Connect to Redshift using Microsoft Azure Active Directory SSO with MFA


To successfully connect to Redshift using Azure AD MFA, please complete the following prerequisites:

  1. Set up an Azure Enterprise application with MFA capability enabled
  2. Set up the IAM provider and roles

For instructions, see:

Connecting to Amazon Redshift

  1. Navigate to the Database Explorer panel and select Redshift item from the dropdown:


  2. Download the latest version of Amazon Redshift JDBC driver, enter the Host value and set the following connection properties:
    Authentication = Identity Provider Federation
    Identity Provider = Microsoft Azure Active Directory (Azure AD)
    Authentication Method = MFA


  3. Fill in the Azure AD IdP Tenant field with the value of your IdP tenant, and the Azure AD Client ID field with the value of your application client ID:


  4. Populate the other fields if desired.

Connection Properties


The host name of the Amazon Redshift server to connect to.


The port of the Amazon Redshift server to connect to, the default port is 5439.

SSL Mode

Use this property to specify how the driver validates certificates when TLS/SSL is enabled, Prefer or Require if the latest driver version is used.

Listen Port

The port used by an IdP (identity provider), the default is 7890.
IdP SSO Response Timeout - The amount of time, in seconds, that the driver waits for the SAML response from the identity provider when using the SAML or Azure AD services through a browser plugin. The default is 60.

DB User

The user ID to use with your Amazon Redshift account. You can use an ID that doesn't currently exist if you have enabled the AutoCreate property.

DB Groups

A comma-separated list of existing database group names that DBUser joins for the current session.

Preferred Role

The IAM role that you want to assume during the connection to Amazon Redshift.

Azure AD IdP Tenant

The Azure AD tenant ID for your Amazon Redshift application (the tenant name of your company configured on your IdP (Azure)).

Azure AD Client ID

The client ID to use when authenticating the connection using the Azure AD service (the client ID with hyphens of the Amazon Redshift application you created when setting up your Azure SSO configurations).


The name of the database to connect to.

Connection timeout (sec)

The timeout value to use for socket connect operations. If the time required to establish an Amazon Redshift connection exceeds this value, the connection is considered unavailable. The timeout is specified in seconds. A value of 0 means that no timeout is specified.


Once the connection is created, click the 'Test' button to check if it is configured correctly. If so, the driver will open the default browser with the SSO sign-in page:


After you sign in, you’re redirected to localhost with a success message:


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request