Configure ADFS authentication for Amazon Redshift
Atlan supports ADFS (Active Directory Federation Services) as the identity provider for Amazon Redshift connections. ADFS enables your users to authenticate using their Active Directory credentials.
Create a relying party trust in ADFS
You need your ADFS administrator to complete these steps - you may not have access yourself. You also need inputs and approval from your AWS administrator.
You need to create a relying party trust in ADFS to establish a trust relationship with AWS. This enables ADFS to authenticate users for Amazon Redshift access.
To create a relying party trust, within ADFS:
- Log in to your ADFS server and open the ADFS Management console.
- In the left navigation pane, expand Trust Relationships and click Relying Party Trusts.
- In the right pane, click Add Relying Party Trust to start the wizard.
- On the Welcome page, click Start.
- On the Select Data Source page:
  - Select Import data about the relying party published online or on a local network.
  - For Federation metadata address, enter https://signin.aws.amazon.com/saml-metadata.xml.
  - Click Next to continue.
- On the Specify Display Name page:
  - For Display name, enter a meaningful name for the relying party trust - for example, AWS_Redshift_Atlan.
  - (Optional) For Notes, enter a description.
  - Click Next to continue.
- On the Choose Access Control Policy page:
  - Select an access control policy based on your organization's requirements - for example, Permit everyone or Permit specific groups.
  - Click Next to continue.
- On the Ready to Add Trust page, review your settings and click Next to continue.
- On the Finish page, leave Configure claims issuance policy for this application checked and click Close. This opens the Edit Claim Rules dialog.
You need to configure claim rules to map Active Directory attributes to AWS SAML attributes.
Configure claim rules in ADFS
According to the AWS documentation, you need to configure four claim rules for Amazon Redshift access. These rules map Active Directory attributes to the AWS SAML attributes required for authentication.
Add NameId claim rule
- In the Edit Claim Rules dialog, click Add Rule.
- On the Select Rule Template page:
  - For Claim rule template, select Transform an Incoming Claim.
  - Click Next to continue.
- On the Edit Rule - NameId page:
  - For Claim rule name, enter NameId.
  - For Incoming claim name, select Windows Account Name.
  - For Outgoing claim name, select Name ID.
  - For Outgoing name ID format, select Persistent Identifier.
  - Select Pass through all claim values.
  - Click Finish to add the rule.
Add RoleSessionName claim rule
- On the Edit Claim Rules page, click Add Rule.
- On the Select Rule Template page:
  - For Claim rule template, select Send LDAP Attributes as Claims.
  - Click Next to continue.
- On the Configure Rule page:
  - For Claim rule name, enter RoleSessionName.
  - For Attribute store, select Active Directory.
  - For LDAP Attribute, select Email Addresses.
  - For Outgoing Claim Type, select https://aws.amazon.com/SAML/Attributes/RoleSessionName.
  - Click Finish to add the rule.
Add get AD groups claim rule
- On the Edit Claim Rules page, click Add Rule.
- On the Select Rule Template page:
  - For Claim rule template, select Send Claims Using a Custom Rule.
  - Click Next to continue.
- On the Edit Rule - Get AD Groups page:
  - For Claim rule name, enter Get AD Groups.
  - For Custom rule, enter the following:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
  - Click Finish to add the rule.
Add Roles claim rule
This rule maps Active Directory groups to AWS IAM roles. Your AD groups must be named with the AWS- prefix (for example, AWS-RedshiftRole), and this rule strips the prefix and maps them to AWS roles.
- On the Edit Claim Rules page, click Add Rule.
- On the Select Rule Template page:
  - For Claim rule template, select Send Claims Using a Custom Rule.
  - Click Next to continue.
- On the Edit Rule - Roles page:
  - For Claim rule name, enter Roles.
  - For Custom rule, enter the following (replace the account ID and SAML provider name with your values):
    c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-"));
    Note: Replace 123456789012 with your AWS account ID and ADFS with your SAML provider name. The rule maps an AD group such as AWS-RedshiftRole to the role ARN arn:aws:iam::123456789012:role/ADFS-RedshiftRole, paired in the Role claim with the SAML provider ARN arn:aws:iam::123456789012:saml-provider/ADFS.
  - Click Finish to add the rule.
- Click OK to close the Edit Claim Rules dialog.
Important:
- Create Active Directory groups with the AWS- prefix (for example, AWS-RedshiftRole) that correspond to the IAM roles you want to use.
- Create corresponding IAM roles in AWS with names that match your AD group names (with the AWS- prefix replaced by your SAML provider prefix). For example, if your AD group is AWS-RedshiftRole, create an IAM role named ADFS-RedshiftRole (or update the custom rule to match your naming convention).
- For more detailed information about ADFS configuration, see the AWS documentation on setting up ADFS with Amazon Redshift.
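To see what the Get AD Groups and Roles rules produce end to end, here is an added Python emulation (not Atlan's or AWS's code) of the Roles claim rule, a parser for the resulting Role claim values, and a check of those roles against a connection's Preferred Role list. The account ID 123456789012 and provider name ADFS are the page's example values; the group names and preferred-role list are constructed.

```python
import re

# Page's example values (substitute your own account ID and SAML provider name).
ACCOUNT_ID = "123456789012"
SAML_PROVIDER = "ADFS"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{SAML_PROVIDER}"
ROLE_ARN_PREFIX = f"arn:aws:iam::{ACCOUNT_ID}:role/{SAML_PROVIDER}-"

# Same condition as the Roles claim rule: Value =~ "(?i)^AWS-"
GROUP_PREFIX = re.compile(r"^AWS-", re.IGNORECASE)


def role_claims_for_groups(ad_groups):
    """Emulate the Roles claim rule. Each AD group named AWS-<Name> yields one
    https://aws.amazon.com/SAML/Attributes/Role value "<provider ARN>,<role ARN>";
    groups without the prefix yield nothing, so they can never map to a role."""
    claims = []
    for group in ad_groups:
        if not GROUP_PREFIX.match(group):
            continue  # condition not met: no Role claim is issued for this group
        # The page's rule hands a literal "AWS-" to RegExReplace; this emulation
        # strips the matched prefix whatever its case.
        role_name = GROUP_PREFIX.sub("", group, count=1)
        claims.append(f"{PROVIDER_ARN},{ROLE_ARN_PREFIX}{role_name}")
    return claims


def role_arns_from_claims(claims):
    """Parse Role claim values into provider/role pairs (either ARN order) and
    keep only roles that live in the same AWS account as the SAML provider."""
    roles = []
    for claim in claims:
        parts = claim.split(",")
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        role = next((p for p in parts if ":role/" in p), None)
        if len(parts) != 2 or provider is None or role is None:
            continue  # malformed pair: drop it
        if provider.split(":")[4] != role.split(":")[4]:
            continue  # cross-account pair: provider and role accounts differ
        roles.append(role)
    return roles


def selectable_roles(claims, preferred_role_arns):
    """Roles a user can actually assume from the connection's Preferred Role list:
    those ADFS also asserted for them. A listed role that ADFS did not assert
    fails at AssumeRoleWithSAML regardless of what the dropdown offers."""
    asserted = set(role_arns_from_claims(claims))
    return [arn for arn in preferred_role_arns if arn in asserted]
```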
You need the ADFS federation metadata to configure ADFS as the identity provider in AWS.
Export ADFS federation metadata
To export the ADFS federation metadata:
- In the AD FS Management console, in the left navigation pane, click Service.
- In the right pane, under Endpoints, click Metadata.
- Copy the metadata URL - for example, https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml.
- Open this URL in a web browser and save the XML file. Alternatively, you can access it directly from the ADFS server.
- Save this file to use for configuring the identity provider in AWS.
Configure identity provider in AWS for ADFS
You need your AWS administrator to complete these steps - you may not have access yourself. You also need inputs and approval from your ADFS administrator.
You need to establish a trust relationship between ADFS as the identity provider and AWS. You also need to create a role that ADFS can use to access Amazon Redshift and assign required permissions to that role.
Create an identity provider
To create an identity provider, within AWS:
- Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
- From the left menu of your AWS Identity and Access Management (IAM) console, click Identity providers and then click the Add provider button.
- In the Add an Identity provider dialog, enter the following details:
  - For Provider type, select SAML.
  - For Provider name, enter a name for the identity provider - for example, ADFS_AtlanSSO.
  - Under Metadata document, you can either:
    - Click Choose file and upload the federation metadata XML file you exported from ADFS.
    - Or click Metadata document URL and enter the federation metadata URL from ADFS - for example, https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml.
- At the bottom of the dialog, click Add provider to add ADFS as the identity provider in AWS.
Once you have configured ADFS as the identity provider in AWS, you need to create one or more roles for ADFS to access Amazon Redshift. You can create multiple roles to provide different levels of access or to support different user groups.
Create a role
To create a role, within AWS:
- Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
- From the left menu of your AWS Identity and Access Management (IAM) console, click Roles, and then from the top right, click the Create role button.
- On the Create role page, enter the following details:
  - For Select trusted entity, under Trusted entity type, click SAML 2.0 federation. Under SAML 2.0 federation, enter the following details:
    - For SAML 2.0-based provider, select the identity provider you created in AWS - for example, ADFS_AtlanSSO.
    - Click Allow programmatic access only.
    - For the Attribute dropdown, select SAML:aud.
    - For Value, enter https://signin.aws.amazon.com/saml.
    - Click Next to continue.
  - For Add permissions, click Next to proceed to the next step.
  - For Name, review, and create, under Role details, enter the following details:
    - For Role name, enter a name for the role - for example, ADFS-RedshiftRole1 or ADFS-AtlanSSO_role.
    - (Optional) For Description, enter a description for the new role.
  - Click Create role to finish role setup. This creates a new role for ADFS to access Amazon Redshift.
Repeat this process to create additional roles if you want to provide multiple role options for users during BYOC authentication. Each role can have different permissions or be mapped to different Active Directory groups.
Once you have created the roles for ADFS to access Amazon Redshift, you need to assign permissions to each role.
Create a policy
You need to create an access policy and assign the following required permissions to the newly created role:
- CreateClusterUser
- JoinGroup
- GetClusterCredentials
To create a policy, within AWS:
- Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
- From the left menu of your AWS Identity and Access Management (IAM) console, click Roles and then search for and select the role you created in the previous step - for example, ADFS_AtlanSSO_role.
- On the newly created role page, to the right of Permission policies, click Add permissions, and then from the dropdown, click Create inline policy.
- On the Create policy page, you need to assign the following permissions for Redshift - GetClusterCredentials, JoinGroup, and CreateClusterUser. Repeat the steps below to assign each permission:
  - For Specify permissions, under Select a service, search for and select Redshift. Under Redshift, enter the following details:
    - For Allowed actions, search for and select a permission - for example, GetClusterCredentials.
    - For Resources, click All.
    - Click Next to proceed.
  - For Review and create, under Policy name, enter a name for the newly created policy - for example, ADFS_AtlanSSO_rolepolicy.
Retrieve identity provider and role ARNs
Once you have configured ADFS as the identity provider and created roles in AWS, you need the identity provider ARN and role ARNs for further configuration.
To retrieve the identity provider and role ARNs, within AWS:
- Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console.
- From the left menu of your AWS Identity and Access Management (IAM) console:
  - Click Identity providers and then select the identity provider you created:
    - On the identity provider page, under ARN, click the clipboard icon to copy the identity provider ARN value and store it in a secure location.
  - Click Roles and then select each role you created:
    - On each role page, under ARN, click the clipboard icon to copy the role ARN value and store it in a secure location.
    - Repeat this step for all roles you want to make available to users during BYOC authentication.
Note: You can configure multiple IAM roles for ADFS authentication. Users can select from these roles when authenticating through BYOC. Each role must have the required Redshift permissions (GetClusterCredentials, JoinGroup, CreateClusterUser).
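Because every role you expose through BYOC must carry the same trust relationship and the same three Redshift permissions, here is an added Python check (not Atlan's or AWS's code) that reviews one role's trust policy and inline policy against the Create a role and Create a policy steps above. The provider ARN and both policy documents are constructed samples mirroring those console choices; the inline policy deliberately omits CreateClusterUser so the check has something to report.

```python
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
REQUIRED_ACTIONS = {"redshift:GetClusterCredentials", "redshift:JoinGroup",
                    "redshift:CreateClusterUser"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_adfs_redshift_role(trust_policy, permission_policy, provider_arn):
    """Return findings for one IAM role; an empty list means the role matches the
    setup above. Wildcard actions are not expanded: the three Redshift actions
    must be granted explicitly, as the console steps produce."""
    findings = []
    trusted = False
    for s in _as_list(trust_policy.get("Statement", [])):
        principal = s.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if s.get("Effect") != "Allow" or provider_arn not in _as_list(federated):
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(s.get("Action")):
            continue
        trusted = True
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if SAML_AUDIENCE not in _as_list(aud):  # set by "Allow programmatic access only"
            findings.append(f"trust statement for {provider_arn} lacks SAML:aud == {SAML_AUDIENCE}")
    if not trusted:
        findings.append(f"no Allow statement lets {provider_arn} call sts:AssumeRoleWithSAML")
    allowed = set()
    for s in _as_list(permission_policy.get("Statement", [])):
        if s.get("Effect") == "Allow":
            allowed.update(_as_list(s.get("Action", [])))
    missing = REQUIRED_ACTIONS - allowed
    if missing:
        findings.append("missing Redshift permissions: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample documents mirroring the console choices above (SAML 2.0
# federation, programmatic access only, Resources: All).
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ADFS_AtlanSSO"
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
  "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ADFS_AtlanSSO"},
  "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}""")
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["redshift:GetClusterCredentials", "redshift:JoinGroup"]}]}
```

For a real role, feed it the AssumeRolePolicyDocument from `aws iam get-role` and the PolicyDocument from `aws iam get-role-policy`, and run the check once per role ARN you list under Preferred Role in Atlan.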
Verify claim rules configuration
After creating the claim rules, verify that they're configured correctly:
- In the AD FS Management console, in the left navigation pane, expand Trust Relationships and click Relying Party Trusts.
- Select the relying party trust you created - for example, AWS_Redshift_Atlan.
- In the right pane, click Edit Claim Issuance Policy.
- Verify that all four claim rules are present:
  - NameId
  - RoleSessionName
  - Get AD Groups
  - Roles
- Make sure the Roles claim rule includes the correct AWS account ID and SAML provider name.
Note: If you need to update the Roles claim rule with your actual AWS account ID and SAML provider ARN after creating the IAM identity provider and roles, you can edit the Roles rule and update the ARN values in the custom rule expression.
You need the ADFS server hostname (IdP host) for configuring SSO authentication in Atlan. The hostname is typically the FQDN of your ADFS server - for example, adfs.example.com.
Configure ADFS authentication in Atlan
You need to be a connection admin in Atlan to complete these steps. You also need inputs and approval from your ADFS and AWS administrators.
Once you have configured ADFS and AWS, you can enable ADFS authentication for your Amazon Redshift users to query data and view sample data in Atlan.
To configure ADFS authentication on an Amazon Redshift connection, from Atlan:
- From the left menu of any screen, click Assets.
- From the Assets page, click the Connector filter, and from the dropdown, select Redshift.
- From the pills below the search bar at the top of the screen, click Connection.
- From the list of results, select an Amazon Redshift connection to enable ADFS authentication.
- From the sidebar on the right, next to Connection settings, click Edit.
- In the Connection settings dialog:
  - Under Allow query, for Authentication type, click SSO authentication to enforce SSO credentials for querying data:
    - For SSO authentication, enter the following details:
      - For SSO Authentication Type, select ADFS (Active Directory Federation Services).
      - For IDP host, enter the ADFS server hostname (FQDN) - for example, adfs.example.com.
      - For Preferred Role (AWS Role ARN), enter one or more role ARNs retrieved from AWS. You can add multiple role ARNs by entering each ARN and pressing Enter. For example:
        - arn:aws:iam::123456789012:role/ADFS-RedshiftRole1
        - arn:aws:iam::123456789012:role/ADFS-RedshiftRole2
        - arn:aws:iam::123456789012:role/ADFS-RedshiftRole3
        Users can select from these available roles when authenticating through BYOC (Bring Your Own Credentials). If multiple roles are provided, users must select their preferred role during authentication.
  - Under Display sample data, for Source preview, click AD FS authentication to enforce SSO credentials for viewing sample data:
    - If AD FS authentication is enabled for querying data, the same connection details are reused for viewing sample data.
    - If a different authentication method is enabled for querying data, enter the AD FS configuration details as described earlier.
  - (Optional) Toggle on Enable data policies created at source to apply for querying in Atlan to apply any data policies and user permissions at source to querying data and viewing sample data in Atlan. If toggled on, any existing data policies on the connection in Atlan are deactivated and creation of new data policies is disabled.
- At the bottom right of the Connection settings dialog, click Update.
Your users can now run queries and view sample data using their SSO credentials! 🎉
When users authenticate with ADFS credentials through BYOC (Bring Your Own Credentials), they see a dropdown to select from the available role ARNs you configured. If multiple roles are configured, users must select their preferred role.