Configuring authentication

To protect data from unauthorized access, Amazon Redshift data stores require all connections to be authenticated using user credentials.

The following table illustrates the required and optional connection options for each authentication method that can be used to connect to the Amazon Redshift ODBC driver version 2.x:

ODBC authentication method required and optional connection options
Authentication Method	Required	Optional
Standard	Host Port Database UID Password
IAM Profile	Host Port Database IAM Profile	ClusterID Region AutoCreate EndpointURL StsEndpointURL InstanceProfile Note ClusterID and Region must be set in Host if they are not set separately.
IAM Credentials	Host Port Database IAM AccessKeyID SecretAccessKey	ClusterID Region AutoCreate EndpointURL StsEndpointURL SessionToken UID Note ClusterID and Region must be set in Host if they are not set separately.
AD FS	Host Port Database IAM plugin_name UID Password IdP_Host IdP_Port	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role loginToRp SSL_Insecure Note ClusterID and Region must be set in Host if they are not set separately.
Azure AD	Host Port Database IAM plugin_name UID Password IdP_Tenant Client_ID Client_Secret	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role dbgroups_filter Note ClusterID and Region must be set in Host if they are not set separately.
JWT	Host Port Database IAM plugin_name web_identity_token	provider_name
Okta	Host Port Database IAM plugin_name UID Password IdP_Host App_Name App_ID	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role Note ClusterID and Region must be set in Host if they are not set separately.
Ping Federate	Host Port Database IAM plugin_name UID Password IdP_Host IdP_Port	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role SSL_Insecure partner_spid Note ClusterID and Region must be set in Host if they are not set separately.
Browser Azure AD	Host Port Database IAM plugin_name IdP_Tenant Client_ID UID	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role dbgroups_filter IdP_Response_Timeout listen_port Note ClusterID and Region must be set in Host if they are not set separately.
Browser SAML	Host Port Database IAM plugin_name login_url UID	ClusterID Region AutoCreate EndpointUrl StsEndpointUrl Preferred_Role dbgroups_filter IdP_Response_Timeout listen_port Note ClusterID and Region must be set in Host if they are not set separately.
Auth Profile	Host Port Database AccessKeyID SecretAccessKey
Browser Azure AD OAUTH2	Host Port Database IAM plugin_name IdP_Tenant Client_ID UID	ClusterID Region EndpointUrl IdP_Response_Timeout listen_port scope provider_name Note ClusterID and Region must be set in Host if they are not set separately.

Using an external credentials service

In addition to built-in support for AD FS, Azure AD, and Okta, the Windows version of the Amazon Redshift ODBC driver also provides support for other credentials services. The driver can authenticate connections using any SAML-based credential provider plugin of your choice.

To configure an external credentials service on Windows:

1. Create an IAM profile that specifies the credential provider plugin and other authentication parameters as needed. The profile must be ASCII-encoded, and must contain the following key-value pair, where PluginPath is the full path to the plugin application:

   plugin_name = PluginPath

   For example:

   plugin_name = C:\Users\kjson\myapp\CredServiceApp.exe 

   For information on how to create a profile, see Using a Configuration Profile in the Amazon Redshift Cluster Management Guide.

2. Configure the driver to use this profile. The driver detects and uses the authentication settings specified in the profile.