Single sign-on with Amazon Redshift Serverless with Okta using Amazon Redshift Query Editor v2 and third-party SQL clients

June 2023: This post was reviewed and updated to support MFA setup instructions.

Amazon Redshift Serverless makes it easy to run and scale analytics in seconds without the need to set up and manage data warehouse clusters. With Redshift Serverless, users such as data analysts, developers, business professionals, and data scientists can get insights from data by simply loading and querying data in the data warehouse.

Customers use their preferred SQL clients to analyze their data in Redshift Serverless. They want to use an identity provider (IdP) or single sign-on (SSO) credentials to connect to Redshift Serverless to reuse existing using credentials and avoid additional user setup and configuration. When you use AWS Identity and Access Management (IAM) or IdP-based credentials to connect to a serverless data warehouse, Amazon Redshift automatically creates a database user for the end-user. You can simplify managing user privileges by using role-based access control. Admins can use a database-role mapping for SSO with the IAM roles that users are assigned to get their database privileges automatically. With this integration, organizations can simplify user management because they no longer need to create users and map them to database roles manually. You can define the mapped database roles as a principal tag for the IdP groups or IAM role, so Amazon Redshift database roles and users who are members of those IdP groups are granted to the database roles automatically.

In this post, we focus on Okta as the IdP and provide step-by-step guidance to integrate Redshift Serverless with Okta using the Amazon Redshift Query Editor V2 and with SQL clients like SQL Workbench/J. You can use this mechanism with other IdP providers such as Azure Active Directory or Ping with any applications or tools using Amazon’s JDBC/ODBC/Python driver.

Solution overview

The following diagram illustrates the authentication flow of Okta with Redshift Serverless using federated IAM roles and automatic database-role mapping.

The workflow contains the following steps:

1. Either the user chooses an IdP app in their browser, or the SQL client initiates a user authentication request to the IdP (Okta).
2. Upon a successful authentication, Okta submits a request to the AWS federation endpoint with a SAML assertion containing the PrincipalTags.
3. The AWS federation endpoint validates the SAML assertion and invokes the AWS Security Token Service (AWS STS) API AssumeRoleWithSAML. The SAML assertion contains the IdP user and group information that is stored in the RedshiftDbUser and RedshiftDbRoles principal tags, respectively. Temporary IAM credentials are returned to the SQL client or, if using the Query Editor v2, the user’s browser is redirected to the Query Editor v2 console using the temporary IAM credentials.
4. The temporary IAM credentials are used by the SQL client or Query Editor v2 to call the Redshift Serverless GetCredentials API. The API uses the principal tags to determine the user and database roles that the user belongs to. An associated database user is created if the user is signing in for the first time and is granted the matching database roles automatically. A temporary password is returned to the SQL client.
5. Using the database user and temporary password, the SQL client or Query Editor v2 connects to Redshift Serverless. Upon login, the user is authorized based on the Amazon Redshift database roles that were assigned in Step 4.

To set up the solution, we complete the following steps:

1. Set up your Okta application:
   • Create Okta users.
   • Create groups and assign groups to users.
   • Create the Okta SAML application.
   • Collect Okta information.
2. Set up AWS configuration:
   • Create the IAM IdP.
   • Create the IAM role and policy.
3. Configure Redshift Serverless role-based access.
4. Federate to Redshift Serverless using the Query Editor V2.
5. Configure the SQL client (for this post, we use SQL Workbench/J).
6. Optionally, implement MFA with SQL Client and Query Editor V2.

Prerequisites

You need the following prerequisites to set up this solution:

• An AWS account. If you don’t have one, you can sign up for one.
• An Redshift Serverless data warehouse. For setup instructions, see Getting started with Amazon Redshift Serverless.
• The latest Redshift Serverless JDBC SDK driver-dependent libraries (download the libraries and unzip the JDBC JAR zipped folder).
• An Okta account that has an active subscription. You need an admin role to set up the application on Okta. If you’re new to Okta, you can sign up for a free trial or sign up for a developer account.
• A SQL client such as SQL Workbench/J.

Set up Okta application

In this section, we provide the steps to configure your Okta application.

