
Integrate Tableau and PingFederate with Amazon Redshift using AWS IAM Identity Center


This post continues our series on single sign-on to Amazon Redshift with AWS IAM Identity Center (successor to AWS Single Sign-On) integration.

In this post, we outline a complete guide for setting up single sign-on from Tableau Desktop to Amazon Redshift using IAM Identity Center, with PingFederate as the identity provider (IdP) backed by an LDAP-based data store, AWS Directory Service for Microsoft Active Directory.

Prerequisites

You should have the following prerequisites:

  1. A PingFederate account with an active subscription. You need an admin role to set up the application in PingFederate. If you're new to PingFederate, you can reach out to Ping Identity Sales.
  2. A working PingFederate server.
  3. An Amazon Redshift Serverless workgroup or a provisioned Amazon Redshift data warehouse.
  4. The latest Amazon Redshift ODBC 2.x driver, downloaded and installed.
  5. Tableau Desktop 2024.1 or later, downloaded and installed.
  6. Tableau Server 2023.3.9 or later. For Tableau Server installation, see Install and Configure Tableau Server.

Solution overview

The PingFederate instance connects to IAM Identity Center using SAML. The users and groups in PingFederate are synced to IAM Identity Center using the open standard SCIM. After you set up SAML and SCIM, you can enable single sign-on to Amazon Redshift from the AWS Management Console using Amazon Redshift Query Editor v2. This is done by creating an Identity Center application in the Amazon Redshift console.

To enable single sign-on to Amazon Redshift from outside AWS using a third-party client like Tableau, you set up a trusted token issuer token exchange based on the OIDC standard.

Figure 1: Solution overview for Tableau integration with Amazon Redshift using IAM Identity Center and PingFederate

The workflow, shown in the preceding figure, consists of the following steps:

  1. The user configures Tableau to access Amazon Redshift using IAM Identity Center authentication.
  2. On a user sign-in attempt, Tableau initiates a browser-based OAuth flow and redirects the user to the PingFederate sign-in page to enter their credentials. Password validation is done against the AWS Managed Microsoft AD data store.
  3. On successful authentication, PingFederate issues tokens (an ID token and an access token) to Tableau.
  4. The Amazon Redshift driver then calls the Amazon Redshift-enabled Identity Center application and forwards the PingFederate access token.
  5. Amazon Redshift passes the token to Identity Center and requests an Identity Center access token in exchange.
  6. Identity Center verifies the token using the OIDC discovery connection to the trusted token issuer and returns an Identity Center-generated access token for the same user. In the preceding figure, the trusted token issuer (TTI) is the PingFederate server that Identity Center trusts to issue tokens that third-party applications like Tableau use to call AWS services.
  7. Amazon Redshift then uses the Identity Center token to obtain the user and group membership information from Identity Center.
  8. The Tableau user can now connect to Amazon Redshift and access data based on the user and group membership returned by Identity Center. The users and groups in the LDAP-based AWS Managed Microsoft AD data store behind PingFederate are propagated to Identity Center through SCIM outbound provisioning.

Walkthrough

In this walkthrough, you use the following steps to build the solution:

  1. SAML and SCIM setup between PingFederate and IAM Identity Center
  2. Connect to Amazon Redshift using Query Editor v2
  3. Configure identity federation from a third-party client
    1. Create an access token manager and access token mapping
    2. Create an OIDC policy
    3. Create an OAuth client
    4. Set up a PingFederate authorization server
    5. Policy contract grant mapping
    6. Collect PingFederate information
    7. Set up a trusted token issuer in IAM Identity Center
    8. Set up client connections and trusted token issuers in Amazon Redshift
    9. Configure Tableau OAuth config files for PingFederate to integrate with Amazon Redshift using IAM Identity Center
    10. Install a Tableau OAuth config file on a client machine for Tableau Desktop
    11. Install a Tableau OAuth config file for a site on Tableau Server or Tableau Cloud
    12. Federate to Amazon Redshift from Tableau Desktop using Identity Center
    13. Federate to Amazon Redshift from Tableau Server using Identity Center authentication

SAML and SCIM setup between PingFederate and IAM Identity Center

IAM Identity Center integration with PingFederate begins with SAML setup, followed by SCIM.

