- \n
- A JumpCloud administrator account<\/li>\n\n\n\n
- JumpCloud SSO Package or higher or SSO add-on feature.<\/li>\n\n\n\n
- AWS Admin account (AWS root user)<\/li>\n\n\n\n
- AWS organization<\/li>\n<\/ul>\n\n\n\n
Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- This connector supports additional Constant Attributes that are sent in the assertion. E.g., Amazon supports\u00a0SessionDuration<\/a>\u00a0in order to allow up to 12 hour sessions before logout. By default, the connector template contains this additional attribute where the Name is \u00a0https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration<\/kbd>\u00a0and the Value in seconds must be between 15 minutes and 12 hours; e.g., for 15 minutes, enter a value of 900.\u00a0<\/li>\n<\/ul>\n\n\n\n
Additional Considerations<\/strong><\/p>\n\n\n\n
Before you begin to set up SSO with Amazon Redshift, decide on names for the resources involved in setup. <\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nAll names need to be lowercase. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- In JumpCloud, you should have a name(s) for:\n
- \n
- Users who need access to Redshift. <\/li>\n\n\n\n
- A User Group Name.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- Usernames for users need to be all lowercase.<\/li>\n\n\n\n
- The user group name in JumpCloud needs to match the DB Group Name in Redshift. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- In AWS, prepare a name for:\n
- \n
- The IAM IdP Name. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- In Redshift, plan names for:\n
- \n
- The Cluster Name. <\/li>\n\n\n\n
- DB Name. <\/li>\n\n\n\n
- A master user name (some_admin)<\/li>\n\n\n\n
- A master user password (save creds so we can login to the db directly to setup the dbgroup)<\/li>\n\n\n\n
- A DB Group Name. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
The DB Group Name needs to match the JumpCloud User Group name. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Learn more about the AWS side of this process<\/a>.<\/p>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure JumpCloud 1 <\/strong><\/h3>\n\n\n\n
Create a Group of Users<\/strong><\/h4>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Select Groups.<\/strong><\/li>\n\n\n\n
- Click (+<\/strong>).<\/li>\n\n\n\n
- In the Details<\/strong> tab, enter a name for the user group. It needs to match the RedShift DB group name.<\/li>\n\n\n\n
- Select the Users<\/strong> tab to add users to the group. <\/li>\n\n\n\n
- Click save<\/strong> and keep the Admin Portal open. <\/li>\n<\/ol>\n\n\n\n
Set Up the SAML Application<\/strong><\/h4>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Add or change any attributes.<\/li>\n\n\n\n
- In the User Groups<\/strong> tab, select the User Group you created in the previous section.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Download the JumpCloud metadata<\/strong> file<\/strong><\/h4>\n\n\n\n
- \n
- Find your application in the Configured Applications<\/strong> list and click anywhere in the row to reopen its configuration window.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- The JumpCloud-<applicationname>-metadata.xml<\/strong> will be exported to your local Downloads <\/strong>folder.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nMetadata can also be downloaded from the Configured Applications<\/strong> list. Search for and select the application in the list and then click Export Metadata<\/strong> in the top right corner of the window.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure AWS 1<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the Amazon Web Services console for your organization as an administrator.<\/li>\n\n\n\n
- In the main console, go to All Services<\/strong>, under Security, Identity & Compliance<\/strong> select IAM<\/strong>.<\/li>\n\n\n\n
- On the left hand side nav, select Identity Providers<\/strong>.<\/li>\n\n\n\n
- Select Create Provider<\/strong>.<\/li>\n\n\n\n
- In Provider Type<\/strong>, select SAML<\/strong>.<\/li>\n\n\n\n
- For Provider Name<\/strong>, enter a name of your choice.<\/em><\/li>\n\n\n\n
- Select Choose File<\/strong>, then upload the metadata file you downloaded from JumpCloud.<\/li>\n\n\n\n
- Select Next Step<\/strong>.<\/li>\n\n\n\n
- On the next screen, select Create<\/strong>.<\/li>\n\n\n\n
- Select the identity provider you created in steps 5-6. <\/li>\n\n\n\n
- Download the metadata XML file to the local machine. <\/li>\n<\/ol>\n\n\n\n
To configure JumpCloud 2<\/strong><\/h3>\n\n\n\n
- \n
- In the JumpCloud Admin Portal, open the AWS Redshift SSO connector you configured. <\/li>\n\n\n\n
- For Service Provider Metadata File<\/strong>, upload the file you downloaded from AWS. <\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To configure AWS 2<\/strong><\/h3>\n\n\n\n
