Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- This connector supports additional Constant Attributes that are sent in the assertion. E.g., Amazon supports\u00a0SessionDuration<\/a>\u00a0in order to allow up to 12 hour sessions before logout. By default, the connector template contains this additional attribute where the Name is \u00a0https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration<\/kbd>\u00a0and the Value in seconds must be between 15 minutes and 12 hours; e.g., for 15 minutes, enter a value of 900.\u00a0<\/li>\n<\/ul>\n\n\n\n
Additional Considerations<\/strong><\/p>\n\n\n\n
Before you begin to set up SSO with Amazon Redshift, decide on names for the resources involved in setup. <\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nAll names need to be lowercase. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- In JumpCloud, you should have a name(s) for:\n
- \n
- Users who need access to Redshift. <\/li>\n\n\n\n
- A User Group Name.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- Usernames for users need to be all lowercase.<\/li>\n\n\n\n
- The user group name in JumpCloud needs to match the DB Group Name in Redshift. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- In AWS, prepare a name for:\n
- \n
- The IAM IdP Name. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- In Redshift, plan names for:\n
- \n
- The Cluster Name. <\/li>\n\n\n\n
- DB Name. <\/li>\n\n\n\n
- A master user name (some_admin)<\/li>\n\n\n\n
- A master user password (save creds so we can login to the db directly to setup the dbgroup)<\/li>\n\n\n\n
- A DB Group Name. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
The DB Group Name needs to match the JumpCloud User Group name. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Learn more about the AWS side of this process<\/a>.<\/p>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure JumpCloud 1 <\/strong><\/h3>\n\n\n\n
Create a Group of Users<\/strong><\/h4>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Select Groups.<\/strong><\/li>\n\n\n\n
- Click (+<\/strong>).<\/li>\n\n\n\n
- In the Details<\/strong> tab, enter a name for the user group. It needs to match the RedShift DB group name.<\/li>\n\n\n\n
- Select the Users<\/strong> tab to add users to the group. <\/li>\n\n\n\n
- Click save<\/strong> and keep the Admin Portal open. <\/li>\n<\/ol>\n\n\n\n
Set Up the SAML Application<\/strong><\/h4>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Add or change any attributes.<\/li>\n\n\n\n
- In the User Groups<\/strong> tab, select the User Group you created in the previous section.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Download the JumpCloud metadata<\/strong> file<\/strong><\/h4>\n\n\n\n
- \n
- Find your application in the Configured Applications<\/strong> list and click anywhere in the row to reopen its configuration window.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click Export Metadata<\/strong>.<\/li>\n\n\n\n
- The JumpCloud-<applicationname>-metadata.xml<\/strong> will be exported to your local Downloads <\/strong>folder.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nMetadata can also be downloaded from the Configured Applications<\/strong> list. Search for and select the application in the list and then click Export Metadata<\/strong> in the top right corner of the window.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure AWS 1<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the Amazon Web Services console for your organization as an administrator.<\/li>\n\n\n\n
- In the main console, go to All Services<\/strong>, under Security, Identity & Compliance<\/strong> select IAM<\/strong>.<\/li>\n\n\n\n
- On the left hand side nav, select Identity Providers<\/strong>.<\/li>\n\n\n\n
- Select Create Provider<\/strong>.<\/li>\n\n\n\n
- In Provider Type<\/strong>, select SAML<\/strong>.<\/li>\n\n\n\n
- For Provider Name<\/strong>, enter a name of your choice.<\/em><\/li>\n\n\n\n
- Select Choose File<\/strong>, then upload the metadata file you downloaded from JumpCloud.<\/li>\n\n\n\n
- Select Next Step<\/strong>.<\/li>\n\n\n\n
- On the next screen, select Create<\/strong>.<\/li>\n\n\n\n
- Select the identity provider you created in steps 5-6. <\/li>\n\n\n\n
- Download the metadata XML file to the local machine. <\/li>\n<\/ol>\n\n\n\n
To configure JumpCloud 2<\/strong><\/h3>\n\n\n\n
- \n
- In the JumpCloud Admin Portal, open the AWS Redshift SSO connector you configured. <\/li>\n\n\n\n
- For Service Provider Metadata File<\/strong>, upload the file you downloaded from AWS. <\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To configure AWS 2<\/strong><\/h3>\n\n\n\n
Create a Security Group<\/strong><\/h4>\n\n\n\n
- \n
- Go to the AWS management console.<\/li>\n\n\n\n
- In the main console, go to All Services<\/strong>, under Compute<\/strong>, select EC2<\/strong>.<\/li>\n\n\n\n
- In the left hand navigation, under Network & Security<\/strong>, select Security Groups<\/strong>.<\/li>\n\n\n\n
- Click Create security group<\/strong>. <\/li>\n\n\n\n
- For Security group name<\/strong>, enter a name of your choice. <\/li>\n\n\n\n
- Under Inbound rules<\/strong>, click Add rule<\/strong>.<\/li>\n\n\n\n
- For Type<\/strong>, select Redshift<\/strong>.<\/li>\n\n\n\n
- For source, enter the internal IP of the VPN you’re connected to, or its subnet address. <\/li>\n\n\n\n
- Skip Outbound rules<\/strong> and Tags<\/strong>, then click Create security group<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Create an Access Policy<\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select IAM<\/strong> under Security, Identity, & Compliance<\/strong>. <\/li>\n\n\n\n
- Under Access Management<\/strong> on the left-hand side, select Policies<\/strong>.<\/li>\n\n\n\n
- Click Create policy<\/strong>. <\/li>\n\n\n\n
- Select the\u00a0JSON\u00a0<\/strong>tab, and overwrite it with the following:<\/li>\n<\/ol>\n\n\n\n\n
{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Version”: “2012-10-17”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Statement”: [
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowGetClusterCreds”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:GetClusterCredentials”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: [
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster\/${redshift:DbUser}”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbname:testcluster\/testdb”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowCreateClusterUser”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:CreateClusterUser”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: “arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbuser:testcluster\/${redshift:DbUser}”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Sid”: “AllowJoinGroup”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Effect”: “Allow”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Action”: “redshift:JoinGroup”,
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0“Resource”: “arn:aws:redshift:REGION:ACCOUNT_NUMBER:dbgroup:testcluster\/redshift_dbgroup”
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/p>\n<\/div><\/div>\n\n\n\n<\/p><\/div>Note:<\/strong> \nMake sure to replace ACCOUNT_NUMBER<\/kbd> with your AWS account number. See Prerequisites on where to find this. For REGION<\/kbd>, replace it with the region that the Redshift is being deployed or is already in.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Review policy<\/strong>. <\/li>\n\n\n\n
- For name, enter the name of your choice.<\/li>\n\n\n\n
- Click, Create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Create a Role <\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select IAM<\/strong> under Security, Identity, & Compliance<\/strong>. <\/li>\n\n\n\n
- Under Access Management<\/strong> on the left-hand side, select Roles<\/strong>.<\/li>\n\n\n\n
- Click Create role<\/strong>.<\/li>\n\n\n\n
- For Select type of trust entity<\/strong>, select SAML 2.0 federation<\/strong>. <\/li>\n\n\n\n
- In SAML provider<\/strong>, select the identity provider you created in Configure AWS 1<\/a>.<\/em><\/li>\n\n\n\n
- Choose Allow programmatic access only<\/strong>.<\/li>\n\n\n\n
- For Attribute<\/strong>, select SAML:aud<\/kbd><\/strong>.<\/li>\n\n\n\n
- For Value<\/strong>, enter http:\/\/localhost:7890\/redshift\/<\/kbd>. The resulting Trusted Entity<\/strong> should look like:<\/li>\n<\/ol>\n\n\n\n
{<\/p>\n\n\n\n
“Version”: “2012-10-17”,<\/p>\n\n\n\n
“Statement”: [<\/p>\n\n\n\n
{<\/p>\n\n\n\n
“Effect”: “Allow”,<\/p>\n\n\n\n
“Principal”: {<\/p>\n\n\n\n
“Federated”: “arn:aws:iam::ACCOUNT_NUMBER:saml-provider\/redshift-sso”<\/p>\n\n\n\n
},<\/p>\n\n\n\n
“Action”: “sts:AssumeRoleWithSAML”,<\/p>\n\n\n\n
“Condition”: {<\/p>\n\n\n\n
“StringEquals”: {<\/p>\n\n\n\n
“SAML:aud”: “http:\/\/localhost:7890\/redshift\/””<\/p>\n\n\n\n
}<\/p>\n\n\n\n
}<\/p>\n\n\n\n
}<\/p>\n\n\n\n
]<\/p>\n\n\n\n
}<\/p>\n\n\n\n
- \n
- Click Next: Permissions<\/strong>. <\/li>\n\n\n\n
- Attach the policy you created in Create an Access Policy<\/a>.<\/li>\n\n\n\n
- Select Next: Review<\/strong>.<\/li>\n\n\n\n
- Define a Role Name<\/strong>. <\/li>\n\n\n\n
- Select Create role<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Create a Subnet Group in Redshift<\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select Amazon Redshift<\/strong> under Database.<\/strong> <\/li>\n\n\n\n
- In the left-hand navigation, select CONFIG<\/strong>, then select Subnet groups<\/strong>.<\/li>\n\n\n\n
- Click Create cluster subnet group<\/strong>.<\/li>\n\n\n\n
- For name, enter the name of your choice.<\/li>\n\n\n\n
- For VPC, select the VPC that contains the subnets that you want to include.<\/li>\n\n\n\n
- Select AZ and associated subnets<\/strong>. Make sure you select the same subnet that\u2019s associated with the VPN. You can also select to add all the subnets for the VPC.<\/li>\n\n\n\n
- Click Create cluster subnet group<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Create a Cluster in Redshift<\/strong><\/h4>\n\n\n\n
- \n
- In the AWS Management console, click Services<\/strong>, then select Amazon Redshift<\/strong> under Database<\/strong>. <\/li>\n\n\n\n
- In the left-hand navigation, select CLUSTERS<\/strong>, then click Create cluster<\/strong>. <\/li>\n\n\n\n
- For cluster identifier, enter the name of your choice.<\/em><\/li>\n\n\n\n
- Select the Node type, then enter the number of nodes. <\/li>\n\n\n\n
- Enter the following information for Database Configurations<\/strong>:\n
- \n
- Database name<\/strong>: the name of your choice<\/em>.<\/li>\n\n\n\n
- Database port<\/strong>: 5493<\/em><\/li>\n\n\n\n
- Master username<\/strong>: a master username of your choice<\/em><\/li>\n\n\n\n
- Master password<\/strong>: a master password of your choice. <\/em>Note<\/strong>: Save these credentials for Create the DB Group<\/a>, in Configure the SQL Client. <\/li>\n<\/ol>\n<\/li>\n\n\n\n
- In Additional configurations<\/strong>, turn off Use defaults<\/strong>, then select Network and security<\/strong>.<\/li>\n\n\n\n
- For Virtual private cloud<\/strong>, select the VPC you selected for the Redshift Subnet Group<\/a>.<\/li>\n\n\n\n
- For VPC security group<\/strong>, select the security group you created in Create a Security Group<\/a>. <\/li>\n\n\n\n
- For Cluster subnet group<\/strong>, select the subnet group you created in Create a Subnet Group<\/a>. <\/li>\n\n\n\n
- Select AZ <\/strong>or No Preference<\/strong>. <\/li>\n\n\n\n
- For Enhanced VPC routing<\/strong>, select disabled<\/strong>, then for Publicly accessible<\/strong> select No<\/strong>.<\/li>\n\n\n\n
- Expand Database configurations<\/strong>.<\/li>\n\n\n\n
- Select a Parameter group<\/strong> and the Encryption<\/strong>. <\/li>\n\n\n\n
- Configure settings for Maintenance<\/strong>, Monitoring<\/strong>, and Backup<\/strong> according to your preferences. <\/li>\n\n\n\n
- Click Create cluster<\/strong>. <\/li>\n\n\n\n
- In the Clusters list view<\/strong>, select the cluster you just created. <\/li>\n\n\n\n
- Under General information, copy the JDBC URL<\/strong>. It looks like this: jdbc:redshift:\/\/testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439\/testdb<\/li>\n<\/ol>\n\n\n\n
Configure the SQL Client <\/strong><\/h4>\n\n\n\n
In the SQL Client, you have three phases to complete:<\/p>\n\n\n\n
Set up Redshift with the SQL Client<\/strong><\/h5>\n\n\n\n
- \n
- Download the Redshift JDBC driver. It needs to be 1.2.41 or higher with SDK: https:\/\/s3.amazonaws.com\/redshift-downloads\/drivers\/jdbc\/1.2.41.1065\/RedshiftJDBC42-1.2.41.1065.jar<\/a><\/li>\n\n\n\n
- Download and run SQL Workbench. It requires Java 8 or later and you can use any JDBC tool: https:\/\/www.sql-workbench.eu\/downloads.html<\/a><\/li>\n\n\n\n
- Unzip and run sqlworkbench.jar.<\/li>\n\n\n\n
- In the Connection Window, select Manage Drivers<\/strong>, then select Amazon Redshift<\/strong>.<\/li>\n\n\n\n
- Select RedshiftJDBC42-1.2.41.1065.jar<\/strong> for the driver. <\/li>\n\n\n\n
- For Class Name<\/strong>, select com.amazon.redshift.jdbc.Driver<\/strong>. <\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
Later versions of the Redshift JDBC driver might have the Class Name as com.amazon.redshift.jdbc42.Driver. See https:\/\/docs.aws.amazon.com\/redshift\/latest\/mgmt\/configure-jdbc-connection.html<\/a> for more information.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click OK<\/strong>. <\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
The Redshift cluster is local to the VPC and uses a VPN access to connect the VPC to the redshift JDBC url that maps to a private IP. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Create the DB Group<\/strong><\/h5>\n\n\n\n
- \n
- Connect directly to the Cluster with the master username and password you created in Create a Cluster in Redshift<\/a> to create the DB Group<\/strong>.<\/li>\n\n\n\n
- In the Connection Window, enter the following information:\n
- \n
- For Driver<\/strong>, select Amazon Redshift.<\/li>\n\n\n\n
- For URL<\/strong>, enter the JDBC URL you copied in step 17 of Create a Cluster in Redshift.<\/li>\n\n\n\n
- For username<\/strong>, enter the master username that you created in steps 5c-5d of Create a Cluster in Redshift. <\/li>\n\n\n\n
- For password<\/strong>, enter the master password that you created in steps 5c-5d of Create a Cluster in Redshift. <\/li>\n<\/ol>\n<\/li>\n\n\n\n
- For Extended Properties, enter:\n
- \n
- For login_url<\/strong> enter https:\/\/sso.jumpcloud.com\/saml2\/redshift-sso<\/em>.<\/li>\n\n\n\n
- For Plugin_name<\/strong> enter com.amazon.redshift.plugin.BrowserSamlCredentialsProvider<\/em>.<\/li>\n\n\n\n
- For idp_response_timeout<\/strong>, put 60<\/em>. <\/li>\n\n\n\n
- Select the option for Copy to system properties before connecting<\/strong>. <\/li>\n\n\n\n
- Click OK<\/strong>. <\/li>\n<\/ol>\n<\/li>\n\n\n\n
- Click OK<\/strong> again. Then you\u2019re logged into the Redshift DB directly and the top right shows the connection:<\/li>\n\n\n\n
- “Catalog=testdb, URL=jdbc:redshift:\/\/testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com<\/a>:5439\/testdb”.<\/li>\n\n\n\n
- Execute the following SQL commands to create a DB group:\n
- \n
- CREATE GROUP redshift-dbgroup;<\/li>\n\n\n\n
- Commit;\n
- \n
- Notes<\/strong>:\n
- \n
- Use GRANT with the GROUP command to add any other specific DB permissions other than the default.<\/li>\n\n\n\n
- If there are already users that exist that you want to only connect via SSO and not direct, then also execute the following command: alter user existing_user password disable. <\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- Disconnect from DB. <\/li>\n<\/ol>\n\n\n\n
Connect the Redshift DB with JumpCloud SSO<\/strong><\/h5>\n\n\n\n
- \n
- In the Connection Window enter the following information:\n
- \n
- Driver<\/strong>: Amazon Redshift<\/li>\n\n\n\n
- URL<\/strong>: jdbc:redshift:iam:\/\/testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439\/testdb<\/li>\n\n\n\n
- Note<\/strong>: Notice the addition of :iam: into the original JDBC URL string<\/li>\n\n\n\n
- Username<\/strong>: <clear any user creds><\/li>\n\n\n\n
- Password<\/strong>: <clear any user creds><\/li>\n<\/ol>\n<\/li>\n\n\n\n
- Extended Properties stay the same from when you configured them in Step 3 of Create the DB Group. <\/li>\n\n\n\n
- Click OK<\/strong>.<\/li>\n\n\n\n
- You\u2019re redirected to the JumpCloud User Login screen. Complete the auth workflow. <\/li>\n\n\n\n
- After you log in, you\u2019re redirected to a local page that says, \u201cThank you for using Amazon Redshift! You can now close this window.\u201d<\/li>\n\n\n\n
- Go back to the SQL Application. You find that you are logged in to the Redshift DB with JumpCloud SSO. The top right shows your connection:\u00a0 “Catalog=testdb, URL=jdbc:redshift:iam:\/\/testcluster.XXXXXXXXXX.REGION.redshift.amazonaws.com:5439\/testdb”.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the <\/a>JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Access the JumpCloud User Console<\/a><\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- JumpCloud asserts the user’s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- In the Connection Window enter the following information:\n
- Notes<\/strong>:\n
- Click OK<\/strong>. <\/li>\n<\/ol>\n\n\n\n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
- In AWS, prepare a name for:\n
- In JumpCloud, you should have a name(s) for:\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\"){kind=icon}
<\/p><\/div>