCEXAMPLE in the IAM account identified by an email address in your company's email domain. For more information about unique IDs, see Unique IDs in the IAM User Guide.

Your setup with your IdP (in this case, Azure AD) determines how the condition clause is written. If your employee's email is johndoe@example.com, first set ${redshift:DbUser} to the super field that matches the employee's user name johndoe. Then, to make this condition work, set the Amazon SAML RoleSessionName field to the super field that matches the employee's email johndoe@example.com. When you take this approach, consider the following:

If you set ${redshift:DbUser} to be the employee's email, then remove the @example.com in the example JSON to match the RoleSessionName.

If you set the RoleSessionId to be just the employee's user name, then remove the @example.com in the example to match the RoleSessionName.

In the example JSON, the ${redshift:DbUser} and RoleSessionName are both set to the employee's email. This example JSON uses the Amazon Redshift database user name with @example.com to sign the user in to access the cluster.

The second section grants permission to create a dbuser name in the specified cluster. In this example JSON, it restricts creation to ${redshift:DbUser}.

The third section grants permission to specify which dbgroup a user can join. In this example JSON, a user can join the my_dbgroup group in the specified cluster.

The fourth section grants permission to actions the user can do on all resources. In this example JSON, it allows users to call redshift:DescribeClusters to get cluster information such as the cluster endpoint, Amazon Region, and port. It also allows users to call iam:ListRoles to check which roles a user can assume.
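As an added example (not code from the Amazon Redshift documentation), the following Python models how IAM evaluates the aws:userid condition above for the three DbUser and RoleSessionName combinations the text describes. The role unique ID and the example.com domain are the page's placeholders; the johndoe claim values are constructed.

```python
# Added example: models IAM's evaluation of the aws:userid StringEquals condition
# from the policy above. Placeholders are the page's; claim values are constructed.

ROLE_UNIQUE_ID = "AROAJ2UCCR6DPCEXAMPLE"  # placeholder role unique ID from the page
EMAIL_DOMAIN = "example.com"              # placeholder tenant domain from the page


def assumed_role_userid(role_unique_id: str, role_session_name: str) -> str:
    """aws:userid for an assumed-role session is '<role unique ID>:<RoleSessionName>'."""
    return f"{role_unique_id}:{role_session_name}"


def condition_value(db_user_includes_domain: bool) -> str:
    """StringEquals value for aws:userid. The page's JSON appends @example.com, which
    is only right when DbUser is the bare user name and RoleSessionName the email."""
    suffix = "" if db_user_includes_domain else f"@{EMAIL_DOMAIN}"
    return f"{ROLE_UNIQUE_ID}:${{redshift:DbUser}}{suffix}"


def expand_policy_variables(value: str, db_user: str) -> str:
    """Substitute ${redshift:DbUser} as IAM does from the DbUser request parameter,
    which the Redshift driver fills from the DbUser SAML claim."""
    return value.replace("${redshift:DbUser}", db_user)


def get_cluster_credentials_allowed(db_user: str, role_session_name: str,
                                    db_user_includes_domain: bool = False) -> bool:
    """True when the aws:userid condition of the first policy statement matches."""
    actual = assumed_role_userid(ROLE_UNIQUE_ID, role_session_name)
    expected = expand_policy_variables(condition_value(db_user_includes_domain), db_user)
    return actual == expected


def check_mapping(db_user: str, role_session_name: str) -> dict:
    """Evaluate one Azure AD claim mapping against both policy variants."""
    return {
        "page_json_allows": get_cluster_credentials_allowed(db_user, role_session_name),
        "without_domain_suffix_allows": get_cluster_credentials_allowed(
            db_user, role_session_name, db_user_includes_domain=True),
    }


if __name__ == "__main__":
    # Constructed claim values for the johndoe example in the text.
    for db_user, session in [("johndoe", "johndoe@example.com"),
                             ("johndoe@example.com", "johndoe@example.com"),
                             ("johndoe", "johndoe")]:
        print(db_user, session, check_mapping(db_user, session))
```

Only the first combination satisfies the page's JSON as written; the other two require dropping the @example.com suffix from the condition, exactly as the two bullets above say.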
Step 2: Set up JDBC or ODBC for authentication to Azure
Troubleshooting
To troubleshoot issues with the Browser Azure AD plugin, consider the following.
-
To use the Browser Azure AD plugin, the reply URL specified in the request must match the reply URL configured for your application. Navigate to the Set up Single Sign-On with SAML page on the Microsoft Azure portal. Then check that the Reply URL is set to http://localhost/redshift/.
-
If you get an IdP tenant error, verify that the IdP Tenant name matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
On Windows, navigate to the Connection Settings section of the Amazon Redshift ODBC DSN Setup page. Then check that the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
On macOS and Linux, find the odbc.ini file. Then check that the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
-
If you get an error that the reply URL specified in the request does not match the reply URLs configured for your application, verify that the Redirect URI is the same as the reply URL.
Navigate to the App registration page of your application on the Microsoft Azure portal. Then check that the Redirect URI matches the reply URL.
-
If you get the unexpected response: unauthorized error, verify that you completed the Mobile and desktop applications configuration.
Navigate to the App registration page of your application on the Microsoft Azure portal. Then navigate to Authentication and check that you configured Mobile and desktop applications to use http://localhost/redshift/ as the redirect URI.