To connect to Amazon Redshift using Azure AD with MFA, complete the following prerequisites first:
- Set up an Azure Enterprise application with MFA capability enabled
- Set up the IAM provider and roles
For instructions, see:
- Federate access to Amazon Redshift using the JDBC browser plugin for Single Sign-on authentication with Microsoft Azure Active Directory
- Federating Amazon Redshift Access with Microsoft Azure AD
Connecting to Amazon Redshift
- Navigate to the Database Explorer panel and select the Redshift item from the dropdown:
- Download the latest version of the Amazon Redshift JDBC driver, enter the Host value and set the following connection properties:
Authentication = Identity Provider Federation
Identity Provider = Microsoft Azure Active Directory (Azure AD)
Authentication Method = MFA
- Fill in the Azure AD IdP Tenant field with the value of your IdP tenant, and the Azure AD Client ID field with the value of your application client ID:
- Fill in the other fields as needed; each is described below.
Host
The host name of the Amazon Redshift server to connect to.
Port
The port of the Amazon Redshift server to connect to; the default is 5439.
SSL Mode
Specifies how the driver validates the server certificate when TLS/SSL is enabled (Prefer or Require if the latest driver version is used). The connection carries the temporary IAM credentials obtained through federation as well as your query data, so use the strictest mode your driver version supports rather than disabling certificate validation.
IdP Port
The local port on which the driver listens for the identity provider's response when using the browser plugin; the default is 7890. After sign-in the browser is redirected to localhost on this port, so the port must be free on the client machine and must match the reply URL registered for the Azure application.
IdP SSO Response Timeout
The amount of time, in seconds, that the driver waits for the SAML response from the identity provider when using the SAML or Azure AD services through the browser plugin. The default is 60. Allow enough time to complete the MFA challenge in the browser.
DB User
The user ID to use with your Amazon Redshift account. You can use an ID that doesn't currently exist if the AutoCreate property is enabled.
DB Groups
A comma-separated list of existing database group names that the DB user joins for the current session.
IAM Role
The IAM role that you want to assume for the connection to Amazon Redshift. This matters when the SAML assertion lists more than one role: the driver assumes the one named here.
Azure AD IdP Tenant
The Azure AD tenant ID for your Amazon Redshift application (the tenant of your company as configured in Azure).
Azure AD Client ID
The client ID (application ID, with hyphens) of the Amazon Redshift application you created when setting up your Azure SSO configuration. It is used to identify the application to Azure AD and is not a secret.
Database
The name of the database to connect to.
Connection timeout (sec)
The timeout, in seconds, for socket connect operations. If establishing the Amazon Redshift connection takes longer than this value, the connection is considered unavailable. A value of 0 means that no timeout is applied.
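For reference, the same settings expressed as Amazon Redshift JDBC driver connection properties, so the GUI fields above can be mapped to what the driver actually receives. This is an added example, not code from the original page or from the tool it describes. The host, tenant, client ID, user, group and role values are placeholders, and the property names used here (plugin_name, idp_tenant, client_id, idp_port, idp_response_timeout, DbUser, DbGroups, AutoCreate, preferred_role, ssl, sslmode, loginTimeout) are those of the Redshift JDBC driver 2.x as documented by AWS; check them against the documentation of the driver version you downloaded.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class RedshiftAzureMfaExample {
    public static void main(String[] args) throws SQLException {
        // Placeholders: replace with your cluster endpoint, database, tenant and application IDs.
        String host = "examplecluster.abc123xyz789.us-east-1.redshift.amazonaws.com";
        String database = "dev";
        // The "iam" scheme tells the driver to obtain temporary credentials through federation.
        String url = "jdbc:redshift:iam://" + host + ":5439/" + database;

        Properties props = new Properties();
        // Authentication = Identity Provider Federation, Identity Provider = Azure AD, Method = MFA:
        // the browser-based Azure plugin opens the default browser and receives the SAML response on localhost.
        props.setProperty("plugin_name", "com.amazon.redshift.plugin.BrowserAzureCredentialsProvider");
        props.setProperty("idp_tenant", "00000000-0000-0000-0000-000000000000"); // Azure AD IdP Tenant (placeholder)
        props.setProperty("client_id", "11111111-1111-1111-1111-111111111111");  // Azure AD Client ID (placeholder)
        props.setProperty("idp_port", "7890");            // IdP Port: local listener, must match the app's reply URL
        props.setProperty("idp_response_timeout", "60");  // IdP SSO Response Timeout, seconds
        props.setProperty("DbUser", "alice");             // DB User (placeholder); created on first login if AutoCreate
        props.setProperty("AutoCreate", "true");
        props.setProperty("DbGroups", "analysts");        // DB Groups (placeholder): existing groups joined this session
        props.setProperty("preferred_role",
                "arn:aws:iam::123456789012:role/RedshiftAzureReader"); // IAM Role (placeholder ARN)
        props.setProperty("ssl", "true");
        props.setProperty("sslmode", "verify-full");      // SSL Mode: validate the certificate chain and host name
        props.setProperty("loginTimeout", "30");          // Connection timeout (sec)

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("select current_user")) {
            while (rs.next()) {
                // Confirm the session runs as the federated DB user, not a shared or administrative account.
                System.out.println("connected as " + rs.getString(1));
            }
        }
    }
}
```

Two points worth checking when this fails. First, the plugin listens only on the local machine on idp_port, so the reply URL registered for the Azure enterprise application (set up in the guides referenced above) must point the browser back to localhost on that port, and nothing else may be bound to it. Second, the driver does not enforce MFA itself; the "MFA" method simply uses the interactive browser flow, and the second factor is required only if your Azure AD conditional access policy requires it for this application, so verify the policy rather than assuming the driver setting guarantees it.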
Once the connection is configured, click the 'Test' button to check that it works. If the settings are correct, the driver opens the default browser on the Azure AD sign-in page:
After you sign in and complete the MFA challenge, the browser is redirected to localhost with a success message and the connection test completes: