Integrate Tableau and PingFederate with Amazon Redshift using AWS IAM Identity Center


The series of posts on single sign-on to Amazon Redshift with AWS IAM Identity Center (successor to AWS Single Sign-On) integration continues from our prior post.

In this post, we outline a comprehensive guide for setting up single sign-on from Tableau Desktop to Amazon Redshift using integration with IAM Identity Center and PingFederate as the identity provider (IdP), with an LDAP-based data store, AWS Directory Service for Microsoft Active Directory.

Prerequisites

You should have the following prerequisites:

  1. A PingFederate account that has an active subscription. You need an admin role to set up the application on PingFederate. If you're new to PingFederate, you can reach out to Ping Identity Sales.
  2. A working PingFederate server.
  3. An Amazon Redshift Serverless workgroup or a provisioned Amazon Redshift data warehouse.
  4. Download and install the latest Redshift ODBC 2.X driver.
  5. Download and install Tableau Desktop 2024.1 or later.
  6. Install Tableau Server 2023.3.9 or later. For Tableau Server installation, see Install and Configure Tableau Server.

Solution overview

The PingFederate instance connects to IAM Identity Center using SAML. The users and groups in PingFederate are synced to IAM Identity Center using the open standard SCIM. After you set up SAML and SCIM, you will be able to enable single sign-on to Amazon Redshift from the AWS Management Console using Amazon Redshift Query Editor v2. This is achieved by creating an Identity Center application in the Amazon Redshift console.

To enable single sign-on to Amazon Redshift from outside of AWS using a third-party client like Tableau, you set up a trusted token issuer token exchange using the OIDC standard.

Figure 1: Solution overview for Tableau integration with Amazon Redshift using IAM Identity Center and PingFederate

The workflow, shown in the preceding figure, includes the following steps:

  1. The user configures Tableau to access Amazon Redshift using IAM Identity Center authentication.
  2. On a user sign-in attempt, Tableau initiates a browser-based OAuth flow and redirects the user to the PingFederate sign-in page to enter the sign-in credentials. Password validation is done against the AWS Managed Microsoft AD data store.
  3. On successful authentication, PingFederate issues an authentication token (ID and access token) to Tableau.
  4. The Amazon Redshift driver then makes a call to the Amazon Redshift-enabled Identity Center application and forwards the access token.
  5. Amazon Redshift passes the token to Identity Center and requests an access token.
  6. Identity Center verifies the token using the OIDC discovery connection to the trusted token issuer and returns an Identity Center-generated access token for the same user. In the preceding figure, the trusted token issuer (TTI) is the PingFederate server that Identity Center trusts to provide tokens that third-party applications like Tableau use to call AWS services.
  7. Amazon Redshift then uses the token to obtain the user and group membership information from Identity Center.
  8. The Tableau user will be able to connect to Amazon Redshift and access data based on the user and group membership returned from Identity Center. The user and group settings in the LDAP-based AWS Managed Microsoft AD data store for PingFederate are propagated to Identity Center using the SCIM protocol for outbound provisioning.

Walkthrough

In this walkthrough, you'll use the following steps to build the solution:

  1. SAML and SCIM setup between PingFederate and IAM Identity Center
  2. Connect to Amazon Redshift using Query Editor v2
  3. Configure identity federation from a third-party client
    1. Create an access token manager and access token mapping
    2. Create an OIDC policy
    3. Create an OAuth client
    4. Set up a PingFederate authorization server
    5. Policy contract grant mapping
    6. Collect PingFederate information
    7. Set up a trusted token issuer in IAM Identity Center
    8. Set up client connections and trusted token issuers in Amazon Redshift
    9. Configure Tableau OAuth config files for PingFederate to integrate with Amazon Redshift using IAM Identity Center
    10. Install a Tableau OAuth config file on a client machine for Tableau Desktop
    11. Install a Tableau OAuth config file for a site on Tableau Server or Tableau Cloud
    12. Federate to Amazon Redshift from Tableau Desktop using Identity Center
    13. Federate to Amazon Redshift from Tableau Server using Identity Center authentication

SAML and SCIM setup between PingFederate and IAM Identity Center

IAM Identity Center integration with PingFederate begins with SAML setup, followed by SCIM.

  1. Set up SAML 2.0 for an SP Connection of type Browser SSO (single sign-on) in PingFederate.
  2. Set up SCIM 2.0 for outbound provisioning. It will sync the users and groups created in an LDAP-based data store like AWS Managed Microsoft AD for PingFederate to the users and groups in IAM Identity Center.

The implementation for the cloud-based IdP option PingOne is not in scope of this post and follows steps similar to those described in Integrate IdP with Amazon Redshift Query Editor v2 using AWS IAM Identity Center for seamless Single Sign-On.

Further details of the SAML and SCIM setup are as follows.

    1. Install PingFederate Server.
    2. Set up the IAM Identity Center integration by following the Ping documentation, including the download of the Identity Center integration files.
      1. Deploy the integration files to your PingFederate installation.
      2. Enable provisioning and configure IdP Browser SSO (SAML connection). (You can implement the Browser SSO connection using only the IAM Identity Center metadata file.)
        1. Under System > Server > Protocol Settings > Federation Info, in the BASE_URL field, use the publicly accessible fully qualified domain name of the PingFederate server.
        2. Create an LDAP-based data store (the name used in this example is AWSManagedMSAD), because the SCIM 2.0 protocol for outbound provisioning only works with LDAP-based data stores in PingFederate. If you're using a cloud-based solution like PingOne, you can set up outbound provisioning in PingOne itself. For this post, we have used AWS Managed Microsoft AD as the data store, created using AWS Directory Service.
        3. Create a password credential validator (the name used in this example is awsmanagedmsadpassval) and IdP adapters (the name used in this example is awsmanagedmsadadapter) for your data store as applicable.
        4. Create an SP connection of type Browser SSO using the sp-saml-metadata.xml file, as explained in creating a provisioning connection.
      3. Export the SAML metadata from PingFederate.
      4. Register PingFederate as an IdP in Identity Center.
      5. Navigate back to the connection saved in step b, and configure outbound provisioning.
    3. Enable provisioning in IAM Identity Center by following step 1 in the documentation.
    4. Then, configure provisioning in PingFederate by following step 2 in the documentation.
    5. Optionally, you can configure and pass user attributes from PingFederate for access control in Identity Center.

Next, connect to Amazon Redshift using its native query editor, Query Editor v2, to validate connectivity to AWS services using IAM Identity Center.

Connect to Amazon Redshift using Query Editor v2

Complete the Walkthrough section of IAM Identity Center integration with Amazon Redshift, which will set up your Amazon Redshift connectivity with Query Editor v2.

If you need further help with the SAML and SCIM setup, and with connecting to Amazon Redshift using Query Editor v2, you can also follow the step-by-step guided demo video, Single sign-on to Amazon Redshift with IAM IDC integration using PingFederate with AWS Managed MSAD Demo.

Configure identity federation from a third-party client

Configure identity federation, enabled by IAM Identity Center, from the IdP PingFederate to the service provider Amazon Redshift using an external client like Tableau. The following steps in the PingFederate admin console and Identity Center guide you through the identity federation process.

Create an access token manager and access token mapping

To map PingFederate attributes to OAuth access tokens and OpenID Connect (OIDC) ID tokens, create an access token manager and token mapping. For full details and setup based on your security needs, see Token mapping in PingFederate, which explains access token management in detail. Complete the following steps to create a token manager.

  1. In the PingFederate administrative console, go to Applications > OAuth > Access Token Management, and choose Create New Instance.
  2. In the Type tab,
    1. Enter an Instance Name and Instance ID of your choice, for example TrustedTokenIssuerMgr.
    2. Select the Type from the drop-down list as JSON Web Tokens, commonly known as JWT.
    3. Leave Parent instance as None and choose Next.
  3. In the Instance configuration tab,
    1. Under Certificates, select Add a new row to 'Certificates', select the certificate for the token manager from the drop-down list, enter a Key ID such as certkey, and choose Update under Action. You can create a new certificate by navigating to Security > Certificate & Key Management > Signing & Decryption Keys & Certificates > Create New.
    2. Select Use Centralized Signing Key.
    3. In JWS Algorithm, select RSA using SHA-256.
    4. Select Enable Token Revocation. Leave everything else as default and choose Next.
  4. Under the Session Validation tab,
    1. Select Include Session Identifier in Access Token.
    2. Select Check for valid authentication session.
    3. Leave the other choices as is and choose Next.
  5. In the Access Token Attribute Contract tab, leave the Subject Attribute Name as the default and proceed to Extend the Contract to add the following attributes and values.
    1. Enter aud, and leave multi-value unchecked. Choose Add under Action.
    2. Repeat the same to enter email, exp, iss, and sub. When done, choose Next.
  6. On each of the Resource URIs and Access Control tabs, leave as is and choose Next.
  7. On the Summary tab, review your changes and choose Save. An instance with the name you provided, like TrustedTokenIssuerMgr, appears in Applications > OAuth > Access Token Management.

Figure 2: Access Token Management Configuration Summary

  8. Navigate to Applications > OAuth > Access Token Mappings, select the default Context and the Access Token Manager TrustedTokenIssuerMgr that was created in the previous step. Choose Add Mapping.
  9. Leave Attribute Sources & User Lookup as is and choose Next.
  10. Under the Contract Fulfillment tab,
    1. For Contract aud, select Text from the Source, and enter the Value as AWSIdentityCenter.
    2. For Contract email, select Persistent Grant from the Source, and Value as email.
    3. For Contract exp, select Persistent Grant from the Source, and Value as EXPIRES_AT.
    4. For Contract iss, select Text from the Source, and enter your base URL as the Value, like https://yourwebsite.domain.com, the same as in System > Server > Protocol Settings > BASE URL.
    5. For Attribute Contract sub, select Persistent Grant from the Source, and Value as USER_KEY.
    6. Choose Next.
  11. Leave Issuance Criteria as is and choose Next.
  12. On the Summary tab, review all your changes and choose Save. A new default Context with the Access Token Manager TrustedTokenIssuerMgr appears in Applications > OAuth > Access Token Mappings.

Figure 3: Access Token Mappings Summary

Create an OIDC policy

For full details and setup based on your security needs, see OpenID Connect (OIDC) policy management in PingFederate. Complete the following steps to set up an OIDC policy.

  1. In the PingFederate administrative console, go to Applications > OAuth > OpenID Connect Policy Management, and choose Add Policy.
  2. In the Manage Policy tab,
    1. Enter the Policy ID and Name of your choice, for example OIDCPolicy.
    2. Select the Access Token Manager created in the previous section, TrustedTokenIssuerMgr, from the drop-down list.
    3. Select Include Session Identifier in ID Token.
    4. Select Include User Info in ID Token.
    5. Select Return ID Token on Refresh Grant.
    6. Leave the others as is and choose Next.
  3. In the Attribute Contract tab, keep only the required attributes in the extended contract and delete the others.
    1. Leave the sub attribute under Attribute Contract as is.
    2. Under Extend the contract, choose delete for all attributes except email. Choose Next.
  4. In the Attribute Scopes tab,
    1. Select openid from the Scope list.
    2. Select email from Attributes.
    3. Choose Add from Actions. Choose Next.
  5. Leave Attribute Sources & User Lookup as is and choose Next.
  6. In the Contract Fulfillment tab,
    1. For Attribute Contract email, select Persistent Grant from the Source, and Value as email.
    2. For Attribute Contract sub, select Persistent Grant from the Source, and Value as USER_KEY.
    3. Choose Next.
  7. Leave Issuance Criteria as is and choose Next.
  8. On the Summary tab, review your changes and choose Save. A policy ID with the name you provided, like OIDCPolicy, appears in Applications > OAuth > OpenID Connect Policy Management.

Figure 4: OpenID Connect Policy Management Summary

Create an OAuth client

For full details and setup based on your security needs, see Configure an OAuth client in PingFederate, which explains each field in detail. Complete the following steps to create an OAuth client.

  1. In the PingFederate administrative console, go to Applications > OAuth > Clients, and choose Add Client.
  2. In the Client ID field, enter a unique, immutable client ID. We use tableauredshiftpingfed as the name in this example.
  3. Enter a Name and Description for the client.
  4. Select a Client Authentication method. You can choose from None, Client TLS Certificate, Private Key JWT, or Client Secret. For this scenario, select Client Secret. Choose Generate Secret to create a new one, or choose Change secret to create your own.
  5. Leave Request object signing algorithm set to Allow Any. You can override it to use the algorithm of your choice if needed.
  6. In the Redirect URIs field, add each of the following values.
    1. http://localhost:8080/authorization-code/callback
    2. http://localhost:55556/Callback
    3. http://localhost:55557/Callback
    4. http://localhost:55558/Callback
    5. http://localhost/auth/add_oauth_token
  7. Select Restrict common scopes. Restrict scopes by selecting the checkboxes for email, offline_access, openid, and profile as required.
  8. In Logo URL, optionally enter the URL for the logo you want to display on the User Grant Authorization and Revocation pages.
  9. In the Allowed Grant Types list, you can choose from a list of authorization options. In this example, select Authorization Code. Optionally, you can select Implicit, Refresh Token, and Client Credentials.
  10. Under Default access token manager, select the access token manager TrustedTokenIssuerMgr created in the previous section.
  11. Select the Restrict box for Restrict to default access token manager.
  12. Customize Persistent grants max lifetime to match your requirements. Set it to 12 hours for this example by using the third radio button.
  13. For OpenID Connect, choose your preferred ID token signing algorithm. Select RSA using SHA-256 for this example. Optionally, for Policy you can choose the OIDC policy created in the previous section.
  14. Leave the remaining settings as default and choose Save.

Figure 5: OAuth Client Configuration

The Tableau Desktop redirect URLs should always use localhost. The following examples also use localhost for the Tableau Server hostname to simplify testing in a test environment. For this setup, you should also access the server at localhost in the browser. In a production environment, or in Tableau Cloud, you should use the full hostname that your users will use to access Tableau on the web, including HTTPS. If you already have an environment with HTTPS configured, you can skip the localhost configuration and use the full hostname from the start.

Set up a PingFederate authorization server

For full details and setup based on your security needs, see Authorization server settings in PingFederate. Complete the following steps to configure an authorization server.

  1. In the PingFederate administrative console, go to System > OAuth Settings > Authorization Server Settings, and make the following changes.
  2. Leave the initial configuration as default, scroll down to Persistent Grant Extended Attributes, and add the attribute email.
  3. For OAuth Administrative Web Services Settings, in Password Credential Validator, select the awsmanagedmsadpassval that you created in the SAML and SCIM setup section.
  4. For Persistent Grant Management API,
    1. In Access Token Manager, select the TrustedTokenIssuerMgr created earlier.
    2. In Required Scope, select openid.
  5. Leave the remaining settings as default and choose Save.

Figure 6: PingFederate Authorization Server Settings

Policy contract grant mapping

For full details and setup based on your security needs, see Grant contract mapping in PingFederate. For this illustration, we set up a policy contract grant mapping for authentication in a three-step process.

Step 1: Create a policy contract

  1. In the PingFederate administrative console, go to Authentication > Policies > Policy Contracts, and choose Create New Contract.
  2. In the Contract Info tab, enter a name. For this example, we use OIDCPolicyContract.
  3. In the Contract Attributes tab, choose Extend the Contract to add the email attribute.
  4. Review and choose Save.

Figure 7: Policy Contract Summary

Step 2: Add an authentication policy

  1. In the PingFederate administrative console, go to Authentication > Policies > Policies, and choose Add Policy.
  2. Enter a policy name. In this example, we use OAuthOIDCPolicy.
  3. In the Policy drop-down, select IdP Adapter and select the awsmanagedmsadadapter that you created in the SAML and SCIM setup section.
  4. Set FAIL to Done and, under SUCCESS, select Policy Contracts from the drop-down menu and select the OIDCPolicyContract created in step 1. Choose Done.

Figure 8: Authentication Policy Configuration

Step 3: Policy contract grant mapping

  1. In the PingFederate administrative console, go to Authentication > OAuth > Policy Contract Grant Mapping, and under Mappings, select the OIDCPolicyContract created in Step 1 and choose Add Mapping.
  2. On the Attribute Sources & User Lookup tab, choose Next.
  3. In the Contract Fulfillment tab,
    1. For Contract USER_KEY, pick Authentication Policy Contract from the Source, and Value as subject.
    2. For Contract USER_NAME, pick Authentication Policy Contract from the Source, and Value as subject.
    3. For Contract email, pick Authentication Policy Contract from the Source, and Value as email.
    4. Choose Next.
  4. Leave Issuance Criteria as is, review, and choose Save.

Figure 9: Policy Contract Grant Mapping Summary

Collect PingFederate information

To configure PingFederate with IAM Identity Center and Amazon Redshift, collect the following parameters. If you don't have these parameters, contact your PingFederate admin.

  1. Issuer URL, auth URL (authUri), and token URL (tokenUri).

You can get these values from the OIDC IdP URL: https://pingfedserver.example.com/.well-known/openid-configuration. Open this URL in a web browser, replacing pingfedserver.example.com with your IdP server name.

The following is an example screenshot of the IdP attributes returned by the OIDC IdP URL, where:

  • The issuer URL corresponds to issuer
  • The auth URL (authUri) corresponds to authorization_endpoint
  • The token URL (tokenUri) corresponds to token_endpoint

Figure 10: Screenshot of IdP Attributes

  2. Audience value

To get the Audience value from PingFederate, sign in to PingFederate as an admin and navigate to the following path to find the audience value that you created during access token mapping creation in PingFederate:

Applications > OAuth > Access Token Mappings > TrustedTokenIssuerMgr > Summary > aud

Figure 11: Access Token Mapping

Set up a trusted token issuer in IAM Identity Center

Switch from the PingFederate console to the IAM Identity Center console for the AWS side of the configuration. Start by adding a trusted token issuer (TTI), which makes it possible to authorize Tableau to make requests on behalf of its users to access data in Amazon Redshift. A TTI is an OAuth 2.0 authorization server that issues tokens to applications that initiate requests (requesting applications). The tokens authorize these applications to initiate requests on behalf of their users to a receiving application (an AWS service). In this step, you create a TTI in the central management account. To create a TTI:

  1. Open the AWS Management Console and navigate to IAM Identity Center, and then to the Settings page.
  2. Select the Authentication tab and, under Trusted token issuers, choose Create trusted token issuer.
  3. On the Set up an external IdP to issue trusted tokens page, under Trusted token issuer details, do the following:
    • For Issuer URL, enter the OIDC discovery URL of the external IdP that will issue tokens for trusted identity propagation. You can get the issuer URL as described in step 1 of the preceding section, Collect PingFederate information.
  4. For Trusted token issuer name, enter a name to identify this TTI in Identity Center and in the application console.
  5. Under Map attributes, do the following:
    1. For the identity provider attribute, select an attribute from the list to map to an attribute in the Identity Center identity store. You can choose Email, Object Identifier, Subject, or Other.
    2. For Identity Center attribute, select the corresponding attribute for the attribute mapping.
  6. Under Tags (optional), choose Add new tag, enter a value for Key, and optionally for Value. For information about tags, see Tagging AWS IAM Identity Center resources.

The following figure shows the setup for the TTI:

Figure 12: Configuring Trusted Token Issuer

Set up client connections and trusted token issuers in Amazon Redshift

In this step, the Amazon Redshift applications that exchange externally generated tokens must be configured to use the TTI you created in the previous step. Also, the audience claim (or aud claim) from PingFederate must be specified. In this example, you're configuring the Amazon Redshift application in the member account where the Amazon Redshift cluster or serverless instance exists.

  1. Select IAM Identity Center connection from the Amazon Redshift console menu.
  2. Select the Amazon Redshift application that you created as part of the prerequisites.
  3. Select the Client connections tab and choose Edit.
  4. Choose Yes under Configure client connections that use third-party IdPs.
  5. Select the checkbox for the Trusted token issuer that you created in the previous section.
  6. Enter the Aud claim value under Configure selected trusted token issuers. For example, AWSIdentityCenter. You can get the audience value from the PingFederate path: Applications > OAuth > Access Token Mappings > TrustedTokenIssuerMgr > Summary > aud.
  7. Choose Save.

Figure 13: Configure Audience Value in Amazon Redshift
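Before moving on to Tableau, it is worth confirming that the values collected in the Collect PingFederate information section and the Aud claim entered in Amazon Redshift actually match what PingFederate puts into its access token; a mismatch in iss or aud is the usual reason the token exchange in step 6 of the workflow fails. The following Python is an added example, not code from the post or from Ping Identity or AWS: the discovery document, hostname and token claims are constructed for illustration, and the claim reader deliberately does not verify the signature, since Identity Center performs that check against the TTI's OIDC discovery metadata.

```python
import base64
import json
import time

# Constructed stand-in for the document returned by
# https://<your-pingfed-host>/.well-known/openid-configuration (hostname assumed).
SAMPLE_DISCOVERY = {
    "issuer": "https://pingfedserver.example.com",
    "authorization_endpoint": "https://pingfedserver.example.com/as/authorization.oauth2",
    "token_endpoint": "https://pingfedserver.example.com/as/token.oauth2",
}

# What the post configures on the AWS side: the TTI issuer URL in Identity Center and
# the Aud claim value entered for the Redshift application.
TTI_ISSUER_URL = "https://pingfedserver.example.com"
REDSHIFT_AUD_CLAIM = "AWSIdentityCenter"
# The attributes the post adds to the PingFederate access token contract.
REQUIRED_CLAIMS = ("aud", "email", "exp", "iss", "sub")


def tableau_endpoints(discovery):
    """Map the discovery document to the issuer URL, authUri and tokenUri the post collects."""
    return {
        "issuer": discovery["issuer"],
        "authUri": discovery["authorization_endpoint"],
        "tokenUri": discovery["token_endpoint"],
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token):
    """Return the payload claims of a compact JWS without checking its signature.

    Signature and key checks are Identity Center's job (it uses the TTI's OIDC discovery
    metadata); this helper only exposes what PingFederate placed in the token so a
    mapping mistake can be spotted before the token exchange is attempted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_tti_claims(claims, issuer_url=TTI_ISSUER_URL, audience=REDSHIFT_AUD_CLAIM, now=None):
    """List every reason the claims would not match the TTI and Redshift configuration.

    An empty list means iss, aud, exp, email and sub line up with the access token
    mapping (Text / Persistent Grant values) and the Identity Center attribute mapping."""
    now = time.time() if now is None else now
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS if name not in claims]
    if problems:
        return problems
    if claims["iss"] != issuer_url:
        problems.append(f"iss {claims['iss']!r} is not the trusted token issuer {issuer_url!r}")
    # RFC 7519 allows aud to be a string or a list; the configured value must be present.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        problems.append(f"aud {aud!r} does not contain the configured Aud claim {audience!r}")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        problems.append("exp is not numeric or is already in the past")
    if "@" not in str(claims["email"]):
        problems.append("email is not an address; the TTI maps Email to the Identity Center user")
    return problems


def constructed_token(claims):
    """Build a JWS-shaped token with a dummy signature so the checks can run offline."""
    header = {"alg": "RS256", "kid": "certkey", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    print(tableau_endpoints(SAMPLE_DISCOVERY))
    # Constructed claims for a user "ethan", shaped like the mapping in this post.
    good = {"iss": TTI_ISSUER_URL, "aud": REDSHIFT_AUD_CLAIM, "exp": int(time.time()) + 3600,
            "email": "ethan@example.com", "sub": "ethan"}
    print(check_tti_claims(jwt_claims(constructed_token(good))))  # []
    # A typical mapping mistake: aud left as the OAuth client ID instead of the Aud claim.
    print(check_tti_claims(dict(good, aud="tableauredshiftpingfed")))
```

Against a real deployment, paste the access token that PingFederate returned to Tableau into jwt_claims and compare the result with the Issuer URL and Aud claim values you entered in the two preceding sections.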

At this point, your IAM Identity Center, Amazon Redshift, and PingFederate configuration is complete. Next, you need to configure Tableau.

Configure Tableau OAuth config files for PingFederate to integrate with Amazon Redshift using IAM Identity Center

The XML file used in this section will be used for all the Tableau products: Tableau Desktop, Server, and Cloud.

To integrate Tableau with Amazon Redshift using IAM Identity Center, you need to use a custom XML file. In this step, you'll use the following XML and replace the values starting with a $ sign. The rest of the values can be kept as they are, or you can modify them based on your specific needs. For detailed information on each of the elements in the file, see the Tableau documentation on GitHub.

You can get authUri and tokenUri as described in step 1 of the preceding section, Collect PingFederate information.



<?xml version="1.0" encoding="utf-8"?>
<!-- Replace every value starting with $ with your own: the Tableau OAuth client ID and
     secret created in PingFederate and the hostname of your PingFederate server. -->
<pluginOAuthConfig>
  <dbclass>redshift</dbclass>
  <oauthConfigId>custom_redshift_pingfed</oauthConfigId>
  <clientIdDesktop>$clientIdDesktop</clientIdDesktop>
  <clientSecretDesktop>$clientSecretDesktop</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <authUri>https://$pingfedserver.com/as/authorization.oauth2</authUri>
  <tokenUri>https://$pingfedserver.com/as/token.oauth2</tokenUri>
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>profile</scopes>
  <scopes>offline_access</scopes>
  <capabilities>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_STATE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
      <value>true</value>
    </entry>
  </capabilities>
  <accessTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
    <entry>
      <key>username</key>
      <value>email</value>
    </entry>
  </accessTokenResponseMaps>
</pluginOAuthConfig>
The following is the example XML:



<?xml version="1.0" encoding="utf-8"?>
<!-- The client secret is not shown in the post; substitute the value generated for the
     tableauredshiftpingfed client in PingFederate. -->
<pluginOAuthConfig>
  <dbclass>redshift</dbclass>
  <oauthConfigId>custom_redshift_pingfed</oauthConfigId>
  <clientIdDesktop>tableauredshiftpingfed</clientIdDesktop>
  <clientSecretDesktop>$clientSecretDesktop</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <authUri>https://pingfedserver.example.com/as/authorization.oauth2</authUri>
  <tokenUri>https://pingfedserver.example.com/as/token.oauth2</tokenUri>
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>profile</scopes>
  <scopes>offline_access</scopes>
  <capabilities>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_STATE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
      <value>true</value>
    </entry>
  </capabilities>
  <accessTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
    <entry>
      <key>username</key>
      <value>email</value>
    </entry>
  </accessTokenResponseMaps>
</pluginOAuthConfig>

Install the Tableau OAuth config file on a client machine for Tableau Desktop

After the XML configuration file is created, it needs to be copied to a specific location so that the Amazon Redshift Connector in Tableau Desktop can use it. Save the preceding file as an .xml file under Documents\My Tableau Repository\OAuthConfigs.

Note: Currently this integration is not supported on macOS, because the Amazon Redshift ODBC 2.X driver is not yet supported for Mac.

Install the Tableau OAuth config file for a site on Tableau Server or Tableau Cloud

To integrate with Amazon Redshift using IAM Identity Center authentication, you need to install the Tableau OAuth config file in Tableau Server or Tableau Cloud.

  1. Sign in to Tableau Server or Tableau Cloud using admin credentials.
  2. Navigate to Settings.
  3. Go to OAuth Clients Registry and select Add OAuth Client.
  4. Choose the following settings:
    1. Connection type: Select Amazon Redshift.
    2. OAuth Provider: Select Custom_IdP.
    3. Client ID: Enter your IdP client ID value.
    4. Client Secret: Enter your client secret value.
    5. Redirect URL: Enter the value http://localhost/auth/add_oauth_token. In this post, we're using localhost for testing in the local environment. You should ideally use the full hostname with https.
    6. Choose OAuth Config File: Select the XML file that you configured in the Tableau Desktop section.
    7. Select Add OAuth Client and choose Save.

Figure 14: Create an OAuth connection in Tableau Server or Cloud

Federate to Amazon Redshift from Tableau Desktop using IAM Identity Center

Now, you're ready to connect from Tableau with federated sign-in using IAM Identity Center authentication. In this step, you'll create a Tableau Desktop report and publish it to Tableau Server.

  1. Open Tableau Desktop.
  2. Choose the Amazon Redshift Connector and enter the following values:
    1. Server: Enter the name of the server that hosts the database and the name of the database you want to connect to.
    2. Port: Enter 5439.
    3. Database: Enter your database name. In this example, we use dev.
    4. Authentication: Select OAuth.
    5. Federation Type: Select Identity Center.
    6. Identity Center Namespace: You can leave this blank.
    7. OAuth Provider: This value should automatically be pulled from your configured XML. It will be the value from the oauthConfigId element.
    8. Select the checkbox for Require SSL.
  3. Choose Sign In.
  4. A browser pop-up opens where you'll enter your IdP credentials.

Figure 15: Tableau Desktop OAuth connection

  5. When authentication is successful, you will see the message Tableau created this window to authenticate. It's now safe to close it.

Figure 16: Successful authentication using Tableau

Congratulations! You are signed in using the IAM Identity Center integration with Amazon Redshift and are ready to explore and analyze your data using Tableau Desktop.

Figure 17: Successful connection using Tableau Desktop

The following is a screenshot from the Amazon Redshift system table (sys_query_history) showing that user Ethan from PingFederate is accessing the sales report.

Figure 18: User audit in sys_query_history

Now you can create your own Tableau report on the desktop version and publish it to your Tableau Server. For the next section, you create and publish a report named Account Level Sales.

Federate to Amazon Redshift from Tableau Server using IAM Identity Center authentication

After you have published the report from Tableau Desktop to Tableau Server, sign in as a non-admin user and view the published report using IAM Identity Center authentication.

  1. Sign in to the Tableau Server site as a non-admin user.
  2. Navigate to Explore and go to the folder where your published report is saved.
  3. Select the report and choose Sign In.

Figure 19: Sign In Prompt on Tableau Cloud/Server

  4. Enter your PingFederate credentials in the browser pop-up to authenticate.
  5. After successful authentication, you can access the data and create reports.

Figure 20: Tableau report

Clean up

Complete the following steps to clean up your resources:

  1. Delete the IdP applications that you created to integrate with IAM Identity Center.
  2. Delete the Identity Center configuration.
  3. Delete the Amazon Redshift application and the Amazon Redshift provisioned cluster or Serverless instance that you created for testing.
  4. Delete the IAM role and IAM policy that you created for the Identity Center and Amazon Redshift integration.
  5. Delete the permission set from Identity Center that you created for Amazon Redshift Query Editor v2 in the management account.
  6. Clean up resources related to PingFederate.

Conclusion

This post covered streamlining access management for data analytics by using Tableau's capability to support single sign-on based on the OAuth 2.0 and OIDC protocols. This setup facilitates federated user authentication, where user identities from an external identity provider like PingFederate are trusted and propagated to Amazon Redshift. You walked through the steps to configure Tableau Desktop and Tableau Server to integrate seamlessly with Amazon Redshift using AWS IAM Identity Center for single sign-on. By using this integration of a third-party IdP with IAM Identity Center, analysts can securely access Amazon Redshift data sources within Tableau without managing separate database credentials.

Learn more about Amazon Redshift integration with IAM Identity Center using PingFederate as an identity provider by visiting the following resources.


About the authors

Rohit Vashishtha

Rohit is a Senior Analytics Specialist Solutions Architect at AWS based in Dallas, Texas. He has 20 years of experience architecting, building, leading, and maintaining big data platforms. Rohit helps customers modernize their analytic workloads using the breadth of AWS services and ensures that customers get the best price/performance with utmost security and data governance.

Maneesh Sharma

Maneesh is a Database Modernization ProServ Consultant at AWS with 15 years of experience designing and implementing large-scale data warehouse and analytics solutions. He works closely with customers to help them modernize their legacy applications to AWS cloud-based platforms.

Jared Warren

Jared is a Principal Solutions Architect at Amazon Web Services, working with our Enterprise customers. Outside of work, he plays board games (the nerdier the better) and smokes bar-b-que in his backyard.

Jason Veinot

Jason is a Senior Solutions Architect at Ping Identity with more than 20 years' experience in IT and cybersecurity. He focuses on Identity and Access Management (IAM), pairing deep infrastructure and cloud expertise with hands-on leadership to design and deliver modern identity solutions. Jason partners with leading technology providers to accelerate outcomes and help organizations achieve their unique IAM goals.
