How to enable SSO for Amazon Redshift

Atlan supports SSO authentication for Amazon Redshift connections with Okta as the identity provider. Once you've configured SSO authentication for Amazon Redshift, your users can query data and view sample data in Atlan using their Okta SSO credentials.

💪 Did you know? If you have already configured Okta and AWS, skip to configure SSO authentication in Atlan. Otherwise, complete all the steps below.

Create a client application in Okta

🤓 Who can do this? You will need your Okta administrator to complete these steps; you may not have access yourself. You will also need inputs and approval from your AWS administrator.

You will need to create a client application in Okta to use for configuring the identity provider in AWS.

To create a client application, within Okta:

  1. Log in to your Okta Admin Console.
  2. From the left menu of the Admin Console, click Applications.
  3. Under Applications, click the Browse App Catalog button.
  4. On the Browse App Integration Catalog page, search for and select Amazon Web Services Redshift.
  5. From the Amazon Web Services Redshift page, click the Add integration button to create an integration.
  6. For Add Amazon Web Services Redshift, enter the following details:
    1. For Application label, enter a meaningful name for your new app integration, for example Atlan_SSO.
    2. Click Done to proceed.
  7. On your new app page, click the Assignments tab and then click the Assign button:
    • Click Assign to People to select individual users to assign to the application.
    • Click Assign to Groups to select groups to assign to the application.
  8. On your new app page, click the Sign On tab and then navigate to the SAML Signing Certificates section:
    1. Under Actions, click Actions to expand the menu, and then from the dropdown, click View IdP metadata.
    2. This will open an XML file in a new tab. Save or download this file to use for configuring the identity provider in AWS.
    3. For User Authentication, click the Edit button:
      1. From the Authentication policy dropdown, click Okta Dashboard.
      2. Click Save to save your changes.

You will need the IdP metadata XML file to configure Okta as the identity provider in AWS.

Configure identity provider in AWS

🤓 Who can do this? You will need your AWS administrator to complete these steps; you may not have access yourself. You will also need inputs and approval from your Okta administrator.

You will need to establish a trust relationship between Okta as the identity provider and AWS. You will also need to create a role that Okta can use to access Amazon Redshift and assign required permissions to that role.

Create an identity provider

To create an identity provider, within AWS:

  1. Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
  2. From the left menu of your AWS Identity and Access Management (IAM) console, click Identity providers and then click the Add provider button.
  3. In the Add an Identity provider dialog, enter the following details:
    1. For Provider type, select SAML.
    2. For Provider name, enter a name for the identity provider, for example Okta_AtlanSSO.
    3. Under Metadata document, click Choose file and upload the IdP metadata XML file you downloaded from Okta.
    4. At the bottom of the dialog, click Add provider to add Okta as the identity provider in AWS.

Once you have configured Okta as the identity provider in AWS, you will need to create a role for Okta to access Amazon Redshift.

Create a role

To create a role, within AWS:

  1. Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
  2. From the left menu of your AWS Identity and Access Management (IAM) console, click Roles, and then from the top right, click the Create role button.
  3. On the Create role page, enter the following details:
    1. For Select trusted entity, under Trusted entity type, click SAML 2.0 federation. Under SAML 2.0 federation, enter the following details: 
      1. For SAML 2.0-based provider, select the identity provider you created in AWS, for example Okta_AtlanSSO.
      2. Click Allow programmatic access only.
      3. For the Attribute dropdown, select SAML:aud.
      4. For Value, enter https://signin.aws.amazon.com/saml.
      5. Click Next to continue.
    2. For Add permissions, click Next to proceed to the next step.
    3. For Name, review, and create, under Role details, enter the following details:
      1. For Role name, enter a name for the role, for example Okta_AtlanSSO_role.
      2. (Optional) For Description, enter a description for the new role.
    4. Click Create role to finish role setup. This will create a new role for Okta to access Amazon Redshift.

Once you have created a role for Okta to access Amazon Redshift, you will need to assign permissions to that role.

Create a policy

You will need to create an access policy and assign the following required permissions to the newly created role:

  • CreateClusterUser
  • JoinGroup
  • GetClusterCredentials

To create a policy, within AWS:

  1. Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
  2. From the left menu of your AWS Identity and Access Management (IAM) console, click Roles and then search for and select the role you created in the previous step, for example Okta_AtlanSSO_role.
  3. On the newly created role page, to the right of Permission policies, click Add permissions, and then from the dropdown, click Create inline policy.
  4. On the Create policy page, you will need to assign the following permissions for Redshift: GetClusterCredentials, JoinGroup, and CreateClusterUser. Repeat the steps below for each permission:
    1. For Specify permissions, under Select a service, search for and select Redshift. Under Redshift, enter the following details:
      1. For Allowed actions, search for and select a permission β€” for example, GetClusterCredentials.
      2. For Resources, click All.
      3. Click Next to proceed.
    2. For Review and create, under Policy name, enter a name for the newly created policy, for example Okta_AtlanSSO_rolepolicy.
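The role and policy steps above produce two IAM JSON documents: a trust policy that lets the Okta SAML provider call sts:AssumeRoleWithSAML only when the assertion audience is https://signin.aws.amazon.com/saml, and an inline permissions policy granting the three Redshift actions. The following Python is an added example, not Atlan's or AWS's code, that builds both documents and reviews them the way a security engineer would before attaching them. The account ID, provider name, cluster name and DB group are constructed placeholders; the scoped_resources helper is an assumed hardening (restricting the actions to one cluster's dbuser, dbname and dbgroup ARNs) rather than the "All" resources the page selects.

```python
import json

# Constructed sample values, not taken from the page: replace with your own
# account ID and the provider name you chose in IAM.
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "Okta_AtlanSSO"

# The three Redshift permissions the role needs, as IAM action names.
REQUIRED_REDSHIFT_ACTIONS = (
    "redshift:GetClusterCredentials",
    "redshift:JoinGroup",
    "redshift:CreateClusterUser",
)
# The SAML:aud value entered in the role's trust condition.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a SAML 2.0 federation role that allows programmatic
    access only: the SAML provider may call AssumeRoleWithSAML, and only for
    assertions whose audience is the AWS sign-in endpoint."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def inline_policy(resources="*") -> dict:
    """Inline permissions policy granting exactly the three Redshift actions.
    The page selects 'All' resources; pass a list of Redshift ARNs instead to
    limit which cluster, users and groups the role can mint credentials for."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(REQUIRED_REDSHIFT_ACTIONS),
                "Resource": resources,
            }
        ],
    }


def scoped_resources(region, account_id, cluster, db_groups, database="*"):
    """Redshift resource ARNs that confine GetClusterCredentials to one cluster
    and the named DB groups. This tightening is an assumption of this example,
    not a step on the page."""
    base = f"arn:aws:redshift:{region}:{account_id}"
    return (
        [f"{base}:dbuser:{cluster}/*", f"{base}:dbname:{cluster}/{database}"]
        + [f"{base}:dbgroup:{cluster}/{group}" for group in db_groups]
    )


def review_role(trust, permissions, account_id, provider_name):
    """Return the findings a reviewer would raise before attaching the policies.
    An empty list means the role trusts only the expected provider, checks the
    audience, and grants nothing beyond the three required actions."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    for stmt in trust["Statement"]:
        if stmt.get("Action") != "sts:AssumeRoleWithSAML":
            findings.append("trust policy allows an action other than sts:AssumeRoleWithSAML")
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("trust policy principal is not the expected SAML provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("trust policy is missing the SAML:aud condition")
    for stmt in permissions["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        extra = sorted(set(actions) - set(REQUIRED_REDSHIFT_ACTIONS))
        if extra:
            findings.append(f"permissions policy grants actions beyond the three required: {extra}")
        if stmt.get("Resource") == "*":
            findings.append("permissions policy applies to all Redshift resources; scope it to the cluster's dbuser, dbname and dbgroup ARNs")
    return findings


if __name__ == "__main__":
    trust = trust_policy(ACCOUNT_ID, PROVIDER_NAME)
    perms = inline_policy(scoped_resources("us-east-1", ACCOUNT_ID, "atlan-cluster", ["atlan_readers"]))
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", review_role(trust, perms, ACCOUNT_ID, PROVIDER_NAME))
```

Running the script prints the two documents you can compare against what the IAM console generated for the role. review_role flags a trust policy that lacks the SAML:aud condition or trusts a different provider, and a permissions policy that grants more than the three actions or, as with the "All" selection on the page, applies to every Redshift resource in the account.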

Retrieve identity provider and role ARN

Once you have configured Okta as the identity provider and created a role in AWS, you will need the identity provider ARN and role ARN for further configuration in Okta.

To retrieve the identity provider and role ARN, within AWS:

  1. Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
  2. From the left menu of your AWS Identity and Access Management (IAM) console:
    1. Click Identity providers and then select the identity provider you created:
      1. On the identity provider page, under ARN, click the clipboard icon to copy the identity provider ARN value and store it in a secure location.
    2. Click Roles and then select the role you created:
      1. On the role page, under ARN, click the clipboard icon to copy the role ARN value and store it in a secure location.

Configure the client application in Okta

🤓 Who can do this? You will need your Okta administrator to complete these steps; you may not have access yourself. You will also need inputs and approval from your AWS administrator.

You will need the identity provider ARN and role ARN from AWS for further configuration in Okta.

To further configure the client application in Okta:

  1. Log in to your Okta Admin Console.
  2. From the left menu of the Admin Console, click Applications.
  3. Under Applications, select the client application you created in Okta.
  4. On your new app page, click the Sign On tab.
  5. On the Sign On page, next to Settings, click Edit.
  6. Navigate to the Advanced Sign-on Settings section and enter the following details:
    1. For IdP ARN and Role ARN, enter the identity provider ARN and role ARN as comma-separated values, for example arn:aws:iam::403973984390:role/oktaAtlan_SSO, arn:aws:iam::403976283490:saml-provider/oktaAtlan_SSO_role.
    2. For Allowed DB Groups (Redshift), enter the names of the Okta groups that should be provided access to Amazon Redshift.
    3. Click Save to confirm.
  7. On your new app page, click the General tab and navigate to the App Embed Link section.
    1. Under Embed Link, copy the link (for example, https://<example>.okta.com/home/amazon_aws_redshift/0oa78lx856GcTMDsa697/aln1dkqcfra0piaWa0g) and store the IdP host name and app ID in a secure location to use for configuring SSO authentication in Atlan. For example:
      • IdP host name: <example>.okta.com
      • App ID: 0oa78lx856GcTMDsa697/aln1dkqcfra0piaWa0g
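Two values in the steps above are easy to get wrong by hand: the comma-separated IdP ARN and Role ARN pair, and the host name and app ID carved out of the App Embed Link. The following Python is an added example, not Atlan's or Okta's code, that parses an embed link into the IdP host name and app ID that Atlan asks for, and checks an ARN pair before it is pasted into Okta (exactly two IAM ARNs, one saml-provider and one role, both in the same AWS account). The host name and account IDs used in the script are constructed; the app ID segments are the ones from the page's example link.

```python
import re
from urllib.parse import urlparse

# IAM ARN for a SAML provider or a role: arn:aws:iam::<12-digit account>:<type>/<name>
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/([\w+=.@/-]+)$")


def parse_embed_link(link: str) -> dict:
    """Split an Okta App Embed Link into the IdP host name and app ID that
    Atlan asks for. Expected path shape: /home/<app name>/<id part 1>/<id part 2>."""
    parts = urlparse(link)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or len(segments) != 4 or segments[0] != "home":
        raise ValueError(f"unexpected embed link: {link}")
    return {
        "idp_host": parts.netloc,
        "app_name": segments[1],
        "app_id": "/".join(segments[2:]),
    }


def check_arn_pair(value: str) -> list:
    """Validate the comma-separated 'IdP ARN and Role ARN' value before pasting
    it into Okta: exactly two IAM ARNs, one saml-provider and one role, both in
    the same AWS account. Returns a list of findings; empty means it looks right."""
    findings = []
    arns = [a.strip() for a in value.split(",")]
    if len(arns) != 2:
        return [f"expected two comma-separated ARNs, got {len(arns)}"]
    parsed = []
    for arn in arns:
        match = IAM_ARN_RE.match(arn)
        if match is None:
            findings.append(f"not a SAML provider or role ARN: {arn}")
        else:
            parsed.append(match.groups())
    if sorted(kind for _, kind, _ in parsed) != ["role", "saml-provider"]:
        findings.append("expected one saml-provider ARN and one role ARN")
    accounts = {account for account, _, _ in parsed}
    if len(accounts) > 1:
        findings.append(f"ARNs belong to different accounts: {sorted(accounts)}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the page (host name and account ID
    # are placeholders; the app ID segments are from the page's example link).
    link = "https://example.okta.com/home/amazon_aws_redshift/0oa78lx856GcTMDsa697/aln1dkqcfra0piaWa0g"
    print(parse_embed_link(link))
    pair = ("arn:aws:iam::123456789012:saml-provider/Okta_AtlanSSO,"
            "arn:aws:iam::123456789012:role/Okta_AtlanSSO_role")
    print(check_arn_pair(pair))
```

The order of the two ARNs is accepted either way; what the check catches is a missing or duplicated type, a malformed ARN, and a provider and role from different accounts, which is the mismatch most likely to produce an opaque assume-role failure later.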

Configure SSO authentication in Atlan

🤓 Who can do this? You will need to be a connection admin in Atlan to complete these steps. You will also need inputs and approval from your Okta and AWS administrators.

Once you have configured Okta and AWS, you can enable SSO authentication for your Amazon Redshift users to query data and view sample data in Atlan.


To configure Okta SSO on an Amazon Redshift connection, from Atlan:

  1. From the left menu of any screen, click Assets.
  2. From the Assets page, click the Connector filter, and from the dropdown, select Redshift.
  3. From the pills below the search bar at the top of the screen, click Connection.
  4. From the list of results, select an Amazon Redshift connection to enable SSO authentication.
  5. From the sidebar on the right, next to Connection settings, click Edit.
  6. In the Connection settings dialog:
  7. (Optional) Toggle on Enable data policies created at source to apply for querying in Atlan. This applies any data policies and user permissions defined at source to querying data and viewing sample data in Atlan. If toggled on, any existing data policies on the connection in Atlan will be deactivated and creation of new data policies will be disabled.
  8. At the bottom right of the Connection settings dialog, click Update.

Your users will now be able to run queries and view sample data using their Okta SSO credentials! 🎉