  1. Set up SAML 2.0 for an SP connection of type Browser SSO (single sign-on) in PingFederate.
  2. Set up SCIM 2.0 for outbound provisioning. It syncs the users and groups from an LDAP-based data store, such as AWS Managed Microsoft AD behind PingFederate, to users and groups in IAM Identity Center.

The implementation for the cloud-based IdP option, PingOne, is out of scope for this post and follows steps similar to those described in Integrate IdP with Amazon Redshift Query Editor v2 using AWS IAM Identity Center for seamless Single Sign-On.

Further details of the SAML and SCIM setup follow.

    1. Install PingFederate Server.
    2. Set up the IAM Identity Center integration by following the Ping documentation, including the download of the Identity Center integration files.
      1. Deploy the integration files to your PingFederate installation.
      2. Enable provisioning and configure IdP Browser SSO (the SAML connection). (You can implement the Browser SSO connection using only the IAM Identity Center metadata file.)
        1. Under System > Server > Protocol Settings > Federation Info, in the BASE URL field, use the publicly accessible fully qualified domain name of the PingFederate server.
        2. Create an LDAP-based data store (named AWSManagedMSAD in this example), because SCIM 2.0 outbound provisioning in PingFederate only works with LDAP-based data stores. If you are using a cloud-based solution like PingOne, you can set up outbound provisioning in PingOne itself. For this post, we use AWS Managed Microsoft AD, created with AWS Directory Service, as the data store.
        3. Create a password credential validator (named awsmanagedmsadpassval in this example) and an IdP adapter (named awsmanagedmsadadapter in this example) for your data store, as applicable.
        4. Create an SP connection of type Browser SSO using the sp-saml-metadata.xml file, as explained in creating a provisioning connection.
      3. Export the SAML metadata from PingFederate.
      4. Register PingFederate as an IdP in Identity Center.
      5. Navigate back to the SP connection saved in step 2.2.4 and configure outbound provisioning.
    3. Enable provisioning in IAM Identity Center by following step 1 in the documentation.
    4. Then configure provisioning in PingFederate by following step 2 in the documentation.
    5. Optionally, configure and pass user attributes from PingFederate for access control in Identity Center.

Next, connect to Amazon Redshift using its native query editor, Query Editor v2, to validate AWS service connectivity through IAM Identity Center.

Connect to Amazon Redshift using Query Editor v2

Complete the Walkthrough section of IAM Identity Center integration with Amazon Redshift, which sets up your Amazon Redshift connectivity with Query Editor v2.

If you need further help with the SAML and SCIM setup and with connecting to Amazon Redshift using Query Editor v2, you can also follow the step-by-step guided demo video Single sign-on to Amazon Redshift with IAM IDC integration using PingFederate with AWS Managed MSAD Demo.

Configure identity federation from a third-party client

Next, configure identity federation, brokered by IAM Identity Center, from the IdP PingFederate to the service provider Amazon Redshift for an external client like Tableau. The following steps in the PingFederate admin console and in Identity Center guide you through the identity federation setup.

Create an access token manager and access token mapping

To map PingFederate attributes into OAuth access tokens and OpenID Connect (OIDC) ID tokens, create an access token manager and an access token mapping. For full details and setup based on your security needs, see Token mapping in PingFederate, which explains access token management in detail. Complete the following steps to create a token manager.

