Options for providing IAM credentials
To provide IAM credentials for a JDBC or ODBC connection, choose one of the following options.
- AWS profile
  As an alternative to providing credentials values in the form of JDBC or ODBC settings, you can put the values in a named profile. For more information, see Using a Configuration Profile.
- IAM credentials
  Provide values for AccessKeyID, SecretAccessKey, and, optionally, SessionToken in the form of JDBC or ODBC settings. SessionToken is required only for an IAM role with temporary credentials. For more information, see JDBC and ODBC options for providing IAM credentials.
- Identity provider federation
  When you use identity provider federation to enable users from an identity provider to authenticate to Amazon Redshift, specify the name of a credential provider plugin. For more information, see Using a credentials provider plugin.
  The Amazon Redshift JDBC and ODBC drivers include plugins for the following SAML-based identity federation credential providers:
  - Microsoft Active Directory Federation Services (AD FS)
  - PingOne
  - Okta
  - Microsoft Azure Active Directory (Azure AD)
  You can provide the plugin name and related values in the form of JDBC or ODBC settings or by using a profile. For more information, see Options for JDBC driver version 2.1 configuration and Configure ODBC driver options.
For more information, see Configure a JDBC or ODBC connection to use IAM credentials.
Using a Configuration Profile
You can supply the IAM credentials options and GetClusterCredentials options as settings in named profiles in your AWS configuration file. To provide the profile name, use the Profile JDBC option. The configuration is stored in a file named config or a file named credentials in a folder named .aws in your home directory.
For a SAML-based credential provider plugin included with an Amazon Redshift JDBC or ODBC driver, you can use the settings described in Using a credentials provider plugin. If plugin_name isn't used, the other options are ignored.
The following example shows the ~/.aws/credentials file with two profiles.
```ini
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
```
To use the credentials for the user2 example, specify Profile=user2 in the JDBC URL.
For more information on using profiles, see Configuration and credential file settings in the AWS Command Line Interface User Guide.
For more information on using profiles for the JDBC driver, see Amazon Redshift JDBC driver installation and configuration guide.
For more information on using profiles for the ODBC driver, see Amazon Redshift ODBC driver installation and configuration guide.
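The following is an added example, not code from the Amazon Redshift documentation or the driver: it resolves the profile a JDBC URL's Profile option selects from a credentials file of the shape shown above, maps it onto the driver's AccessKeyID, SecretAccessKey and SessionToken options, and applies the page's rule that a session token belongs only to temporary role credentials. The credentials text is a constructed copy of the page's example (the key values are the documentation's published placeholders); the JDBC URL and the ASIA/AKIA key-prefix check are assumptions of this example, not something the page states.

```python
import configparser
from urllib.parse import parse_qs

# Constructed copy of the page's ~/.aws/credentials example. The key values
# are the documentation's published placeholders, not real credentials.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
"""


def profile_from_jdbc_url(url):
    """Return the Profile named in a JDBC URL's query string, or 'default'.

    Example (assumed URL shape): jdbc:redshift:iam://examplecluster:us-west-1/dev?Profile=user2
    Only the part after '?' is inspected; other driver options are left alone.
    """
    if "?" not in url:
        return "default"
    options = parse_qs(url.split("?", 1)[1])
    return options.get("Profile", ["default"])[0]


def load_profile(credentials_text, profile_name):
    """Map a credentials-file profile onto the driver's AccessKeyID,
    SecretAccessKey and SessionToken options.

    RawConfigParser is used so that '%' or '$' characters that are legal in
    secrets are never interpolated.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_section(profile_name):
        raise KeyError(f"profile {profile_name!r} not found in credentials file")
    section = parser[profile_name]
    return {
        "AccessKeyID": section["aws_access_key_id"],
        "SecretAccessKey": section["aws_secret_access_key"],
        "SessionToken": section.get("session_token"),  # None for long-term user keys
    }


def is_temporary(creds):
    """Per the page, SessionToken is required only for an IAM role with
    temporary credentials and isn't used for a user."""
    return creds["SessionToken"] is not None


def credential_issues(creds):
    """Sanity checks a client could apply before attempting a connection.

    Access key IDs beginning with 'ASIA' are temporary (STS-issued) keys and
    are unusable without their session token; 'AKIA' keys are long-term keys.
    """
    issues = []
    key_id = creds["AccessKeyID"]
    if key_id.startswith("ASIA") and not is_temporary(creds):
        issues.append("temporary access key supplied without SessionToken")
    if not key_id or not creds["SecretAccessKey"]:
        issues.append("AccessKeyID and SecretAccessKey are both required")
    return issues


if __name__ == "__main__":
    url = "jdbc:redshift:iam://examplecluster:us-west-1/dev?Profile=user2"
    creds = load_profile(CREDENTIALS_FILE, profile_from_jdbc_url(url))
    print("profile has temporary credentials:", is_temporary(creds))
    print("issues:", credential_issues(creds) or "none")
```

Keeping the file parse separate from the option mapping makes it easy to verify that a profile meant for a role (one with session_token) is never silently used as if it were a long-term user key.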
JDBC and ODBC options for providing IAM credentials
The following table lists the JDBC and ODBC options for providing IAM credentials.
Option | Description
---|---
iam | For use only in an ODBC connection string. Set to 1 to use IAM authentication.
AccessKeyID, SecretAccessKey, SessionToken | The access key ID and secret access key for the IAM role or user configured for IAM database authentication. SessionToken is required only for an IAM role with temporary credentials. SessionToken isn't used for a user. For more information, see Temporary Security Credentials.
plugin_name | The fully qualified name of a class that implements a credentials provider. The Amazon Redshift JDBC driver includes SAML-based credential provider plugins. If you provide plugin_name, you can also provide other related options. For more information, see Using a credentials provider plugin.
Profile | The name of a profile in an AWS credentials or config file that contains values for the JDBC connection options. For more information, see Using a Configuration Profile.
Using a credentials provider plugin
Amazon Redshift uses credentials provider plugins for single sign-on authentication.
To support single sign-on authentication, Amazon Redshift provides the Azure AD plugin for Microsoft Azure Active Directory. For information on how to configure this plugin, see Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD.
Setting up multi-factor authentication
To support multi-factor authentication (MFA), Amazon Redshift provides browser-based plugins. Use the browser SAML plugin for Okta and PingOne, and the browser Azure AD plugin for Microsoft Azure Active Directory.
With the browser SAML plugin, SAML authentication flows like this:
- A user tries to log in.
- The plugin launches a local server to listen to incoming connections on the localhost.
- The plugin launches a web browser to request a SAML response over HTTPS from the specified single sign-on login URL federated identity provider endpoint.
- The web browser follows the link and prompts the user to enter credentials.
- After the user authenticates and grants consent, the federated identity provider endpoint returns a SAML response over HTTPS to the URI indicated by redirect_uri.
- The web browser moves the response message with the SAML response to the indicated redirect_uri.
- The local server accepts the incoming connection and the plugin retrieves the SAML response and passes it to Amazon Redshift.
With the browser Azure AD plugin, SAML authentication flows like this:
- A user tries to log in.
- The plugin launches a local server to listen to incoming connections on the localhost.
- The plugin launches a web browser to request an authorization code from the Azure AD oauth2/authorize endpoint.
- The web browser follows the generated link over HTTPS and prompts the user to enter credentials. The link is generated using configuration properties, such as tenant and client_id.
- After the user authenticates and grants consent, the Azure AD oauth2/authorize endpoint returns and sends a response over HTTPS with the authorization code to the indicated redirect_uri.
- The web browser moves the response message with the SAML response to the indicated redirect_uri.
- The local server accepts the incoming connection and the plugin requests and retrieves the authorization code and sends a POST request to the Azure AD oauth2/token endpoint.
- The Azure AD oauth2/token endpoint returns a response with an access token to the indicated redirect_uri.
- The plugin retrieves the SAML response and passes it to Amazon Redshift.
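Both flows above end the same way: a local server on the loopback interface receives the browser's redirect at the reply URL and hands the response to the plugin. The following is an added example written for this page, not the Redshift driver's own code, of that last step. It shows a minimal listener for the reply URL http://localhost/redshift/, with the two plugin options the page constrains (listen_port, default 7890; idp_response_timeout, at least 10 seconds) checked up front. The request parsing is kept separate from the server so the edge cases can be tested without a browser. Assumptions of this example: the browser delivers the assertion as a form POST with a SAMLResponse field (the standard SAML HTTP-POST binding), and the sample assertion is a constructed placeholder, not a real SAML response.

```python
import base64
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

DEFAULT_LISTEN_PORT = 7890    # listen_port default given on the page
MIN_RESPONSE_TIMEOUT = 10     # idp_response_timeout minimum given on the page
REDIRECT_PATH = "/redshift/"  # path of the reply URL http://localhost/redshift/


def check_plugin_options(listen_port=DEFAULT_LISTEN_PORT, idp_response_timeout=MIN_RESPONSE_TIMEOUT):
    """Return the problems with the two browser-plugin options; [] means none."""
    problems = []
    if not 1 <= listen_port <= 65535:
        problems.append(f"listen_port {listen_port} is not a valid TCP port")
    if idp_response_timeout < MIN_RESPONSE_TIMEOUT:
        problems.append(f"idp_response_timeout must be at least {MIN_RESPONSE_TIMEOUT} seconds")
    return problems


def encode_saml_form(assertion_xml):
    """Form body a browser posts to the reply URL: base64 in a SAMLResponse field (assumed binding)."""
    return urlencode({"SAMLResponse": base64.b64encode(assertion_xml).decode("ascii")})


def extract_saml_response(path, body):
    """Decode the SAMLResponse from a POST to the reply URL, or None if the
    request is not one the plugin should accept.

    The path must equal the configured redirect URI; a mismatch corresponds to
    the 'reply URL does not match' failure the troubleshooting section covers.
    """
    if urlparse(path).path != REDIRECT_PATH:
        return None
    values = parse_qs(body).get("SAMLResponse")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


class _ReplyUrlHandler(BaseHTTPRequestHandler):
    """Handles the single redirect the IdP sends back through the browser."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        saml = extract_saml_response(self.path, body)
        if saml is None:
            self.send_response(404)
            self.end_headers()
            return
        self.server.saml_response = saml  # hand the assertion to the waiting plugin
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Login complete. You can close this window.")

    def log_message(self, *args):
        pass  # keep assertions and relay state out of the console log


def start_listener(listen_port=DEFAULT_LISTEN_PORT):
    """Bind on the loopback interface only; nothing off-host should reach it."""
    server = HTTPServer(("127.0.0.1", listen_port), _ReplyUrlHandler)
    server.saml_response = None
    return server


def wait_for_saml_response(server, idp_response_timeout):
    """Serve until an assertion arrives or the timeout passes (then returns None)."""
    server.timeout = 0.2  # short poll so the overall deadline is honoured
    deadline = time.monotonic() + idp_response_timeout
    while server.saml_response is None and time.monotonic() < deadline:
        server.handle_request()
    server.server_close()
    return server.saml_response


if __name__ == "__main__":
    # Stand-alone demo: an ephemeral port stands in for listen_port, and a
    # local POST stands in for the browser delivering the IdP's redirect.
    listener = start_listener(0)
    port = listener.server_address[1]
    worker = threading.Thread(
        target=lambda: setattr(listener, "result", wait_for_saml_response(listener, MIN_RESPONSE_TIMEOUT)))
    worker.start()
    assertion = b"<samlp:Response>constructed sample, not a real assertion</samlp:Response>"
    req = Request(f"http://127.0.0.1:{port}{REDIRECT_PATH}",
                  data=encode_saml_form(assertion).encode(), method="POST")
    urlopen(req).read()
    worker.join()
    print("plugin received:", listener.result.decode())
```

Binding to 127.0.0.1 rather than all interfaces, matching the path exactly, and giving up after idp_response_timeout are the three properties that keep the listener from accepting anything other than the one redirect it is waiting for.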
See the following sections:
- Active Directory Federation Services (AD FS)
  For more information, see Setting up JDBC or ODBC Single Sign-on authentication with AD FS.
- PingOne (Ping)
  Ping is supported only with the predetermined PingOne IdP Adapter using Forms authentication.
  For more information, see Setting up JDBC or ODBC single sign-on authentication with Ping Identity.
- Okta
  Okta is supported only for the Okta-supplied application used with the AWS Management Console.
  For more information, see Setting up JDBC or ODBC Single Sign-on authentication with Okta.
- Microsoft Azure Active Directory
  For more information, see Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD.
Configuring plugin options
To use a SAML-based credentials provider plugin, specify the following options using JDBC or ODBC options or in a named profile. If plugin_name isn't specified, the other options are ignored.
Option | Description
---|---
plugin_name | For JDBC, the class name that implements a credentials provider, for example com.amazon.redshift.plugin.AzureCredentialsProvider. For ODBC, the plugin's short name, for example AzureAD.
idp_host | The name of the corporate identity provider host. This name should not include any slashes ('/'). For an Okta identity provider, the value for idp_host should end with .okta.com.
idp_port | The port used by the identity provider. The default is 443. This port is ignored for Okta.
preferred_role | A role Amazon Resource Name (ARN) from the AttributeValue elements for the Role attribute in the SAML assertion. To find the appropriate value for the preferred role, work with your IdP administrator. For more information, see Configure SAML assertions for your IdP.
user | A corporate user name, including the domain when applicable. For example, for Active Directory, the domain name is required in the format domain\username.
password | The corporate user's password. We recommend not using this option. Instead, use your SQL client to supply the password.
app_id | An ID for an Okta application. Used only with Okta. The value for app_id follows amazon_aws in the Okta application embed link. To get this value, work with your IdP administrator. The following is an example of an application embed link: https://example.okta.com/home/amazon_aws/0oa2hylwrpM8UGehd1t7/272
idp_tenant | A tenant used for Azure AD. Used only with Azure.
client_id | A client ID for the Amazon Redshift enterprise application in Azure AD. Used only with Azure.
Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD
You can use Microsoft Azure AD as an identity provider (IdP) to access your Amazon Redshift cluster. Following, you can find a procedure that describes how to set up a trust relationship for this purpose. For more information about configuring AWS as a service provider for the IdP, see Configuring Your SAML 2.0 IdP with Relying Party Trust and Adding Claims in the IAM User Guide.
Note
To use Azure AD with JDBC, the Amazon Redshift JDBC driver must be version 1.2.37.1061 or later. To use Azure AD with ODBC, the Amazon Redshift ODBC driver must be version 1.4.10.1000 or later.
To learn how to federate Amazon Redshift access with Microsoft Azure AD single sign-on, watch the following video.
To set up Azure AD and your AWS account to trust each other
- Create or use an existing Amazon Redshift cluster for your Azure AD users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
- Set up an Azure Active Directory, groups, and users used for AWS on the Microsoft Azure portal.
- Add Amazon Redshift as an enterprise application on the Microsoft Azure portal to use for single sign-on to the AWS Console and federated login to Amazon Redshift. Choose Enterprise application.
- Choose +New application. The Add an application page appears.
- Search for AWS in the search field. Choose Amazon Web Services (AWS) and choose Add. This creates the AWS application.
- Under Manage, choose Single sign-on.
- Choose SAML. The Amazon Web Services (AWS) | SAML-based Sign-on page appears.
- Choose Yes to proceed to the Set up Single Sign-On with SAML page. This page shows the list of pre-configured single sign-on related attributes.
- For Basic SAML Configuration, choose the edit icon and choose Save.
- When you are configuring for more than one application, provide an identifier value. For example, enter https://signin.aws.amazon.com/saml#2. Note that from the second application onwards, use this format with a # sign to specify a unique SPN value.
- In the User Attributes and Claims section, choose the edit icon.
  By default, the Unique User Identifier (UID), Role, RoleSessionName, and SessionDuration claims are pre-configured.
- Choose + Add new claim to add a claim for database users.
  - For Name, enter DbUser.
  - For Namespace, enter https://redshift.amazon.com/SAML/Attributes.
  - For Source, choose Attribute.
  - For Source attribute, choose user.userprincipalname. Then, choose Save.
- Choose + Add new claim to add a claim for AutoCreate.
  - For Name, enter AutoCreate.
  - For Namespace, enter https://redshift.amazon.com/SAML/Attributes.
  - For Source, choose Attribute.
  - For Source attribute, choose "true". Then, choose Save.
Here, 123456789012 is your AWS account, AzureSSO is an IAM role you created, and AzureADProvider is the IAM provider.
Claim name | Value
---|---
Unique user identifier (name ID) | user.userprincipalname
https://aws.amazon.com/SAML/Attributes/SessionDuration | "900"
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::123456789012:role/AzureSSO,arn:aws:iam::123456789012:saml-provider/AzureADProvider
https://aws.amazon.com/SAML/Attributes/RoleSessionName | user.userprincipalname
https://redshift.amazon.com/SAML/Attributes/AutoCreate | "true"
https://redshift.amazon.com/SAML/Attributes/DbGroups | user.assignedroles
https://redshift.amazon.com/SAML/Attributes/DbUser | user.userprincipalname
- Under App Registration > your-application-name > Authentication, add Mobile And Desktop Application. Specify the URL as http://localhost/redshift/.
- In the SAML Signing Certificate section, choose Download to download and save the federation metadata XML file for use when you create an IAM SAML identity provider. This file is used to create the single sign-on federated identity.
- Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Azure Enterprise Application. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
- Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
- Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide.
  Modify the following policy (in JSON format) for your environment:
  - Substitute the AWS Region of your cluster for us-west-1.
  - Substitute your AWS account for 123456789012.
  - Substitute your cluster identifier (or * for all clusters) for cluster-identifier.
  - Substitute your database (or * for all databases) for dev.
  - Substitute the unique identifier of your IAM role for AROAJ2UCCR6DPCEXAMPLE.
  - Substitute your tenant or company email domain for example.com.
  - Substitute the database group that you plan to assign the user to for my_dbgroup.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:dbname:cluster-identifier/dev",
        "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}",
        "arn:aws:redshift:us-west-1:123456789012:cluster:cluster-identifier"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}"
    },
    {
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbgroup:cluster-identifier/my_dbgroup"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
This policy grants permissions as follows:
- The first section grants permission to the GetClusterCredentials API operation to get temporary credentials for the specified cluster. In this example, the resource is cluster-identifier with database dev, in account 123456789012, and in AWS Region us-west-1. The ${redshift:DbUser} clause allows only users that match the DbUser value specified in Azure AD to connect. The condition clause enforces that only certain users get temporary credentials. These are users under the role specified by the role unique ID AROAJ2UCCR6DPCEXAMPLE in the IAM account identified by an email address in your company's email domain. For more information about unique IDs, see Unique IDs in the IAM User Guide.
  Your setup with your IdP (in this case, Azure AD) determines how the condition clause is written. If your employee's email is johndoe@example.com, first set ${redshift:DbUser} to the super field that matches the employee's user name johndoe. Then, to make this condition work, set the AWS SAML RoleSessionName field to the super field that matches the employee's email johndoe@example.com. When you take this approach, consider the following:
  - If you set ${redshift:DbUser} to be the employee's email, then remove the @example.com in the example JSON to match the RoleSessionName.
  - If you set the RoleSessionId to be just the employee's user name, then remove the @example.com in the example to match the RoleSessionName.
  - In the example JSON, the ${redshift:DbUser} and RoleSessionName are both set to the employee's email. This example JSON uses the Amazon Redshift database user name with @example.com to sign the user in to access the cluster.
- The second section grants permission to create a dbuser name in the specified cluster. In this example JSON, it restricts creation to ${redshift:DbUser}.
- The third section grants permission to specify which dbgroup a user can join. In this example JSON, a user can join the my_dbgroup group in the specified cluster.
- The fourth section grants permission to actions the user can do on all resources. In this example JSON, it allows users to call redshift:DescribeClusters to get cluster information such as the cluster endpoint, AWS Region, and port. It also allows users to call iam:ListRoles to check which roles a user can assume.
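The following is an added example, not from the Redshift documentation, that turns the explanation above into a check: it audits the GetClusterCredentials statement for the scoping the text describes (resources pinned to one cluster, a dbuser resource ending in ${redshift:DbUser}, and a StringEquals condition on aws:userid) and works through the RoleSessionName question, showing that the page's condition passes when RoleSessionName is the employee's email and fails when it is only the user name. The policy text is a constructed copy of the page's example with its placeholders (123456789012, AROAJ2UCCR6DPCEXAMPLE, cluster-identifier, example.com) unchanged; WEAK_POLICY is a constructed contrast, and the aws:userid format "<role unique ID>:<RoleSessionName>" is the IAM documented format for an assumed-role session.

```python
import json

# Constructed copy of the page's example policy; all identifiers are the page's placeholders.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:dbname:cluster-identifier/dev",
        "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}",
        "arn:aws:redshift:us-west-1:123456789012:cluster:cluster-identifier"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}"
    },
    {
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-west-1:123456789012:dbgroup:cluster-identifier/my_dbgroup"
    },
    {
      "Effect": "Allow",
      "Action": ["redshift:DescribeClusters", "iam:ListRoles"],
      "Resource": "*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed contrast: the same grant with no resource scoping and no condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": "*"}
    ],
}

GET_CREDS = "redshift:GetClusterCredentials"


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def expected_userid(role_unique_id, role_session_name):
    """aws:userid for an assumed role is '<role unique ID>:<RoleSessionName>',
    so the SAML RoleSessionName claim decides what the condition has to match."""
    return f"{role_unique_id}:{role_session_name}"


def get_credentials_statements(policy):
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow" and GET_CREDS in _as_list(s.get("Action", []))]


def audit_get_cluster_credentials(policy):
    """Findings about how tightly GetClusterCredentials is scoped; [] means the
    statement has the shape the page describes."""
    statements = get_credentials_statements(policy)
    if not statements:
        return ["no Allow statement grants " + GET_CREDS]
    findings = []
    for stmt in statements:
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or ":cluster:*" in resource or ":dbname:*" in resource:
                findings.append(f"resource {resource} covers every cluster or database")
            if ":dbuser:" in resource and not resource.endswith("/${redshift:DbUser}"):
                findings.append(f"dbuser resource {resource} is not pinned to ${{redshift:DbUser}}")
        userid = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:userid")
        if userid is None:
            findings.append("no StringEquals aws:userid condition: any session of the role can fetch credentials")
    return findings


def userid_condition_matches(policy, role_unique_id, db_user, role_session_name):
    """Would the condition admit this federated session? Substitutes the DbUser
    claim into the policy value and compares it with the session's aws:userid."""
    target = expected_userid(role_unique_id, role_session_name)
    for stmt in get_credentials_statements(policy):
        userid = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:userid")
        for pattern in _as_list(userid or []):
            if pattern.replace("${redshift:DbUser}", db_user) == target:
                return True
    return False


if __name__ == "__main__":
    print("page policy findings:", audit_get_cluster_credentials(POLICY) or "none")
    print("weak policy findings:", audit_get_cluster_credentials(WEAK_POLICY))
    for session_name in ("johndoe@example.com", "johndoe"):
        ok = userid_condition_matches(POLICY, "AROAJ2UCCR6DPCEXAMPLE", "johndoe", session_name)
        print(f"RoleSessionName={session_name!r}: condition {'passes' if ok else 'fails'}")
```

The second check is the one that bites in practice: if the IdP sends RoleSessionName as a bare user name while the policy appends @example.com, every GetClusterCredentials call is denied even though the SAML login itself succeeded.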
To set up JDBC for authentication to Microsoft Azure AD
Configure your database client to connect to your cluster through JDBC using your Azure AD single sign-on.
You can use any client that uses a JDBC driver to connect using Azure AD single sign-on or use a language like Java to connect using a script. For installation and configuration information, see Configuring a connection for JDBC driver version 2.1 for Amazon Redshift.
For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.
jdbc:redshift:iam://cluster-identifier:us-west-1/dev
If you use SQLWorkbench/J as the client, take the following steps:
- Start SQL Workbench/J. On the Select Connection Profile page, add a Profile Group called AzureAuth.
- For Connection Profile, enter Azure.
- Choose Manage Drivers, and choose Amazon Redshift. Choose the Open Folder icon next to Library, then choose the appropriate JDBC .jar file.
- On the Select Connection Profile page, add information to the connection profile as follows:
  - For User, enter your Microsoft Azure user name. This is the user name of the Microsoft Azure account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
  - For Password, enter your Microsoft Azure password.
  - For Drivers, choose Amazon Redshift (com.amazon.redshift.jdbc.Driver).
  - For URL, enter jdbc:redshift:iam://your-cluster-identifier:your-cluster-region/your-database-name
- Choose Extended Properties to add additional information to the connection properties, as described following.
  For Azure AD single sign-on configuration, add additional information as follows:
  - For plugin_name, enter com.amazon.redshift.plugin.AzureCredentialsProvider. This value tells the driver to use Azure AD single sign-on as the authentication method.
  - For idp_tenant, enter your-idp-tenant. Used only for Microsoft Azure AD. This is the tenant name of your company configured on Azure AD. This value can either be the tenant name or the tenant unique ID with hyphens.
  - For client_secret, enter your-azure-redshift-application-client-secret. Used only for Microsoft Azure AD. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. This is only applicable to the com.amazon.redshift.plugin.AzureCredentialsProvider plugin.
  - For client_id, enter your-azure-redshift-application-client-id. Used only for Microsoft Azure AD. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration.
  For Azure AD single sign-on with MFA configuration, add additional information to the connection properties as follows:
  - For plugin_name, enter com.amazon.redshift.plugin.BrowserAzureCredentialsProvider. This value tells the driver to use Azure AD single sign-on with MFA as the authentication method.
  - For idp_tenant, enter your-idp-tenant. Used only for Microsoft Azure AD. This is the tenant name of your company configured on Azure AD. This value can either be the tenant name or the tenant unique ID with hyphens.
  - For client_id, enter your-azure-redshift-application-client-id. This option is used only for Microsoft Azure AD. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure AD single sign-on with MFA configuration.
  - For listen_port, enter your-listen-port. This is the port that the local server is listening on. The default is 7890.
  - For idp_response_timeout, enter the-number-of-seconds. This is the number of seconds to wait before timing out when the IdP server sends back a response. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted.
To set up ODBC for authentication to Microsoft Azure AD
Configure your database client to connect to your cluster through ODBC using your Azure AD single sign-on.
Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool.
Also install and configure the latest Amazon Redshift ODBC driver for your operating system as follows:
- For Windows, see Install and configure the Amazon Redshift ODBC driver on Microsoft Windows.
- For macOS, see Install the Amazon Redshift ODBC driver on macOS X.
- For Linux, see Install the Amazon Redshift ODBC driver on Linux.
On Windows, in the Amazon Redshift ODBC Driver DSN Setup page, under Connection Settings, enter the following information:
- For Data Source Name, enter your-DSN. This specifies the data source name used as the ODBC profile name.
- For Auth type for Azure AD single sign-on configuration, choose Identity Provider: Azure AD. This is the authentication method that the ODBC driver uses to authenticate using Azure single sign-on.
- For Auth type for Azure AD single sign-on with MFA configuration, choose Identity Provider: Browser Azure AD. This is the authentication method that the ODBC driver uses to authenticate using Azure single sign-on with MFA.
- For Cluster ID, enter your-cluster-identifier.
- For Region, enter your-cluster-region.
- For Database, enter your-database-name.
- For User, enter your-azure-username. This is the user name for the Microsoft Azure account that you are using for single sign-on that has permission to the cluster that you're trying to authenticate using. Use this only when Auth Type is Identity Provider: Azure AD.
- For Password, enter your-azure-password. Use this only when Auth Type is Identity Provider: Azure AD.
- For IdP Tenant, enter your-idp-tenant. This is the tenant name of your company configured on your IdP (Azure). This value can either be the tenant name or the tenant unique ID with hyphens.
- For Azure Client Secret, enter your-azure-redshift-application-client-secret. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration.
- For Azure Client ID, enter your-azure-redshift-application-client-id. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration.
- For Listen Port, enter your-listen-port. This is the port that the local server is listening on. The default is 7890. This applies only to the Browser Azure AD plugin.
- For Response Timeout, enter the-number-of-seconds. This is the number of seconds to wait before timing out when the IdP server sends back a response. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted. This option applies only to the Browser Azure AD plugin.
On macOS and Linux, edit the odbc.ini file as follows:
Note
All entries are case-insensitive.
- For clusterid, enter your-cluster-identifier. This is the name of the created Amazon Redshift cluster.
- For region, enter your-cluster-region. This is the AWS Region of the created Amazon Redshift cluster.
- For database, enter your-database-name. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
- For locale, enter en-us. This is the language that error messages display in.
- For iam, enter 1. This value tells the driver to authenticate using IAM credentials.
- For plugin_name for Azure AD single sign-on configuration, enter AzureAD. This tells the driver to use Azure single sign-on as the authentication method.
- For plugin_name for Azure AD single sign-on with MFA configuration, enter BrowserAzureAD. This tells the driver to use Azure single sign-on with MFA as the authentication method.
- For uid, enter your-azure-username. This is the user name of the Microsoft Azure account you are using for single sign-on that has permission to the cluster you are trying to authenticate against. Use this only when plugin_name is AzureAD.
- For pwd, enter your-azure-password. Use this only when plugin_name is AzureAD.
- For idp_tenant, enter your-idp-tenant. This is the tenant name of your company configured on your IdP (Azure). This value can either be the tenant name or the tenant unique ID with hyphens.
- For client_secret, enter your-azure-redshift-application-client-secret. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration.
- For client_id, enter your-azure-redshift-application-client-id. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration.
- For listen_port, enter your-listen-port. This is the port that the local server is listening on. The default is 7890. This applies to the Browser Azure AD plugin.
- For idp_response_timeout, enter the-number-of-seconds. This is the period of time in seconds to wait for a response from Azure. This option applies to the Browser Azure AD plugin.
On macOS and Linux, also edit the profile settings to add the following exports.
```bash
export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
```
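The following is an added example, not the ODBC driver's own code, that reads an odbc.ini DSN of the shape described above and reports what is missing or unsafe for the plugin it names: the common keys and iam=1, the keys each Azure AD plugin needs, uid/pwd present with the Browser plugin (the page limits them to AzureAD), a password stored in the file (the page recommends letting the SQL client supply it), and the listen_port and idp_response_timeout limits. Keys are handled case-insensitively, as the note above says. The sample odbc.ini is constructed; its "your-..." values are the page's placeholders, and the choice of which keys count as required for each plugin is this example's reading of the list above.

```python
import configparser

# Constructed odbc.ini with two DSNs of the shape the page describes. Mixed-case
# keys exercise the note that all entries are case-insensitive; "your-..."
# values are placeholders exactly as on the page.
SAMPLE_ODBC_INI = """\
[redshift-azure-mfa]
ClusterID=your-cluster-identifier
Region=your-cluster-region
Database=your-database-name
locale=en-us
IAM=1
Plugin_Name=BrowserAzureAD
idp_tenant=your-idp-tenant
client_id=your-azure-redshift-application-client-id
listen_port=7890
idp_response_timeout=10

[redshift-azure-password]
clusterid=your-cluster-identifier
region=your-cluster-region
database=your-database-name
iam=1
plugin_name=AzureAD
idp_tenant=your-idp-tenant
client_id=your-azure-redshift-application-client-id
uid=your-azure-username
pwd=your-azure-password
idp_response_timeout=5
"""

COMMON_KEYS = ("clusterid", "region", "database")
# Keys each plugin needs beyond the common ones (this example's reading of the page's list).
PLUGIN_KEYS = {
    "azuread": ("idp_tenant", "client_id", "client_secret", "uid"),
    "browserazuread": ("idp_tenant", "client_id"),
}
DEFAULT_LISTEN_PORT = 7890
MIN_RESPONSE_TIMEOUT = 10


def read_dsn(ini_text, dsn_name):
    """Return the DSN's options with lower-cased keys. configparser lower-cases
    option names by default, which matches the page's case-insensitivity note."""
    parser = configparser.RawConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section(dsn_name):
        raise KeyError(f"DSN {dsn_name!r} not found")
    return dict(parser.items(dsn_name))


def _int_option(opts, key, default, findings):
    """Parse an integer option, recording a finding instead of raising on garbage."""
    try:
        return int(opts.get(key, default))
    except ValueError:
        findings.append(f"{key} must be an integer, got {opts[key]!r}")
        return default


def check_dsn(ini_text, dsn_name):
    """List what is missing or unsafe in the DSN for the plugin it names; [] is clean."""
    opts = read_dsn(ini_text, dsn_name)
    findings = [f"missing {key}" for key in COMMON_KEYS if key not in opts]
    if opts.get("iam") != "1":
        findings.append("iam must be 1 to authenticate with IAM credentials")
    plugin = opts.get("plugin_name", "").lower()  # compare plugin names case-insensitively too
    if not plugin:
        findings.append("plugin_name not set, so the plugin options are ignored")
        return findings
    if plugin not in PLUGIN_KEYS:
        findings.append(f"plugin_name {opts['plugin_name']!r} is not an Azure AD plugin covered here")
        return findings
    findings += [f"missing {key} (required for {opts['plugin_name']})"
                 for key in PLUGIN_KEYS[plugin] if key not in opts]
    if plugin == "azuread" and "pwd" in opts:
        findings.append("pwd stored in odbc.ini; let the SQL client supply the password instead")
    if plugin == "browserazuread":
        findings += [f"{key} is used only when plugin_name is AzureAD" for key in ("uid", "pwd") if key in opts]
        port = _int_option(opts, "listen_port", DEFAULT_LISTEN_PORT, findings)
        if not 1 <= port <= 65535:
            findings.append(f"listen_port {port} is not a valid TCP port")
        timeout = _int_option(opts, "idp_response_timeout", MIN_RESPONSE_TIMEOUT, findings)
        if timeout < MIN_RESPONSE_TIMEOUT:
            findings.append(f"idp_response_timeout must be at least {MIN_RESPONSE_TIMEOUT} seconds")
    return findings


if __name__ == "__main__":
    for dsn in ("redshift-azure-mfa", "redshift-azure-password"):
        print(dsn, "->", check_dsn(SAMPLE_ODBC_INI, dsn) or "clean")
```

Running this against the real file (the path set in ODBCINI above) before handing a DSN to users catches the two mistakes that otherwise surface only as a failed login: a plugin option that is silently ignored because plugin_name is absent, and a plaintext pwd left in a world-readable odbc.ini.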
To troubleshoot issues with the Browser Azure AD plugin
To use the Browser Azure AD plugin, you must set the reply URL specified in the request to match the reply URL configured for your application.
- Navigate to the Set up Single Sign-On with SAML page on the Microsoft Azure portal. Then check that the Reply URL is set to http://localhost/redshift/.
If you get an IdP tenant error, verify that the IdP Tenant name matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
- On Windows, navigate to the Connection Settings section of the Amazon Redshift ODBC DSN Setup page. Then check that the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
- On macOS and Linux, find the odbc.ini file. Then check that the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
If you get an error that the reply URL specified in the request does not match the reply URLs configured for your application, verify that the Redirect URIs match the reply URL.
- Navigate to the App registration page of your application on the Microsoft Azure portal. Then check that the Redirect URIs match the reply URL.
If you get the unexpected response: unauthorized error, verify that you completed the Mobile and desktop applications configuration.
- Navigate to the App registration page of your application on the Microsoft Azure portal. Then navigate to Authentication and check that you configured Mobile and desktop applications to use http://localhost/redshift/ as the redirect URI.
Setting up JDBC or ODBC Single Sign-on authentication with AD FS
You can use AD FS as an identity provider (IdP) to access your Amazon Redshift cluster. Following, you can find a procedure that describes how to set up a trust relationship for this purpose. For more information about configuring AWS as a service provider for AD FS, see Configuring Your SAML 2.0 IdP with Relying Party Trust and Adding Claims in the IAM User Guide.
To set up AD FS and your AWS account to trust each other
Create or use an existing Amazon Redshift cluster for your AD FS users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
-
Set up AD FS to control Amazon Redshift access on the Microsoft Management Console:
-
Choose ADFS 2.0, and then choose Add Relying Party Trust. On the Add Relying Party Trust Wizard page, choose Start.
-
On the Select Data Source page, choose Import data about the relying party published online or on a local network.
-
For Federation metadata address (host name or URL), enter
https://signin.aws.amazon.com/saml-metadata.xml
. The metadata XML file is a standard SAML metadata document that describes AWS as a relying party. -
On the Specify Display Name page, enter a value for Display name.
-
On the Choose Issuance Authorization Rules page, choose an issuance authorization rule to either permit or deny all users to access this relying party.
-
On the Ready to Add Trust page, review your settings.
-
On the Finish page, choose Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.
-
On the context (right-click) menu, choose Relying Party Trusts.
-
For your relying party, open the context (right-click) menu and choose Edit Claim Rules. On the Edit Claim Rules page, choose Add Rule.
-
For Claim rule template, choose Transform an Incoming Claim, and then on the Edit Rule – NameId page, do the following:
For Claim rule name, enter NameId.
For Incoming claim name, choose Windows Account Name.
For Outgoing claim name, choose Name ID.
For Outgoing name ID format, choose Persistent Identifier.
Choose Pass through all claim values.
-
On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send LDAP Attributes as Claims.
-
On the Configure Rule page, do the following:
For Claim rule name, enter RoleSessionName.
For Attribute store, choose Active Directory.
For LDAP Attribute, choose Email Addresses.
For Outgoing Claim Type, choose https://aws.amazon.com/SAML/Attributes/RoleSessionName.
-
On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send Claims Using a Custom Rule.
-
On the Edit Rule – Get AD Groups page, for Claim rule name, enter Get AD Groups.
-
For Custom rule, enter the following.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
-
On the Edit Claim Rules page, choose Add Rule. On the Select Rule Template page, for Claim rule template, choose Send Claims Using a Custom Rule.
-
On the Edit Rule – Roles page, for Claim rule name, type Roles.
-
For Custom rule, enter the following.
c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-"));
Note the ARNs of the SAML provider and of the role to assume. In this example, arn:aws:iam::123456789012:saml-provider/ADFS is the ARN of the SAML provider and arn:aws:iam::123456789012:role/ADFS- is the prefix of the role ARN; the rule completes it with the part of the AD group name that follows AWS-.
-
Make sure that you have downloaded the federationmetadata.xml file. Check that the document contents do not have invalid characters. This is the metadata file you use when configuring the trust relationship with AWS.
Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federationmetadata.xml file that you downloaded in the preceding step. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide. For an Azure AD example, see Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD.
To set up JDBC for authentication to AD FS
Configure your database client to connect to your cluster through JDBC using AD FS single sign-on.
You can use any client that uses a JDBC driver to connect using AD FS single sign-on or use a language like Java to connect using a script. For installation and configuration information, see Configuring a connection for JDBC driver version 2.1 for Amazon Redshift.
For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.
jdbc:redshift:iam://cluster-identifier:us-west-1/dev
If you use SQLWorkbench/J as the client, take the following steps:
-
Start SQL Workbench/J. In the Select Connection Profile page, add a Profile Group, for example ADFS.
-
For Connection Profile, enter your connection profile name, for example ADFS.
-
Choose Manage Drivers, and choose Amazon Redshift. Choose the Open Folder icon next to Library, then choose the appropriate JDBC .jar file.
-
On the Select Connection Profile page, add information to the connection profile as follows:
For User, enter your AD FS user name. This is the user name of the account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
For Password, enter your AD FS password.
For Drivers, choose Amazon Redshift (com.amazon.redshift.jdbc.Driver).
For URL, enter jdbc:redshift:iam://your-cluster-identifier:your-cluster-region/your-database-name.
-
Choose Extended Properties. For plugin_name, enter com.amazon.redshift.plugin.AdfsCredentialsProvider. This value tells the driver to use AD FS single sign-on as the authentication method.
-
To set up ODBC for authentication to AD FS
Configure your database client to connect to your cluster through ODBC using AD FS single sign-on.
Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool.
Also install and configure the latest Amazon Redshift ODBC driver for your operating system as follows:
For Windows, see Install and configure the Amazon Redshift ODBC driver on Microsoft Windows.
For macOS, see Install the Amazon Redshift ODBC driver on macOS X.
For Linux, see Install the Amazon Redshift ODBC driver on Linux.
On Windows, in the Amazon Redshift ODBC Driver DSN Setup page, under Connection Settings, enter the following information:
For Data Source Name, enter your-DSN. This specifies the data source name used as the ODBC profile name.
For Auth type, choose Identity Provider: SAML. This is the authentication method that the ODBC driver uses to authenticate using AD FS single sign-on.
For Cluster ID, enter your-cluster-identifier.
For Region, enter your-cluster-region.
For Database, enter your-database-name.
For User, enter your-adfs-username. This is the user name for the AD FS account that you are using for single sign-on that has permission to the cluster that you're trying to authenticate using. Use this only when Auth type is Identity Provider: SAML.
For Password, enter your-adfs-password. Use this only when Auth type is Identity Provider: SAML.
On macOS and Linux, edit the odbc.ini file as follows:
Note
All entries are case-insensitive.
For clusterid, enter your-cluster-identifier. This is the name of the created Amazon Redshift cluster.
For region, enter your-cluster-region. This is the AWS Region of the created Amazon Redshift cluster.
For database, enter your-database-name. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
For locale, enter en-us. This is the language that error messages display in.
For iam, enter 1. This value tells the driver to authenticate using IAM credentials.
For plugin_name, do one of the following:
-
For AD FS single sign-on with MFA configuration, enter BrowserSAML. This is the authentication method that the ODBC driver uses to authenticate to AD FS.
-
For AD FS single sign-on configuration, enter ADFS. This is the authentication method that the ODBC driver uses to authenticate using AD FS single sign-on.
For uid, enter your-adfs-username. This is the user name of the AD FS account that you are using for single sign-on that has permission to the cluster you are trying to authenticate against. Use this only when plugin_name is ADFS.
For pwd, enter your-adfs-password. Use this only when plugin_name is ADFS.
On macOS and Linux, also edit the profile settings to add the following exports.
export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
Setting up JDBC or ODBC single sign-on authentication with Ping Identity
You can use Ping Identity as an identity provider (IdP) to access your Amazon Redshift cluster. Following, you can find a procedure that describes how to set up a trust relationship for this purpose using the PingOne portal. For more information about configuring AWS as a service provider for Ping Identity, see Configuring Your SAML 2.0 IdP with Relying Party Trust and Adding Claims in the IAM User Guide.
To set up Ping Identity and your AWS account to trust each other
Create or use an existing Amazon Redshift cluster for your Ping Identity users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
Add Amazon Redshift as a new SAML application on the PingOne portal. For detailed steps, see the Ping Identity documentation. Go to My Applications.
Under Add Application, choose New SAML Application.
For Application Name, enter Amazon Redshift.
For Protocol Version, choose SAML v2.0.
For Category, choose your-application-category.
For Assertion Consumer Service (ACS), type your-redshift-local-host-url. This is the local host and port that the SAML assertion redirects to.
For Entity ID, enter urn:amazon:webservices.
For Signing, choose Sign Assertion.
In the SSO Attribute Mapping section, create the claims as shown in the following table.
Application attribute | Identity bridge attribute or literal value
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::123456789012:role/Ping,arn:aws:iam::123456789012:saml-provider/PingProvider
https://aws.amazon.com/SAML/Attributes/RoleSessionName | email
https://redshift.amazon.com/SAML/Attributes/AutoCreate | "true"
https://redshift.amazon.com/SAML/Attributes/DbUser | email
https://redshift.amazon.com/SAML/Attributes/DbGroups | memberOf (see the note that follows)
The groups in the “DbGroups” attributes contain the @directory prefix. To remove this, in Identity bridge, enter memberOf. In Function, choose ExtractByRegularExpression. In Expression, enter (.*)[\@](?:.*).
For Group Access, set up the following group access, if needed:
https://aws.amazon.com/SAML/Attributes/Role
https://aws.amazon.com/SAML/Attributes/RoleSessionName
https://redshift.amazon.com/SAML/Attributes/AutoCreate
https://redshift.amazon.com/SAML/Attributes/DbUser
Review your setup and make changes, if necessary.
Use the Initiate Single Sign-On (SSO) URL as the login URL for the Browser SAML plugin.
Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Ping Identity. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide. For an Azure AD example, see Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD.
To set up JDBC for authentication to Ping Identity
Configure your database client to connect to your cluster through JDBC using Ping Identity single sign-on.
You can use any client that uses a JDBC driver to connect using Ping Identity single sign-on or use a language like Java to connect using a script. For installation and configuration information, see Configuring a connection for JDBC driver version 2.1 for Amazon Redshift.
For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.
jdbc:redshift:iam://
cluster-identifier
:us-west-1
/dev
If you use SQLWorkbench/J as the client, take the following steps:
-
Start SQL Workbench/J. In the Select Connection Profile page, add a Profile Group, for example Ping.
-
For Connection Profile, enter your-connection-profile-name, for example Ping.
-
Choose Manage Drivers, and choose Amazon Redshift. Choose the Open Folder icon next to Library, then choose the appropriate JDBC .jar file.
-
On the Select Connection Profile page, add information to the connection profile as follows:
For User, enter your PingOne user name. This is the user name of the PingOne account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
For Password, enter your PingOne password.
For Drivers, choose Amazon Redshift (com.amazon.redshift.jdbc.Driver).
For URL, enter jdbc:redshift:iam://your-cluster-identifier:your-cluster-region/your-database-name.
-
Choose Extended Properties and do one of the following:
For login_url, enter your-ping-sso-login-url. This value specifies the URL that single sign-on uses to log in.
For Ping Identity, for plugin_name, enter com.amazon.redshift.plugin.PingCredentialsProvider. This value tells the driver to use Ping Identity single sign-on as the authentication method.
For Ping Identity with single sign-on, for plugin_name, enter com.amazon.redshift.plugin.BrowserSamlCredentialsProvider. This value tells the driver to use Ping Identity PingOne with single sign-on as the authentication method.
-
To set up ODBC for authentication to Ping Identity
Configure your database client to connect to your cluster through ODBC using Ping Identity PingOne single sign-on.
Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool.
Also install and configure the latest Amazon Redshift ODBC driver for your operating system as follows:
For Windows, see Install and configure the Amazon Redshift ODBC driver on Microsoft Windows.
For macOS, see Install the Amazon Redshift ODBC driver on macOS X.
For Linux, see Install the Amazon Redshift ODBC driver on Linux.
On Windows, in the Amazon Redshift ODBC Driver DSN Setup page, under Connection Settings, enter the following information:
For Data Source Name, enter your-DSN. This specifies the data source name used as the ODBC profile name.
For Auth type, do one of the following:
For Ping Identity configuration, choose Identity Provider: Ping Federate. This is the authentication method that the ODBC driver uses to authenticate using Ping Identity single sign-on.
For Ping Identity with single sign-on configuration, choose Identity Provider: Browser SAML. This is the authentication method that the ODBC driver uses to authenticate using Ping Identity with single sign-on.
For Cluster ID, enter your-cluster-identifier.
For Region, enter your-cluster-region.
For Database, enter your-database-name.
For User, enter your-ping-username. This is the user name for the PingOne account that you are using for single sign-on that has permission to the cluster that you're trying to authenticate using. Use this only when Auth type is Identity Provider: PingFederate.
For Password, enter your-ping-password. Use this only when Auth type is Identity Provider: PingFederate.
For Listen Port, enter your-listen-port. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin.
For Response Timeout, enter the-number-of-seconds. This is the number of seconds to wait for the IdP server to send back a response before timing out. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted. This applies only to the Browser SAML plugin.
For Login URL, enter your-login-url. This applies only to the Browser SAML plugin.
On macOS and Linux, edit the odbc.ini file as follows:
Note
All entries are case-insensitive.
For clusterid, enter your-cluster-identifier. This is the name of the created Amazon Redshift cluster.
For region, enter your-cluster-region. This is the AWS Region of the created Amazon Redshift cluster.
For database, enter your-database-name. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
For locale, enter en-us. This is the language that error messages display in.
For iam, enter 1. This value tells the driver to authenticate using IAM credentials.
For plugin_name, do one of the following:
-
For Ping Identity configuration, enter BrowserSAML. This is the authentication method that the ODBC driver uses to authenticate to Ping Identity.
-
For Ping Identity with single sign-on configuration, enter Ping. This is the authentication method that the ODBC driver uses to authenticate using Ping Identity with single sign-on.
For uid, enter your-ping-username. This is the user name of the PingOne account you are using for single sign-on that has permission to the cluster you are trying to authenticate against. Use this only when plugin_name is Ping.
For pwd, enter your-ping-password. Use this only when plugin_name is Ping.
For login_url, enter your-login-url. This is the Initiate single sign-on URL that returns the SAML response. This applies only to the Browser SAML plugin.
For idp_response_timeout, enter the-number-of-seconds. This is the period of time in seconds to wait for a response from PingOne. This applies only to the Browser SAML plugin.
For listen_port, enter your-listen-port. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin.
On macOS and Linux, also edit the profile settings to add the following exports.
export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
Setting up JDBC or ODBC Single Sign-on authentication with Okta
You can use Okta as an identity provider (IdP) to access your Amazon Redshift cluster. Following, you can find a procedure that describes how to set up a trust relationship for this purpose. For more information about configuring AWS as a service provider for Okta, see Configuring Your SAML 2.0 IdP with Relying Party Trust and Adding Claims in the IAM User Guide.
To set up Okta and your AWS account to trust each other
Create or use an existing Amazon Redshift cluster for your Okta users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see Creating a Cluster.
Add Amazon Redshift as a new application on the Okta portal. For detailed steps, see the Okta documentation. Choose Add Application.
Under Add Application, choose Create New App.
On the Create a New Application Integration page, for Platform, choose Web.
For Sign on method, choose SAML v2.0.
On the General Settings page, for App name, enter your-redshift-saml-sso-name. This is the name of your application.
On the SAML Settings page, for Single sign on URL, enter your-redshift-local-host-url. This is the local host and port that the SAML assertion redirects to, for example http://localhost:7890/redshift/.
Use the Single sign on URL value as the Recipient URL and Destination URL.
For Signing, choose Sign Assertion.
For Audience URI (SP Entity ID), enter urn:amazon:webservices.
In the Advanced Settings section, for SAML Issuer ID, enter your-Identity-Provider-Issuer-ID, which you can find in the View Setup Instructions section.
In the Attribute Statements section, create the claims as shown in the following table.
Claim name | Value
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::123456789012:role/Okta,arn:aws:iam::123456789012:saml-provider/Okta
https://aws.amazon.com/SAML/Attributes/RoleSessionName | user.email
https://redshift.amazon.com/SAML/Attributes/AutoCreate | "true"
https://redshift.amazon.com/SAML/Attributes/DbUser | user.email
In the App Embed Link section, find the URL that you can use as the login URL for the Browser SAML plugin.
Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Okta. For detailed steps, see Creating and Managing an IAM Identity Provider (Console) in the IAM User Guide.
Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see Creating a Role for SAML in the IAM User Guide.
Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see Creating IAM Policies (Console) in the IAM User Guide. For an Azure AD example, see Setting up JDBC or ODBC single sign-on authentication with Microsoft Azure AD.
To set up JDBC for authentication to Okta
Configure your database client to connect to your cluster through JDBC using Okta single sign-on.
You can use any client that uses a JDBC driver to connect using Okta single sign-on or use a language like Java to connect using a script. For installation and configuration information, see Configuring a connection for JDBC driver version 2.1 for Amazon Redshift.
For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.
jdbc:redshift:iam://
cluster-identifier
:us-west-1
/dev
If you use SQLWorkbench/J as the client, take the following steps:
-
Start SQL Workbench/J. In the Select Connection Profile page, add a Profile Group, for example Okta.
-
For Connection Profile, enter your-connection-profile-name, for example Okta.
-
Choose Manage Drivers, and choose Amazon Redshift. Choose the Open Folder icon next to Library, then choose the appropriate JDBC .jar file.
-
On the Select Connection Profile page, add information to the connection profile as follows:
For User, enter your Okta user name. This is the user name of the Okta account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
For Password, enter your Okta password.
For Drivers, choose Amazon Redshift (com.amazon.redshift.jdbc.Driver).
For URL, enter jdbc:redshift:iam://your-cluster-identifier:your-cluster-region/your-database-name.
-
Choose Extended Properties and do one of the following:
For login_url, enter your-okta-sso-login-url. This value specifies the URL that single sign-on uses to log in to Okta.
For Okta single sign-on, for plugin_name, enter com.amazon.redshift.plugin.OktaCredentialsProvider. This value tells the driver to use Okta single sign-on as the authentication method.
For Okta single sign-on with MFA, for plugin_name, enter com.amazon.redshift.plugin.BrowserSamlCredentialsProvider. This value tells the driver to use Okta single sign-on with MFA as the authentication method.
-
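The SQLWorkbench/J steps for AD FS, PingOne and Okta above all set the same driver properties (the IAM JDBC URL, plugin_name, and for the Browser SAML plugin login_url, listen_port and idp_response_timeout). The following is an added example, not code from the Amazon Redshift documentation, that does the same from Java and then checks which database user the assertion was mapped to. It assumes the JDBC driver 2.1 jar is on the class path, that these JDBC property names match the odbc.ini keys listed on this page, that idp_host is the driver option naming the AD FS server, and that the cluster, account and URL values are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public final class RedshiftSamlLogin {

    // Placeholder values: cluster identifier, AWS Region and database name.
    static final String JDBC_URL = "jdbc:redshift:iam://your-cluster-identifier:us-west-1/dev";

    // Password-based plugins: the driver itself sends the IdP user name and
    // password to the identity provider and receives the SAML assertion.
    static Properties passwordPlugin(String idp, String idpUser, char[] idpPassword, String idpEndpoint) {
        Properties p = new Properties();
        p.setProperty("UID", idpUser);                  // IdP account, not a Redshift database user
        p.setProperty("PWD", new String(idpPassword));
        switch (idp) {
            case "adfs":
                p.setProperty("plugin_name", "com.amazon.redshift.plugin.AdfsCredentialsProvider");
                p.setProperty("idp_host", idpEndpoint); // AD FS server host name (assumed option name)
                break;
            case "ping":
                p.setProperty("plugin_name", "com.amazon.redshift.plugin.PingCredentialsProvider");
                p.setProperty("login_url", idpEndpoint); // PingOne Initiate Single Sign-On URL
                break;
            case "okta":
                p.setProperty("plugin_name", "com.amazon.redshift.plugin.OktaCredentialsProvider");
                p.setProperty("login_url", idpEndpoint); // Okta App Embed Link
                break;
            default:
                throw new IllegalArgumentException("unknown IdP: " + idp);
        }
        return p;
    }

    // Browser SAML plugin (MFA flows): the login happens in the user's browser and
    // the assertion is posted to a local listener, so no IdP password reaches the driver.
    static Properties browserSamlPlugin(String loginUrl, int listenPort, int responseTimeoutSec) {
        if (responseTimeoutSec < 10) {
            throw new IllegalArgumentException("idp_response_timeout must be at least 10 seconds");
        }
        Properties p = new Properties();
        p.setProperty("plugin_name", "com.amazon.redshift.plugin.BrowserSamlCredentialsProvider");
        p.setProperty("login_url", loginUrl);
        p.setProperty("listen_port", Integer.toString(listenPort));  // page default: 7890
        p.setProperty("idp_response_timeout", Integer.toString(responseTimeoutSec));
        return p;
    }

    // Connect and return the database user the assertion's DbUser claim resolved to,
    // which is the quickest way to confirm the claim mapping did what you intended.
    static String connectedDbUser(Properties props) throws SQLException {
        try (Connection c = DriverManager.getConnection(JDBC_URL, props);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT current_user")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws SQLException {
        Properties props;
        if (args.length > 0 && args[0].equals("mfa")) {
            props = browserSamlPlugin("https://your-idp.example/sso/redshift", 7890, 30);
        } else {
            // Read the IdP password interactively (or from the environment when there is
            // no console) so it never sits in source, argv or shell history.
            String fromEnv = System.getenv("IDP_PASSWORD");
            char[] pwd = System.console() != null
                    ? System.console().readPassword("IdP password: ")
                    : (fromEnv == null ? new char[0] : fromEnv.toCharArray());
            props = passwordPlugin("okta", "alice@example.com", pwd,
                    "https://your-org.okta.com/app/your-app/your-app-id/sso/saml");
        }
        System.out.println("connected as database user: " + connectedDbUser(props));
    }
}
```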
To set up ODBC for authentication to Okta
Configure your database client to connect to your cluster through ODBC using Okta single sign-on.
Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool.
Also install and configure the latest Amazon Redshift ODBC driver for your operating system as follows:
For Windows, see Install and configure the Amazon Redshift ODBC driver on Microsoft Windows.
For macOS, see Install the Amazon Redshift ODBC driver on macOS X.
For Linux, see Install the Amazon Redshift ODBC driver on Linux.
On Windows, in the Amazon Redshift ODBC Driver DSN Setup page, under Connection Settings, enter the following information:
For Data Source Name, enter your-DSN. This specifies the data source name used as the ODBC profile name.
For Auth type, do one of the following:
For Okta single sign-on configuration, choose Identity Provider: Okta. This is the authentication method that the ODBC driver uses to authenticate using Okta single sign-on.
For Okta single sign-on with MFA configuration, choose Identity Provider: Browser SAML. This is the authentication method that the ODBC driver uses to authenticate using Okta single sign-on with MFA.
For Cluster ID, enter your-cluster-identifier.
For Region, enter your-cluster-region.
For Database, enter your-database-name.
For User, enter your-okta-username. This is the user name for the Okta account that you are using for single sign-on that has permission to the cluster that you're trying to authenticate using. Use this only when Auth type is Identity Provider: Okta.
For Password, enter your-okta-password. Use this only when Auth type is Identity Provider: Okta.
On macOS and Linux, edit the odbc.ini file as follows:
Note
All entries are case-insensitive.
For clusterid, enter your-cluster-identifier. This is the name of the created Amazon Redshift cluster.
For region, enter your-cluster-region. This is the AWS Region of the created Amazon Redshift cluster.
For database, enter your-database-name. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
For locale, enter en-us. This is the language that error messages display in.
For iam, enter 1. This value tells the driver to authenticate using IAM credentials.
For plugin_name, do one of the following:
-
For Okta single sign-on with MFA configuration, enter BrowserSAML. This is the authentication method that the ODBC driver uses to authenticate to Okta single sign-on with MFA.
-
For Okta single sign-on configuration, enter Okta. This is the authentication method that the ODBC driver uses to authenticate using Okta single sign-on.
For uid, enter your-okta-username. This is the user name of the Okta account you are using for single sign-on that has permission to the cluster you are trying to authenticate against. Use this only when plugin_name is Okta.
For pwd, enter your-okta-password. Use this only when plugin_name is Okta.
For login_url, enter your-login-url. This is the Initiate single sign-on URL that returns the SAML response. This applies only to the Browser SAML plugin.
For idp_response_timeout, enter the-number-of-seconds. This is the period of time in seconds to wait for a response from Okta. This applies only to the Browser SAML plugin.
For listen_port, enter your-listen-port. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin.
On macOS and Linux, also edit the profile settings to add the following exports.
export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini