Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials.
Read this article to learn how to configure the Amazon Redshift connector.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher, or the SSO add-on feature.
- AWS Admin account (AWS root user)
- AWS organization
Important Considerations
- This connector supports additional Constant Attributes that are sent in the assertion. For example, Amazon supports SessionDuration to allow sessions of up to 12 hours before logout. By default, the connector template contains this attribute: the Name is https://aws.amazon.com/SAML/Attributes/SessionDuration and the Value, in seconds, must be between 15 minutes and 12 hours; e.g., for 15 minutes, enter a value of 900.
Additional Considerations
Before you begin to set up SSO with Amazon Redshift, decide on names for the resources involved in setup. All names need to be lowercase.
- In JumpCloud, you should have names for:
  - Users who need access to Redshift. Usernames need to be all lowercase.
  - A User Group. The user group name in JumpCloud needs to match the DB Group Name in Redshift.
- In AWS, prepare a name for:
  - The IAM IdP Name.
- In Redshift, plan names for:
  - The Cluster Name.
  - The DB Name.
  - A master user name (for example, some_admin).
  - A master user password. Save these credentials: you need them to log in to the database directly to set up the DB group.
  - A DB Group Name. The DB Group Name needs to match the JumpCloud User Group name.
Learn more about the AWS side of this process.
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
Configuring the SSO Integration
To configure JumpCloud 1
Create a Group of Users
- Log in to the JumpCloud Admin Portal.
- Select Groups.
- Click (+).
- In the Details tab, enter a name for the user group. It needs to match the Redshift DB group name.
- Select the Users tab to add users to the group.
- Click save and keep the Admin Portal open.
Set Up the SAML Application
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- Add or change any attributes.
- In the User Groups tab, select the User Group you created in the previous section.
- Click save.
Download the JumpCloud metadata file
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click Export Metadata.
- The JumpCloud-<applicationname>-metadata.xml will be exported to your local Downloads folder.
Metadata can also be downloaded from the Configured Applications list. Search for and select the application in the list and then click Export Metadata in the top right corner of the window.
To configure AWS 1
- Log in to the Amazon Web Services console for your organization as an administrator.
- In the main console, go to All Services, under Security, Identity & Compliance select IAM.
- On the left hand side nav, select Identity Providers.
- Select Create Provider.
- In Provider Type, select SAML.
- For Provider Name, enter a name of your choice.
- Select Choose File, then upload the metadata file you downloaded from JumpCloud.
- Select Next Step.
- On the next screen, select Create.
- Select the identity provider you created in steps 5-6.
- Download the metadata XML file to the local machine.
To configure JumpCloud 2
- In the JumpCloud Admin Portal, open the AWS Redshift SSO connector you configured.
- For Service Provider Metadata File, upload the file you downloaded from AWS.
- Click save.
To configure AWS 2
Create a Security Group
- Go to the AWS management console.
- In the main console, go to All Services, under Compute, select EC2.
- In the left hand navigation, under Network & Security, select Security Groups.
- Click Create security group.
- For Security group name, enter a name of your choice.
- Under Inbound rules, click Add rule.
- For Type, select Redshift.
- For source, enter the internal IP of the VPN you’re connected to, or its subnet address.
- Skip Outbound rules and Tags, then click Create security group.
Create an Access Policy
- In the AWS Management console, click Services, then select IAM under Security, Identity, & Compliance.
- Under Access Management on the left-hand side, select Policies.
- Click Create policy.
- Select the JSON tab, and overwrite it with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetClusterCreds",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster/${redshift:DbUser}",
        "arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbname:testcluster/testdb"
      ]
    },
    {
      "Sid": "AllowCreateClusterUser",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster/${redshift:DbUser}"
    },
    {
      "Sid": "AllowJoinGroup",
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbgroup:testcluster/redshift_dbgroup"
    }
  ]
}
Make sure to replace ACCOUNT_NUMBER with your AWS account number. See Prerequisites on where to find this. Replace REGION with the region that the Redshift cluster is being deployed in or already exists in. The names testcluster, testdb and redshift_dbgroup are example values: use the cluster name, DB name and DB Group Name you chose in Additional Considerations, and keep the policy scoped to that one cluster rather than widening any Resource to "*".
- Click Review policy.
- For name, enter the name of your choice.
- Click, Create policy.
Create a Role
- In the AWS Management console, click Services, then select IAM under Security, Identity, & Compliance.
- Under Access Management on the left-hand side, select Roles.
- Click Create role.
- For Select type of trust entity, select SAML 2.0 federation.
- In SAML provider, select the identity provider you created in Configure AWS 1.
- Choose Allow programmatic access only.
- For Attribute, select SAML:aud.
- For Value, enter http://localhost:7890/redshift/. The resulting Trusted Entity should look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_NUMBER:saml-provider/redshift-sso"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "http://localhost:7890/redshift/"
        }
      }
    }
  ]
}
- Click Next: Permissions.
- Attach the policy you created in Create an Access Policy.
- Select Next: Review.
- Define a Role Name.
- Select Create role.
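The access policy and the role trust policy above are the two places where a copy-and-paste slip silently widens access: an unreplaced REGION or ACCOUNT_NUMBER placeholder, a Resource of "*", a missing SAML:aud condition, or a dbgroup name that does not match the JumpCloud user group. The following Python script is an added example, not part of this article and not JumpCloud or AWS tooling; it checks both documents for exactly those points. The account number, region, cluster, database and group names in it are constructed sample values, while the redshift-sso provider name and the http://localhost:7890/redshift/ audience are the example values this article uses.

```python
import copy
import re

# Constructed sample values for this example; none of them come from a real account.
ACCOUNT, REGION = "111122223333", "us-east-1"
CLUSTER, DBNAME, JC_GROUP = "testcluster", "testdb", "redshift_dbgroup"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/redshift-sso"
EXPECTED_AUD = "http://localhost:7890/redshift/"  # the SAML:aud value the article uses
ARN_RE = re.compile(
    r"^arn:aws:redshift:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<rtype>dbuser|dbname|dbgroup):(?P<cluster>[^/]+)/(?P<name>.+)$"
)


def arn(rtype, name):
    """Build a Redshift resource ARN scoped to the sample cluster."""
    return f"arn:aws:redshift:{REGION}:{ACCOUNT}:{rtype}:{CLUSTER}/{name}"


# The article's access policy with REGION and ACCOUNT_NUMBER filled in (constructed).
ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowGetClusterCreds", "Effect": "Allow", "Action": "redshift:GetClusterCredentials",
     "Resource": [arn("dbuser", "${redshift:DbUser}"), arn("dbname", DBNAME)]},
    {"Sid": "AllowCreateClusterUser", "Effect": "Allow", "Action": "redshift:CreateClusterUser",
     "Resource": arn("dbuser", "${redshift:DbUser}")},
    {"Sid": "AllowJoinGroup", "Effect": "Allow", "Action": "redshift:JoinGroup",
     "Resource": arn("dbgroup", JC_GROUP)},
]}

# The role's trust policy from the article, with the same sample values.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": EXPECTED_AUD}},
}]}

# Weakened variants (constructed) that the checks below are expected to flag.
WEAK_ACCESS = copy.deepcopy(ACCESS_POLICY)
WEAK_ACCESS["Statement"][0]["Resource"] = "*"  # credentials for any cluster and any user
WEAK_TRUST = copy.deepcopy(TRUST_POLICY)
del WEAK_TRUST["Statement"][0]["Condition"]  # no audience check on the SAML assertion


def _resources(stmt):
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def check_access_policy(policy, cluster=CLUSTER, dbname=DBNAME, jumpcloud_group=JC_GROUP):
    """Return findings for the Redshift access policy; an empty list means it passed."""
    findings, scopes = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _resources(stmt):
            if res == "*":
                findings.append(f"{sid}: Resource '*' allows the action on every cluster")
                continue
            if "ACCOUNT_NUMBER" in res or "REGION" in res:
                findings.append(f"{sid}: placeholder not replaced in {res}")
                continue
            m = ARN_RE.match(res)
            if not m:
                findings.append(f"{sid}: unrecognised Redshift resource {res}")
                continue
            scopes.add((m["region"], m["account"]))
            rtype, name = m["rtype"], m["name"]
            if m["cluster"] != cluster:
                findings.append(f"{sid}: resource is for cluster {m['cluster']}, expected {cluster}")
            if rtype == "dbuser" and name != "${redshift:DbUser}":
                findings.append(f"{sid}: dbuser should be ${{redshift:DbUser}}, got {name}")
            if rtype == "dbname" and name != dbname:
                findings.append(f"{sid}: dbname {name} does not match database {dbname}")
            if rtype == "dbgroup" and name != jumpcloud_group:
                findings.append(f"{sid}: dbgroup {name} does not match JumpCloud group {jumpcloud_group}")
            if rtype == "dbgroup" and name != name.lower():
                findings.append(f"{sid}: dbgroup {name} must be lowercase")
    if len(scopes) > 1:
        findings.append(f"resources span several regions/accounts: {sorted(scopes)}")
    return findings


def check_trust_policy(trust, provider_arn=PROVIDER_ARN):
    """Return findings for the role trust policy; an empty list means it passed."""
    findings = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithSAML":
            findings.append(f"unexpected action {stmt.get('Action')!r}")
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            findings.append("Federated principal is not the JumpCloud SAML provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != EXPECTED_AUD:
            findings.append(f"SAML:aud condition missing or wrong: {aud!r}")
    return findings


if __name__ == "__main__":
    for label, result in [("access policy", check_access_policy(ACCESS_POLICY)),
                          ("trust policy", check_trust_policy(TRUST_POLICY)),
                          ("weak access policy", check_access_policy(WEAK_ACCESS)),
                          ("weak trust policy", check_trust_policy(WEAK_TRUST))]:
        print(f"{label}: {result or 'OK'}")
```

To use it against your own setup, load the JSON you pasted into the console with json.load and pass it in place of the constructed dictionaries, together with your real cluster, database and JumpCloud group names; an empty list from both checks means the policies have the shape this article describes and are scoped to one cluster.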
Create a Subnet Group in Redshift
- In the AWS Management console, click Services, then select Amazon Redshift under Database.
- In the left-hand navigation, select CONFIG, then select Subnet groups.
- Click Create cluster subnet group.
- For name, enter the name of your choice.
- For VPC, select the VPC that contains the subnets that you want to include.
- Select AZ and associated subnets. Make sure you select the same subnet that’s associated with the VPN. You can also select to add all the subnets for the VPC.
- Click Create cluster subnet group.
Create a Cluster in Redshift
- In the AWS Management console, click Services, then select Amazon Redshift under Database.
- In the left-hand navigation, select CLUSTERS, then click Create cluster.
- For cluster identifier, enter the name of your choice.
- Select the Node type, then enter the number of nodes.
- Enter the following information for Database Configurations:
- Database name: the name of your choice.
- Database port: 5439
- Master username: a master username of your choice
- Master password: a master password of your choice. Note: Save these credentials; you need them in Create the DB Group, under Configure the SQL Client.
- In Additional configurations, turn off Use defaults, then select Network and security.
- For Virtual private cloud, select the VPC you selected for the Redshift Subnet Group.
- For VPC security group, select the security group you created in Create a Security Group.
- For Cluster subnet group, select the subnet group you created in Create a Subnet Group.
- Select AZ or No Preference.
- For Enhanced VPC routing, select disabled, then for Publicly accessible select No.
- Expand Database configurations.
- Select a Parameter group and the Encryption.
- Configure settings for Maintenance, Monitoring, and Backup according to your preferences.
- Click Create cluster.
- In the Clusters list view, select the cluster you just created.
- Under General information, copy the JDBC URL. It looks like this: jdbc:redshift://testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439/testdb
Configure the SQL Client
In the SQL Client, you have three phases to complete:
Set up Redshift with the SQL Client
- Download the Redshift JDBC driver. It needs to be 1.2.41 or higher with SDK: https://s3.amazonaws.com/redshift-downloads/drivers/jdbc/1.2.41.1065/RedshiftJDBC42-1.2.41.1065.jar
- Download and run SQL Workbench. It requires Java 8 or later and you can use any JDBC tool: https://www.sql-workbench.eu/downloads.html
- Unzip and run sqlworkbench.jar.
- In the Connection Window, select Manage Drivers, then select Amazon Redshift.
- Select RedshiftJDBC42-1.2.41.1065.jar for the driver.
- For Class Name, select com.amazon.redshift.jdbc.Driver.
Later versions of the Redshift JDBC driver might have the Class Name as com.amazon.redshift.jdbc42.Driver. See https://docs.aws.amazon.com/redshift/latest/mgmt/configure-jdbc-connection.html for more information.
- Click OK.
The Redshift cluster is reachable only from inside the VPC (it was created with Publicly accessible set to No), so you connect to the VPC over the VPN; the Redshift JDBC URL then resolves to a private IP address in that VPC.
Create the DB Group
- Connect directly to the Cluster with the master username and password you created in Create a Cluster in Redshift to create the DB Group.
- In the Connection Window, enter the following information:
- For Driver, select Amazon Redshift.
- For URL, enter the JDBC URL you copied in step 17 of Create a Cluster in Redshift.
- For username, enter the master username that you created in steps 5c-5d of Create a Cluster in Redshift.
- For password, enter the master password that you created in steps 5c-5d of Create a Cluster in Redshift.
- For Extended Properties, enter:
- For login_url enter https://sso.jumpcloud.com/saml2/redshift-sso.
- For plugin_name enter com.amazon.redshift.plugin.BrowserSamlCredentialsProvider.
- For idp_response_timeout, put 60.
- Select the option for Copy to system properties before connecting.
- Click OK.
- Click OK again. Then you’re logged into the Redshift DB directly and the top right shows the connection:
- “Catalog=testdb, URL=jdbc:redshift://testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439/testdb”.
- Execute the following SQL commands to create a DB group:
  CREATE GROUP redshift_dbgroup;
  COMMIT;
  Notes:
  - The group name must match the dbgroup resource in the access policy (redshift_dbgroup in Create an Access Policy) and the JumpCloud user group name. Unquoted Redshift identifiers may contain only letters, digits, underscores and dollar signs, so use an underscore rather than a hyphen in the name.
  - Use GRANT with the GROUP command to add any other specific DB permissions beyond the default.
  - If there are existing users who should connect only via SSO and not directly, also execute the following command: ALTER USER existing_user PASSWORD DISABLE;
- Disconnect from the DB.
Connect the Redshift DB with JumpCloud SSO
- In the Connection Window enter the following information:
- Driver: Amazon Redshift
- URL: jdbc:redshift:iam://testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439/testdb
- Note: Notice the addition of :iam: into the original JDBC URL string
- Username: <clear any user creds>
- Password: <clear any user creds>
- Extended Properties stay the same as when you configured them in Step 3 of Create the DB Group.
- Click OK.
- You’re redirected to the JumpCloud User Login screen. Complete the auth workflow.
- After you log in, you’re redirected to a local page that says, “Thank you for using Amazon Redshift! You can now close this window.”
- Go back to the SQL Application. You find that you are logged in to the Redshift DB with JumpCloud SSO. The top right shows your connection: “Catalog=testdb, URL=jdbc:redshift:iam://testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439/testdb”.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the JumpCloud User Console
- Go to Applications and click an application tile to launch it
- JumpCloud asserts the user’s identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- Go to the SP application login. Generally, there is either a special link or an adaptive username field that detects that the user is authenticated through SSO; this varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Removing the SSO Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of applications you are deleting.
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.