  1. In the PingFederate administrative console, go to Applications > OAuth > Access Token Management, and choose Create New Instance.
  2. On the Type tab:
    1. Enter an Instance Name and Instance ID of your choice, for example TrustedTokenIssuerMgr.
    2. For Type, select JSON Web Tokens (JWT) from the drop-down list.
    3. Leave Parent Instance as None and choose Next.
  3. On the Instance Configuration tab:
    1. Under Certificates, choose Add a new row to 'Certificates', select the signing certificate for the token manager from the drop-down list, enter a Key ID such as certkey, and choose Update under Action. You can create a new certificate under Security > Certificate & Key Management > Signing & Decryption Keys & Certificates > Create New.
    2. Select Use Centralized Signing Key.
    3. For JWS Algorithm, select RSA using SHA-256.
    4. Select Enable Token Revocation. Leave everything else at the default and choose Next.
  4. On the Session Validation tab:
    1. Select Include Session Identifier in Access Token.
    2. Select Check for valid authentication session.
    3. Leave the other options as they are and choose Next.
  5. On the Access Token Attribute Contract tab, leave the Subject Attribute Name at the default and, under Extend the Contract, add the following attributes.
    1. Enter aud, leave Multi-Value unchecked, and choose Add under Action.
    2. Repeat for email, exp, iss, and sub. When done, choose Next.
  6. On the Resource URIs and Access Control tabs, leave the defaults and choose Next.
  7. On the Summary tab, review your changes and choose Save. An instance with the name you provided, such as TrustedTokenIssuerMgr, appears under Applications > OAuth > Access Token Management.

Figure 2: Access Token Management configuration summary

  8. Navigate to Applications > OAuth > Access Token Mappings, select the default Context and the Access Token Manager TrustedTokenIssuerMgr created in the previous step, and choose Add Mapping.
  9. Leave Attribute Sources & User Lookup as is and choose Next.
  10. On the Contract Fulfillment tab:
    1. For aud, select Text as the Source and enter AWSIdentityCenter as the Value. This is the audience you will later enter in the Amazon Redshift console; Identity Center exchanges a PingFederate token only if its aud claim matches that configured audience.
    2. For email, select Persistent Grant as the Source and email as the Value.
    3. For exp, select Persistent Grant as the Source and EXPIRES_AT as the Value.
    4. For iss, select Text as the Source and enter your base URL as the Value, such as https://yourwebsite.domain.com, identical to the BASE URL under System > Server > Protocol Settings. The iss value must match the issuer in your OIDC discovery document exactly, because that is what the trusted token issuer in Identity Center validates against.
    5. For sub, select Persistent Grant as the Source and USER_KEY as the Value.
    6. Choose Next.
  11. Leave Issuance Criteria as is and choose Next.
  12. On the Summary tab, review all your changes and choose Save. A new default Context with Access Token Manager TrustedTokenIssuerMgr appears under Applications > OAuth > Access Token Mappings.

Figure 3: Access Token Mappings summary

Create an OIDC policy

For full details and setup based on your security needs, see OpenID Connect (OIDC) policy management in PingFederate. Complete the following steps to set up an OIDC policy.

  1. In the PingFederate administrative console, go to Applications > OAuth > OpenID Connect Policy Management, and choose Add Policy.
  2. On the Manage Policy tab:
    1. Enter a Policy ID and Name of your choice, for example OIDCPolicy.
    2. For Access Token Manager, select TrustedTokenIssuerMgr, created in the previous section, from the drop-down list.
    3. Select Include Session Identifier in ID Token.
    4. Select Include User Info in ID Token.
    5. Select Return ID Token on Refresh Grant.
    6. Leave the others as they are and choose Next.
  3. On the Attribute Contract tab, keep only the required attributes in the extended contract and delete the others.
    1. Leave the sub attribute under Attribute Contract as is.
    2. Under Extend the Contract, choose Delete for every attribute except email. Choose Next.
  4. On the Attribute Scopes tab:
    1. Select openid from the Scope list.
    2. Select email from Attributes.
    3. Choose Add from Actions, then choose Next.
  5. Leave Attribute Sources & User Lookup as is and choose Next.
  6. On the Contract Fulfillment tab:
    1. For email, select Persistent Grant as the Source and email as the Value.
    2. For sub, select Persistent Grant as the Source and USER_KEY as the Value.
    3. Choose Next.
  7. Leave Issuance Criteria as is and choose Next.
  8. On the Summary tab, review your changes and choose Save. A policy with the ID you provided, such as OIDCPolicy, appears under Applications > OAuth > OpenID Connect Policy Management.

