AWS Big Data Blog
Single sign-on with Amazon Redshift Serverless with Okta using Amazon Redshift Query Editor v2 and third-party SQL clients
June 2023: This post was reviewed and updated to support MFA setup instructions.
Amazon Redshift Serverless makes it easy to run and scale analytics in seconds without the need to set up and manage data warehouse clusters. With Redshift Serverless, users such as data analysts, developers, business professionals, and data scientists can get insights from data by simply loading and querying data in the data warehouse.
Customers use their preferred SQL clients to analyze their data in Redshift Serverless. They want to use an identity provider (IdP) or single sign-on (SSO) credentials to connect to Redshift Serverless to reuse existing using credentials and avoid additional user setup and configuration. When you use AWS Identity and Access Management (IAM) or IdP-based credentials to connect to a serverless data warehouse, Amazon Redshift automatically creates a database user for the end-user. You can simplify managing user privileges by using role-based access control. Admins can use a database-role mapping for SSO with the IAM roles that users are assigned to get their database privileges automatically. With this integration, organizations can simplify user management because they no longer need to create users and map them to database roles manually. You can define the mapped database roles as a principal tag for the IdP groups or IAM role, so Amazon Redshift database roles and users who are members of those IdP groups are granted to the database roles automatically.
In this post, we focus on Okta as the IdP and provide step-by-step guidance to integrate Redshift Serverless with Okta using the Amazon Redshift Query Editor V2 and with SQL clients like SQL Workbench/J. You can use this mechanism with other IdP providers such as Azure Active Directory or Ping with any applications or tools using Amazon’s JDBC/ODBC/Python driver.
Solution overview
The following diagram illustrates the authentication flow of Okta with Redshift Serverless using federated IAM roles and automatic database-role mapping.
The workflow contains the following steps:
- Either the user chooses an IdP app in their browser, or the SQL client initiates a user authentication request to the IdP (Okta).
- Upon a successful authentication, Okta submits a request to the AWS federation endpoint with a SAML assertion containing the PrincipalTags.
- The AWS federation endpoint validates the SAML assertion and invokes the AWS Security Token Service (AWS STS) API AssumeRoleWithSAML. The SAML assertion contains the IdP user and group information that is stored in the RedshiftDbUser and RedshiftDbRoles principal tags, respectively. Temporary IAM credentials are returned to the SQL client or, if using the Query Editor v2, the user’s browser is redirected to the Query Editor v2 console using the temporary IAM credentials.
- The temporary IAM credentials are used by the SQL client or Query Editor v2 to call the Redshift Serverless GetCredentials API. The API uses the principal tags to determine the user and database roles that the user belongs to. An associated database user is created if the user is signing in for the first time and is granted the matching database roles automatically. A temporary password is returned to the SQL client.
- Using the database user and temporary password, the SQL client or Query Editor v2 connects to Redshift Serverless. Upon login, the user is authorized based on the Amazon Redshift database roles that were assigned in Step 4.
To set up the solution, we complete the following steps:
- Set up your Okta application:
- Create Okta users.
- Create groups and assign groups to users.
- Create the Okta SAML application.
- Collect Okta information.
- Set up AWS configuration:
- Create the IAM IdP.
- Create the IAM role and policy.
- Configure Redshift Serverless role-based access.
- Federate to Redshift Serverless using the Query Editor V2.
- Configure the SQL client (for this post, we use SQL Workbench/J).
- Optionally, implement MFA with SQL Client and Query Editor V2.
Prerequisites
You need the following prerequisites to set up this solution:
- An AWS account. If you don’t have one, you can sign up for one.
- An Redshift Serverless data warehouse. For setup instructions, see Getting started with Amazon Redshift Serverless.
- The latest Redshift Serverless JDBC SDK driver-dependent libraries (download the libraries and unzip the JDBC JAR zipped folder).
- An Okta account that has an active subscription. You need an admin role to set up the application on Okta. If you’re new to Okta, you can sign up for a free trial or sign up for a developer account.
- A SQL client such as SQL Workbench/J.
Set up Okta application
In this section, we provide the steps to configure your Okta application.
Create Okta users
To create your Okta users, complete the following steps:
- Sign in to your Okta organization as a user with administrative privileges.
- On the admin console, under Directory in the navigation pane, choose People.
- Choose Add person.
- For First Name, enter the user’s first name.
- For Last Name, enter the user’s last name.
- For Username, enter the user’s user name in email format.
- Select I will set password and enter a password.
- Optionally, deselect User must change password on first login if you don’t want the user to change their password when they first sign in. Choose Save.
Create groups and assign groups to users
To create your groups and assign them to users, complete the following steps:
- Sign in to your Okta organization as a user with administrative privileges.
- On the admin console, under Directory in the navigation pane, choose Groups.
- Choose Add group.
- Enter a group name and choose Save.
- Choose the recently created group and then choose Assign people.
- Choose the plus sign and then choose Done.
- Repeat Steps 1–6 to add more groups.
In this post, we create two groups: sales and finance.
Create an Okta SAML application
To create your Okta SAML application, complete the following steps:
- Sign in to your Okta organization as a user with administrative privileges.
- On the admin console, under Applications in the navigation pane, choose Applications.
- Choose Create App Integration.
- Select SAML 2.0 as the sign-in method and choose Next.
- Enter a name for your app integration (for example,
redshift_app
) and choose Next. - Enter following values in the app and leave the rest as is:
- For Single Sign On URL, enter https://signin.thinkwithwp.com/saml.
- For Audience URI (SP Entity ID), enter
urn:amazon:webservices
. - For Name ID format, enter
EmailAddress
.
- Choose Next.
- Choose I’m an Okta customer adding an internal app followed by This is an internal app that we have created.
- Choose Finish.
- Choose Assignments and then choose Assign.
- Choose Assign to groups and then select Assign next to the groups that you want to add.
- Choose Done.
Set up Okta advanced configuration
After you create the custom SAML app, complete the following steps:
- On the admin console, navigate to General and choose Edit under SAML settings.
- Choose Next.
- Set Default Relay State to the Query Editor V2 URL, using the format
https://<region>.console.thinkwithwp.com/sqlworkbench/home
. For this post, we usehttps://us-west-2.console.thinkwithwp.com/sqlworkbench/home
. - Under Attribute Statements (optional), add the following properties:
- Provide the IAM role and IdP in comma-separated format using the Role attribute. You’ll create this same IAM role and IdP in a later step when setting up AWS configuration.
- Set
user.login
forRoleSessionName
. This is used as an identifier for the temporary credentials that are issued when the role is assumed. - Set the DB roles using
PrincipalTag:RedshiftDbRoles
. This uses the Okta groups to fill the principal tags and map them automatically with the Amazon Redshift database roles. Its value must be a colon-separated list in the format role1:role2. - Set
user.login
forPrincipalTag:RedshiftDbUser
. This uses the user name in the directory. This is a required tag and defines the database user that is used by Query Editor V2. - Set the transitive keys using
TransitiveTagKeys
. This prevents users from changing the session tags in case of role chaining.
The preceding tags are forwarded to the GetCredentials
API to get temporary credentials for your Redshift Serverless instance and map automatically with Amazon Redshift database roles. The following table summarizes their attribute statements configuration.
Name | Name Format | Format | Example |
https://thinkwithwp.com/SAML/Attributes/Role | Unspecified | arn:aws:iam::<yourAWSAccountID>:role/role-name,arn:aws:iam:: <yourAWSAccountID>:saml-provider/provider-name |
arn:aws:iam::112034567890:role/oktarole,arn:aws:iam::112034567890:saml-provider/oktaidp |
https://thinkwithwp.com/SAML/Attributes/RoleSessionName | Unspecified | user.login |
user.login |
https://thinkwithwp.com/SAML/Attributes/PrincipalTag:RedshiftDbRoles | Unspecified | String.join(":", isMemberOfGroupName("group1") ? 'group1' : '', isMemberOfGroupName("group2") ? 'group2' : '') |
String.join(":", isMemberOfGroupName("sales") ? 'sales' : '', isMemberOfGroupName("finance") ? 'finance' : '') |
https://thinkwithwp.com/SAML/Attributes/PrincipalTag:RedshiftDbUser | Unspecified | user.login |
user.login |
https://thinkwithwp.com/SAML/Attributes/TransitiveTagKeys | Unspecified | Arrays.flatten("RedshiftDbUser", "RedshiftDbRoles") |
Arrays.flatten("RedshiftDbUser", "RedshiftDbRoles") |
- After you add the attribute claims, choose Next followed by Finish.
Your attributes should be in similar format as shown in the following screenshot.
Collect Okta information
To gather your Okta information, complete the following steps:
- On the Sign On tab, choose View SAML setup instructions.
- For Identity Provider Single Sign-on URL, Use this URL when connecting with any third-party SQL client such as SQL Workbench/J.
- Use the IdP metadata in block 4 and save the metadata file in .xml format (for example,
metadata.xml
).
Set up AWS configuration
In this section, we provide the steps to configure your IAM resources.
Create the IAM IdP
To create your IAM IdP, complete the following steps:
- On the IAM console, under Access management in the navigation pane, choose Identity providers.
- Choose Add provider.
- For Provider type¸ select SAML.
- For Provider name¸ enter a name.
- Choose Choose file and upload the metadata file (.xml) you downloaded earlier.
- Choose Add provider.
Create the IAM Amazon Redshift access policy
To create your IAM policy, complete the following steps:
- On the IAM console, choose Policies.
- Choose Create policy.
- On the Create policy page, choose the JSON tab.
- For the policy, enter the JSON in following format:
The workgroup ARN is available on the Redshift Serverless workgroup configuration page.
The following example policy includes only a single Redshift Serverless workgroup; you can modify the policy to include multiple workgroups in the Resource section:
- Choose Next: Tags.
- Choose Next: Review.
- In the Review policy section, for Name, enter the name of your policy; for example, OktaRedshiftPolicy.
- For Description, you can optionally enter a brief description of what the policy does.
- Choose Create policy.
Create the IAM role
To create your IAM role, complete the following steps:
- On the IAM console, choose Roles in the navigation pane.
- Choose Create role.
- For Trusted entity type, select SAML 2.0 federation.
- For SAML 2.0-based provider, choose the IdP you created earlier.
- Select Allow programmatic and AWS Management Console access.
- Choose Next.
- Choose the policy you created earlier.
- Also, add the policy
AmazonRedshiftQueryEditorV2ReadSharing
. - Choose Next.
- In the Review section, for Role Name, enter the name of your role; for example,
oktarole
. - For Description, you can optionally enter a brief description of what the role does.
- Choose Create role.
- Navigate to the role that you just created and choose Trust Relationships.
- Choose Edit trust policy and choose
TagSession
under Add actions for STS.
When using session tags, trust policies for all roles connected to the IdP passing tags must have the sts:TagSession permission. For roles without this permission in the trust policy, the AssumeRole
operation fails.
- Choose Update policy.
The following screenshot shows the role permissions.
The following screenshot shows the trust relationships.
Update the advanced Okta Role Attribute
Complete the following steps:
- Switch back to Okta.com.
- Navigate to the application which you created earlier.
- Navigate to General and click Edit under SAML settings.
- Under Attribute Statements (optional), update the value for the attribute – https://thinkwithwp.com/SAML/Attributes/Role, using the actual role and identity provider arn values from the above step. For example,
arn:aws:iam::123456789012:role/oktarole,arn:aws:iam::123456789012:saml-provider/oktaidp
.
Configure Redshift Serverless role-based access
In this step, we create database roles in Amazon Redshift based on the groups that you created in Okta. Make sure the role name matches with the Okta Group name.
Amazon Redshift roles simplify managing privileges required for your end-users. In this post, we create two database roles, sales and finance, and grant them access to query tables with sales and finance data, respectively. You can download this sample SQL Notebook and import into Redshift Query Editor v2 to run all cells in the notebook used in this example. Alternatively, you can copy and enter the SQL into your SQL client.
The following is the syntax to create a role in Redshift Serverless:
For example:
Create the sales and finance database schema:
Create the tables:
The following is the syntax to grant permission to the Redshift Serverless role:
Grant relevant permission to the role as per your requirements. In the following example, we grant full permission to the role sales on sales_schema
and only select permission on finance_schema
to the role finance:
Federate to Redshift Serverless using Query Editor V2
The RedshiftDbRoles
principal tag and DBGroups
are both mechanisms that can be used to integrate with an IdP. However, federating with the RedshiftDbRoles
principal has some clear advantages when it comes to connecting with an IdP because it provides automatic mapping between IdP groups and Amazon Redshift database roles. Overall, RedshiftDbRoles
is more flexible, easier to manage, and more secure, making it the better option for integrating Amazon Redshift with your IdP.
Now you’re ready to connect to Redshift Serverless using the Query Editor V2 and federated login:
- Use the SSO URL you collected earlier and log in to your Okta account with your user credentials. For this demo, we log in with user Ethan.
- In the Query Editor v2, choose your Redshift Serverless instance (right-click) and choose Create connection.
- For Authentication, select Federated user.
- For Database, enter the database name you want to connect to.
- Choose Create Connection.
User Ethan will be able to access sales_schema
tables. If Ethan tries to access the tables in finance_schema
, he will get a permission denied error.
Configure the SQL client (SQL Workbench/J)
To set up SQL Workbench/J, complete the following steps:
- Create a new connection in SQL Workbench/J and choose Redshift Serverless as the driver.
- Choose Manage drivers and add all the files from the downloaded AWS JDBC driver pack .zip file (remember to unzip the .zip file).
- For Username and Password, enter the values that you set in Okta.
- Capture the values for
app_id
,app_name
, andidp_host
from the Okta app embed link, which can be found on the General tab of your application.
- Set the following extended properties:
- For app_id, enter the value from app embed link (for example,
0oa8p1o1RptSabT9abd0/avc8k7abc32lL4izh3b8
). - For app_name, enter the value from app embed link (for example,
dev-123456_redshift_app_2
). - For idp_host, enter the value from app embed link (for example,
dev-123456.okta.com
). - For plugin_name, enter
com.amazon.redshift.plugin.OktaCredentialsProvider
. The following screenshot shows the SQL Workbench/J extended properties.
- Choose OK.
- Choose Test from SQL Workbench/J to test the connection.
- When the connection is successful, choose OK.
- Choose OK to sign in with the users created.
- For app_id, enter the value from app embed link (for example,
User Ethan will be able to access the sales_schema
tables. If Ethan tries to access the tables in the finance_schema
, he will get a permission denied error.
Congratulations! You have federated with Redshift Serverless and Okta with SQL Workbench/J using RedshiftDbRoles
.
[Optional] Implement MFA with SQL Client and Query Editor V2
Implementing MFA poses an additional challenge because the nature of multi-factor authentication is an asynchronous process between initiating the login (the first factor) and completing the login (the second factor). The SAML response will be returned to the appropriate listener in each scenario; the SQL Client or the AWS console in the case of QEV2. Depending on which login options you will be giving your users, you may need an additional Okta application. See below for the different scenarios:
- If you are ONLY using QEV2 and not using any other SQL client, then you can use MFA with Query Editor V2 with the above application. There are no changes required in the custom SAML application which we have created above.
- If you are NOT using QEV2 and only using third party SQL client (SQL Workbench/J etc), then you need to modify the above custom SAML app as mentioned below.
- If you want to use QEV2 and third-party SQL Client with MFA, then you need create an additional custom SAML app as mentioned below.
Prerequisites for MFA
Each identity provider (IdP) has step for enabling and managing MFA for your users. In the case of Okta, see the following guides on how to enable MFA using the Okta Verify application and by defining an authentication policy.
- Add Okta Verify as an authenticator
- Create an authentication policy
- Add an authentication policy rule
Steps to create/update SAML application which supports MFA for a SQL Client
- If creating a second app, follow all the steps which are described under section 1 (Create an Okta SAML application). In this blog post, we are creating second app as
redshift_mfa_app
. - Open the custom SAML app and select General.
- Select Edit under SAML settings
- Click Next in General Settings
- Under General, update the Single sign-on URL to http://localhost:7890/redshift/
- Select Next followed by Finish.
Below is the screenshot from the MFA App after making above changes:
- Create AWS new Identity Provider and new IAM Role and follow all the steps which are described under section 2 (Set up AWS configuration). Please provide a new role name and IdP name for MFA based application.
Update IAM Trust Relationship
- To access Redshift via 3rd party tools using MFA, use the audience value as
http://localhost:7890/redshift/
. - Navigate to the IAM role created for MFA and select Trust relationships.
- Edit trust policy and replace the audience value under Condition as shown below.
(Put below policy in code block)
Configure SQL Client for MFA
To set up SQL Workbench/J, complete the following steps:
- Follow all the steps which are described under (Configure the SQL client (SQL Workbench/J))
- Modify your connection updating the extended properties:
- Choose OK
- Choose OK from SQL Workbench/J. You’re redirected to the browser to sign in with your Okta credentials.
- After that, you will get prompt for MFA. Choose either Enter a code or Get a push notification.
- Once authentication is successful, log in to be redirected to a page showing the connection as successful.
- With this connection profile, run the following query to return federated user name.
Troubleshooting
If your connection didn’t work, consider the following:
- Enable logging in the driver. For instructions, see Configure logging.
- Make sure to use the latest Amazon Redshift JDBC driver version.
- If you’re getting errors while setting up the application on Okta, make sure you have admin access.
- If you can authenticate via the SQL client but get a permission issue or can’t see objects, grant the relevant permission to the role, as detailed earlier in this post.
Clean up
When you’re done testing the solution, clean up the resources to avoid incurring future charges:
- Delete the Redshift Serverless instance by deleting both the workgroup and the namespace.
- Delete the IAM roles, IAM IdPs, and IAM policies.
Conclusion
In this post, we provided step-by-step instructions to integrate Redshift Serverless with Okta using the Amazon Redshift Query Editor V2 and SQL Workbench/J with the help of federated IAM roles and automatic database-role mapping. You can use a similar setup with any other SQL client (such as DBeaver or DataGrip) or business intelligence tool (such as Tableau Desktop). We also showed how Okta group membership is mapped automatically with Redshift Serverless roles to use role-based authentication seamlessly.
For more information about Redshift Serverless single sign-on using database roles, see Defining database roles to grant to federated users in Amazon Redshift Serverless.
About the Authors
Maneesh Sharma is a Senior Database Engineer at AWS with more than a decade of experience designing and implementing large-scale data warehouse and analytics solutions. He collaborates with various Amazon Redshift Partners and customers to drive better integration.
Debu Panda is a Senior Manager, Product Management at AWS. He is an industry leader in analytics, application platform, and database technologies, and has more than 25 years of experience in the IT world.
Mohamed Shaaban is a Senior Software Engineer in Amazon Redshift and is based in Berlin, Germany. He has over 12 years of experience in the software engineering. He is passionate about cloud services and building solutions that delight customers. Outside of work, he is an amateur photographer who loves to explore and capture unique moments.
Rajiv Gupta is Sr. Manager of Analytics Specialist Solutions Architects based out of Irvine, CA. He has 20+ years of experience building and managing teams who build data warehouse and business intelligence solutions.
Amol Mhatre is a Database Engineer in Amazon Redshift and works on Customer & Partner engagements. Prior to Amazon, he has worked on multiple projects involving Database & ERP implementations.
Ning Di is a Software Development Engineer at Amazon Redshift, driven by a genuine passion for exploring all aspects of technology.
Harsha Kesapragada is a Software Development Engineer for Amazon Redshift with a passion to build scalable and secure systems. In the past few years, he has been working on Redshift Datasharing, Security and Redshift Serverless.