Create Okta users

To create your Okta users, complete the following steps:

1. Sign in to your Okta organization as a user with administrative privileges.
2. On the admin console, under Directory in the navigation pane, choose People.
3. Choose Add person.
4. For First Name, enter the user’s first name.
5. For Last Name, enter the user’s last name.
6. For Username, enter the user’s user name in email format.
7. Select I will set password and enter a password.
8. Optionally, deselect User must change password on first login if you don’t want the user to change their password when they first sign in. Choose Save.

Create groups and assign groups to users

To create your groups and assign them to users, complete the following steps:

1. Sign in to your Okta organization as a user with administrative privileges.
2. On the admin console, under Directory in the navigation pane, choose Groups.
3. Choose Add group.
4. Enter a group name and choose Save.
5. Choose the recently created group and then choose Assign people.
6. Choose the plus sign and then choose Done.
7. Repeat Steps 1–6 to add more groups.

In this post, we create two groups: sales and finance.

Create an Okta SAML application

To create your Okta SAML application, complete the following steps:

1. Sign in to your Okta organization as a user with administrative privileges.
2. On the admin console, under Applications in the navigation pane, choose Applications.
3. Choose Create App Integration.
4. Select SAML 2.0 as the sign-in method and choose Next.
5. Enter a name for your app integration (for example, redshift_app) and choose Next.
6. Enter following values in the app and leave the rest as is:
   • For Single Sign On URL, enter https://signin.aws.amazon.com/saml.
   • For Audience URI (SP Entity ID), enter urn:amazon:webservices.
   • For Name ID format, enter EmailAddress.
7. Choose Next.
8. Choose I’m an Okta customer adding an internal app followed by This is an internal app that we have created.
9. Choose Finish.
10. Choose Assignments and then choose Assign.
11. Choose Assign to groups and then select Assign next to the groups that you want to add.
12. Choose Done.

Set up Okta advanced configuration

After you create the custom SAML app, complete the following steps:

1. On the admin console, navigate to General and choose Edit under SAML settings.
2. Choose Next.
3. Set Default Relay State to the Query Editor V2 URL, using the format https://<region>.console.aws.amazon.com/sqlworkbench/home. For this post, we use https://us-west-2.console.aws.amazon.com/sqlworkbench/home.
4. Under Attribute Statements (optional), add the following properties:
   • Provide the IAM role and IdP in comma-separated format using the Role attribute. You’ll create this same IAM role and IdP in a later step when setting up AWS configuration.
   • Set user.login for RoleSessionName. This is used as an identifier for the temporary credentials that are issued when the role is assumed.
   • Set the DB roles using PrincipalTag:RedshiftDbRoles. This uses the Okta groups to fill the principal tags and map them automatically with the Amazon Redshift database roles. Its value must be a colon-separated list in the format role1:role2.
   • Set user.login for PrincipalTag:RedshiftDbUser. This uses the user name in the directory. This is a required tag and defines the database user that is used by Query Editor V2.
   • Set the transitive keys using TransitiveTagKeys. This prevents users from changing the session tags in case of role chaining.

The preceding tags are forwarded to the GetCredentials API to get temporary credentials for your Redshift Serverless instance and map automatically with Amazon Redshift database roles. The following table summarizes their attribute statements configuration.

5. After you add the attribute claims, choose Next followed by Finish.

Your attributes should be in similar format as shown in the following screenshot.

Collect Okta information

To gather your Okta information, complete the following steps:

1. On the Sign On tab, choose View SAML setup instructions.
   
2. For Identity Provider Single Sign-on URL, Use this URL when connecting with any third-party SQL client such as SQL Workbench/J.
3. Use the IdP metadata in block 4 and save the metadata file in .xml format (for example, metadata.xml).

Set up AWS configuration

In this section, we provide the steps to configure your IAM resources.

Create the IAM IdP

To create your IAM IdP, complete the following steps:

1. On the IAM console, under Access management in the navigation pane, choose Identity providers.
2. Choose Add provider.
3. For Provider type¸ select SAML.
4. For Provider name¸ enter a name.
5. Choose Choose file and upload the metadata file (.xml) you downloaded earlier.
6. Choose Add provider.

Create the IAM Amazon Redshift access policy

To create your IAM policy, complete the following steps:

1. On the IAM console, choose Policies.
2. Choose Create policy.
3. On the Create policy page, choose the JSON tab.
4. For the policy, enter the JSON in following format:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "redshift-serverless:GetCredentials",
               "Resource": "<Workgroup ARN>"
           },
           {
               "Sid": "VisualEditor1",
               "Effect": "Allow",
               "Action": "redshift-serverless:ListWorkgroups",
               "Resource": "*"
           }
       ]
   }

The workgroup ARN is available on the Redshift Serverless workgroup configuration page.

The following example policy includes only a single Redshift Serverless workgroup; you can modify the policy to include multiple workgroups in the Resource section:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "redshift-serverless:GetCredentials",
            "Resource": "arn:aws:redshift-serverless:us-west-2:123456789012:workgroup/4a4f12vc-123b-2d99-fd34-a12345a1e87f"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "redshift-serverless:ListWorkgroups",
            "Resource": "*"
        }
    ]
}

5. Choose Next: Tags.
6. Choose Next: Review.
7. In the Review policy section, for Name, enter the name of your policy; for example, OktaRedshiftPolicy.
8. For Description, you can optionally enter a brief description of what the policy does.
9. Choose Create policy.

Create the IAM role

To create your IAM role, complete the following steps:

1. On the IAM console, choose Roles in the navigation pane.
2. Choose Create role.
3. For Trusted entity type, select SAML 2.0 federation.
4. For SAML 2.0-based provider, choose the IdP you created earlier.
5. Select Allow programmatic and AWS Management Console access.
6. Choose Next.
7. Choose the policy you created earlier.
8. Also, add the policy AmazonRedshiftQueryEditorV2ReadSharing.
9. Choose Next.
10. In the Review section, for Role Name, enter the name of your role; for example, oktarole.
11. For Description, you can optionally enter a brief description of what the role does.
12. Choose Create role.
13. Navigate to the role that you just created and choose Trust Relationships.
14. Choose Edit trust policy and choose TagSession under Add actions for STS.

When using session tags, trust policies for all roles connected to the IdP passing tags must have the sts:TagSession permission. For roles without this permission in the trust policy, the AssumeRole operation fails.

15. Choose Update policy.

The following screenshot shows the role permissions.

The following screenshot shows the trust relationships.

Update the advanced Okta Role Attribute

Complete the following steps:

1. Switch back to Okta.com.
2. Navigate to the application which you created earlier.
3. Navigate to General and click Edit under SAML settings.
4. Under Attribute Statements (optional), update the value for the attribute – https://aws.amazon.com/SAML/Attributes/Role, using the actual role and identity provider arn values from the above step. For example, arn:aws:iam::123456789012:role/oktarole,arn:aws:iam::123456789012:saml-provider/oktaidp.

Configure Redshift Serverless role-based access

In this step, we create database roles in Amazon Redshift based on the groups that you created in Okta. Make sure the role name matches with the Okta Group name.

Amazon Redshift roles simplify managing privileges required for your end-users. In this post, we create two database roles, sales and finance, and grant them access to query tables with sales and finance data, respectively. You can download this sample SQL Notebook and import into Redshift Query Editor v2 to run all cells in the notebook used in this example. Alternatively, you can copy and enter the SQL into your SQL client.

The following is the syntax to create a role in Redshift Serverless:

create role <IdP groupname>;

For example:

create role sales;
create role finance;

Create the sales and finance database schema:

create schema sales_schema;
create schema finance_schema;

Create the tables:

CREATE TABLE IF NOT EXISTS finance_schema.revenue
(
account INTEGER   ENCODE az64
,customer VARCHAR(20)   ENCODE lzo
,salesamt NUMERIC(18,0)   ENCODE az64
)
DISTSTYLE AUTO
;

insert into finance_schema.revenue values (10001, 'ABC Company', 12000);
insert into finance_schema.revenue values (10002, 'Tech Logistics', 175400);
insert into finance_schema.revenue values (10003, 'XYZ Industry', 24355);
insert into finance_schema.revenue values (10004, 'The tax experts', 186577);

CREATE TABLE IF NOT EXISTS sales_schema.store_sales
(
ID INTEGER   ENCODE az64,
Product varchar(20),
Sales_Amount INTEGER   ENCODE az64
)
DISTSTYLE AUTO
;

Insert into sales_schema.store_sales values (1,'product1',1000);
Insert into sales_schema.store_sales values (2,'product2',2000);
Insert into sales_schema.store_sales values (3,'product3',3000);
Insert into sales_schema.store_sales values (4,'product4',4000);

The following is the syntax to grant permission to the Redshift Serverless role:

GRANT { { SELECT | INSERT | UPDATE | DELETE | DROP | REFERENCES } [,...]| ALL [ PRIVILEGES ] } ON { [ TABLE ] table_name [, ...] | ALL TABLES IN SCHEMA schema_name [, ...] } TO role <IdP groupname>;

Grant relevant permission to the role as per your requirements. In the following example, we grant full permission to the role sales on sales_schema and only select permission on finance_schema to the role finance:

grant usage on schema sales_schema to role sales;
grant select on all tables in schema sales_schema to role sales;

grant usage on schema finance_schema to role finance;
grant select on all tables in schema finance_schema to role finance;

Federate to Redshift Serverless using Query Editor V2

The RedshiftDbRoles principal tag and DBGroups are both mechanisms that can be used to integrate with an IdP. However, federating with the RedshiftDbRoles principal has some clear advantages when it comes to connecting with an IdP because it provides automatic mapping between IdP groups and Amazon Redshift database roles. Overall, RedshiftDbRoles is more flexible, easier to manage, and more secure, making it the better option for integrating Amazon Redshift with your IdP.

Now you’re ready to connect to Redshift Serverless using the Query Editor V2 and federated login:

1. Use the SSO URL you collected earlier and log in to your Okta account with your user credentials. For this demo, we log in with user Ethan.
2. In the Query Editor v2, choose your Redshift Serverless instance (right-click) and choose Create connection.
3. For Authentication, select Federated user.
4. For Database, enter the database name you want to connect to.
5. Choose Create Connection.

User Ethan will be able to access sales_schema tables. If Ethan tries to access the tables in finance_schema, he will get a permission denied error.

Configure the SQL client (SQL Workbench/J)

To set up SQL Workbench/J, complete the following steps:

1. Create a new connection in SQL Workbench/J and choose Redshift Serverless as the driver.
2. Choose Manage drivers and add all the files from the downloaded AWS JDBC driver pack .zip file (remember to unzip the .zip file).
3. For Username and Password, enter the values that you set in Okta.
   
4. Capture the values for app_id, app_name, and idp_host from the Okta app embed link, which can be found on the General tab of your application.
   
5. Set the following extended properties:
   • For app_id, enter the value from app embed link (for example, 0oa8p1o1RptSabT9abd0/avc8k7abc32lL4izh3b8).
   • For app_name, enter the value from app embed link (for example, dev-123456_redshift_app_2).
   • For idp_host, enter the value from app embed link (for example, dev-123456.okta.com).
   • For plugin_name, enter com.amazon.redshift.plugin.OktaCredentialsProvider. The following screenshot shows the SQL Workbench/J extended properties.
     
     6. Choose OK.
     7. Choose Test from SQL Workbench/J to test the connection.
     8. When the connection is successful, choose OK.
     9. Choose OK to sign in with the users created.

User Ethan will be able to access the sales_schema tables. If Ethan tries to access the tables in the finance_schema, he will get a permission denied error.

Congratulations! You have federated with Redshift Serverless and Okta with SQL Workbench/J using RedshiftDbRoles.

[Optional] Implement MFA with SQL Client and Query Editor V2

Implementing MFA poses an additional challenge because the nature of multi-factor authentication is an asynchronous process between initiating the login (the first factor) and completing the login (the second factor). The SAML response will be returned to the appropriate listener in each scenario; the SQL Client or the AWS console in the case of QEV2. Depending on which login options you will be giving your users, you may need an additional Okta application. See below for the different scenarios:

1. If you are ONLY using QEV2 and not using any other SQL client, then you can use MFA with Query Editor V2 with the above application. There are no changes required in the custom SAML application which we have created above.
2. If you are NOT using QEV2 and only using third party SQL client (SQL Workbench/J etc), then you need to modify the above custom SAML app as mentioned below.
3. If you want to use QEV2 and third-party SQL Client with MFA, then you need create an additional custom SAML app as mentioned below.

Prerequisites for MFA

Each identity provider (IdP) has step for enabling and managing MFA for your users. In the case of Okta, see the following guides on how to enable MFA using the Okta Verify application and by defining an authentication policy.

• Add Okta Verify as an authenticator
• Create an authentication policy
• Add an authentication policy rule

Steps to create/update SAML application which supports MFA for a SQL Client

1. If creating a second app, follow all the steps which are described under section 1 (Create an Okta SAML application). In this blog post, we are creating second app as redshift_mfa_app.
2. Open the custom SAML app and select General.
3. Select Edit under SAML settings
4. Click Next in General Settings
5. Under General, update the Single sign-on URL to http://localhost:7890/redshift/
6. Select Next followed by Finish.

Below is the screenshot from the MFA App after making above changes:

7. Create AWS new Identity Provider and new IAM Role and follow all the steps which are described under section 2 (Set up AWS configuration). Please provide a new role name and IdP name for MFA based application.

Update IAM Trust Relationship

1. To access Redshift via 3rd party tools using MFA, use the audience value as http://localhost:7890/redshift/ .
2. Navigate to the IAM role created for MFA and select Trust relationships.
3. Edit trust policy and replace the audience value under Condition as shown below.
   (Put below policy in code block)

"Condition": {
                "StringEquals": {
                    "SAML:aud": 
                        "http://localhost:7890/redshift/"
                    ]
                }
            }

Configure SQL Client for MFA

To set up SQL Workbench/J, complete the following steps:

1. Follow all the steps which are described under (Configure the SQL client (SQL Workbench/J))
2. Modify your connection updating the extended properties:
   • login_url – Get the Single Sign-on URL as shown in section -Collect Okta information. (For example, https://dev-123456.okta.com/app/dev-123456_redshiftapp_2/abc8p6o5psS6xUhBJ517/sso/saml)
   • plugin_name – com.amazon.redshift.plugin.BrowserSamlCredentialsProvider
     
3. Choose OK
4. Choose OK from SQL Workbench/J. You’re redirected to the browser to sign in with your Okta credentials.
5. After that, you will get prompt for MFA. Choose either Enter a code or Get a push notification.
   
6. Once authentication is successful, log in to be redirected to a page showing the connection as successful.
   
7. With this connection profile, run the following query to return federated user name.
   

Troubleshooting

If your connection didn’t work, consider the following:

• Enable logging in the driver. For instructions, see Configure logging.
• Make sure to use the latest Amazon Redshift JDBC driver version.
• If you’re getting errors while setting up the application on Okta, make sure you have admin access.
• If you can authenticate via the SQL client but get a permission issue or can’t see objects, grant the relevant permission to the role, as detailed earlier in this post.

Clean up

When you’re done testing the solution, clean up the resources to avoid incurring future charges:

1. Delete the Redshift Serverless instance by deleting both the workgroup and the namespace.
2. Delete the IAM roles, IAM IdPs, and IAM policies.

Conclusion

In this post, we provided step-by-step instructions to integrate Redshift Serverless with Okta using the Amazon Redshift Query Editor V2 and SQL Workbench/J with the help of federated IAM roles and automatic database-role mapping. You can use a similar setup with any other SQL client (such as DBeaver or DataGrip) or business intelligence tool (such as Tableau Desktop). We also showed how Okta group membership is mapped automatically with Redshift Serverless roles to use role-based authentication seamlessly.

For more information about Redshift Serverless single sign-on using database roles, see Defining database roles to grant to federated users in Amazon Redshift Serverless.

About the Authors

Maneesh Sharma is a Senior Database Engineer at AWS with more than a decade of experience designing and implementing large-scale data warehouse and analytics solutions. He collaborates with various Amazon Redshift Partners and customers to drive better integration.

Debu Panda is a Senior Manager, Product Management at AWS. He is an industry leader in analytics, application platform, and database technologies, and has more than 25 years of experience in the IT world.

Mohamed Shaaban is a Senior Software Engineer in Amazon Redshift and is based in Berlin, Germany. He has over 12 years of experience in the software engineering. He is passionate about cloud services and building solutions that delight customers. Outside of work, he is an amateur photographer who loves to explore and capture unique moments.

Rajiv Gupta is Sr. Manager of Analytics Specialist Solutions Architects based out of Irvine, CA. He has 20+ years of experience building and managing teams who build data warehouse and business intelligence solutions.

Amol Mhatre is a Database Engineer in Amazon Redshift and works on Customer & Partner engagements. Prior to Amazon, he has worked on multiple projects involving Database & ERP implementations.

Ning Di is a Software Development Engineer at Amazon Redshift, driven by a genuine passion for exploring all aspects of technology.

Harsha Kesapragada is a Software Development Engineer for Amazon Redshift with a passion to build scalable and secure systems. In the past few years, he has been working on Redshift Datasharing, Security and Redshift Serverless.