Create a Security Group<\/strong><\/h4>\n\n\n\n
- \n
- Go to the AWS management console.<\/li>\n\n\n\n
- In the main console, go to All Services<\/strong>, under Compute<\/strong>, select EC2<\/strong>.<\/li>\n\n\n\n
- In the left hand navigation, under Network & Security<\/strong>, select Security Groups<\/strong>.<\/li>\n\n\n\n
- Click Create security group<\/strong>. <\/li>\n\n\n\n
- For Security group name<\/strong>, enter a name of your choice. <\/li>\n\n\n\n
- Under Inbound rules<\/strong>, click Add rule<\/strong>.<\/li>\n\n\n\n
- For Type<\/strong>, select Redshift<\/strong>.<\/li>\n\n\n\n
- For source, enter the internal IP of the VPN you’re connected to, or its subnet address. <\/li>\n\n\n\n
- Skip Outbound rules<\/strong> and Tags<\/strong>, then click Create security group<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Create an Access Policy<\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select IAM<\/strong> under Security, Identity, & Compliance<\/strong>. <\/li>\n\n\n\n
- Under Access Management<\/strong> on the left-hand side, select Policies<\/strong>.<\/li>\n\n\n\n
- Click Create policy<\/strong>. <\/li>\n\n\n\n
- Select the\u00a0JSON\u00a0<\/strong>tab, and overwrite it with the following:<\/li>\n<\/ol>\n\n\n\n
\n{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Version”: “2012-10-17”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Statement”: [
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowGetClusterCreds”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:GetClusterCredentials”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: [
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster\/${redshift:DbUser}”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbname:testcluster\/testdb”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowCreateClusterUser”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:CreateClusterUser”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: “arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster\/${redshift:DbUser}”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowJoinGroup”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:JoinGroup”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: “arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbgroup:testcluster\/redshift_dbgroup”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/p>\n<\/div><\/div>\n\n\n\n<\/p><\/div>Note:<\/strong> \nMake sure to replace ACCOUNT_NUMBER<\/kbd> with your AWS account number. See Prerequisites on where to find this. For REGION<\/kbd>, replace it with the region that the Redshift is being deployed or is already in.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Review policy<\/strong>. <\/li>\n\n\n\n
- For name, enter the name of your choice.<\/li>\n\n\n\n
- Click, Create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Create a Role <\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select IAM<\/strong> under Security, Identity, & Compliance<\/strong>. <\/li>\n\n\n\n
- Under Access Management<\/strong> on the left-hand side, select Roles<\/strong>.<\/li>\n\n\n\n
- Click Create role<\/strong>.<\/li>\n\n\n\n
- For Select type of trust entity<\/strong>, select SAML 2.0 federation<\/strong>. <\/li>\n\n\n\n
- In SAML provider<\/strong>, select the identity provider you created in Configure AWS 1<\/a>.<\/em><\/li>\n\n\n\n
- Choose Allow programmatic access only<\/strong>.<\/li>\n\n\n\n
- For
- Under Access Management<\/strong> on the left-hand side, select Roles<\/strong>.<\/li>\n\n\n\n
- Under Access Management<\/strong> on the left-hand side, select Policies<\/strong>.<\/li>\n\n\n\n
- In the left hand navigation, under Network & Security<\/strong>, select Security Groups<\/strong>.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
- On the left hand side nav, select Identity Providers<\/strong>.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Select Groups.<\/strong><\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- If successful, click:\n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- In AWS, prepare a name for:\n
- In JumpCloud, you should have a name(s) for:\n
- This connector supports additional Constant Attributes that are sent in the assertion. E.g., Amazon supports\u00a0SessionDuration<\/a>\u00a0in order to allow up to 12 hour sessions before logout. By default, the connector template contains this additional attribute where the Name is \u00a0https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration<\/kbd>\u00a0and the Value in seconds must be between 15 minutes and 12 hours; e.g., for 15 minutes, enter a value of 900.\u00a0<\/li>\n<\/ul>\n\n\n\n