Figure 4: OpenID Connect Policy Management summary

Create an OAuth client

For full details and setup based on your security needs, see Configure an OAuth client in PingFederate, which explains each field in detail. Complete the following steps to create an OAuth client.

  1. In the PingFederate administrative console, go to Applications > OAuth > Clients, and choose Add Client.
  2. In the Client ID field, enter a unique, immutable client ID. We use tableauredshiftpingfed as the name in this example.
  3. Enter a Name and Description for the client.
  4. Select a Client Authentication method. You can choose from None, Client TLS Certificate, Private Key JWT, or Client Secret. For this scenario, select Client Secret. Choose Generate Secret to create a new one, or choose Change Secret to enter your own.
  5. Leave Request Object Signing Algorithm set to Allow Any. You can override it with the algorithm of your choice if needed.
  6. In the Redirect URIs field, add each of the following values. PingFederate will only redirect an authorization code to a URI that matches one of these entries exactly, so they must be identical to the ones Tableau Desktop and Tableau Server use.
    1. http://localhost:8080/authorization-code/callback
    2. http://localhost:55556/Callback
    3. http://localhost:55557/Callback
    4. http://localhost:55558/Callback
    5. http://localhost/auth/add_oauth_token
  7. Select Restrict Common Scopes. Restrict the scopes by selecting the checkboxes for email, offline_access, openid, and profile as required.
  8. For Logo URL, optionally enter the URL of the logo to display on the User Grant Authorization and Revocation pages.
  9. In the Allowed Grant Types list, choose from the available authorization options. In this example, select Authorization Code. Optionally, you can also select Refresh Token (needed if Tableau is to renew tokens using the offline_access scope), Implicit, or Client Credentials. Note that the Implicit grant is not used by this flow and is discouraged by current OAuth 2.0 security guidance, so there is no reason to enable it here.
  10. Under Default Access Token Manager, select the access token manager TrustedTokenIssuerMgr created in the previous section.
  11. Select the Restrict checkbox for Restrict to Default Access Token Manager.
  12. Customize Persistent Grants Max Lifetime to match your requirements. Set it to 12 hours for this example by using the third radio button.
  13. For OpenID Connect, choose your preferred ID Token Signing Algorithm. Select RSA using SHA-256 for this example. Optionally, for Policy, choose the OIDC policy created in the previous section.
  14. Leave the remaining settings at their defaults and choose Save.

Figure 5: OAuth client configuration

The Tableau Desktop redirect URLs should always use localhost. The following example also uses localhost as the Tableau Server hostname to simplify testing in a test environment; for this setup, you should also access the server at localhost in the browser. In a production environment, or on Tableau Cloud, use the full hostname that your users will use to access Tableau on the web, including HTTPS. If you already have an environment with HTTPS configured, you can skip the localhost configuration and use the full hostname from the start.

Set up a PingFederate authorization server

For full details and setup based on your security needs, see Authorization server settings in PingFederate. Complete the following steps to configure the authorization server.

  1. In the PingFederate administrative console, go to System > OAuth Settings > Authorization Server Settings, and make the following changes.
  2. Leave the initial configuration at the defaults, scroll down to Persistent Grant Extended Attributes, and add the attribute email.
  3. Under OAuth Administrative Web Services Settings, for Password Credential Validator, select awsmanagedmsadpassval, which you created in the SAML and SCIM setup section.
  4. Under Persistent Grant Management API:
    1. For Access Token Manager, select the TrustedTokenIssuerMgr created earlier.
    2. For Required Scope, select openid.
  5. Leave the remaining settings at their defaults and choose Save.

Figure 6: PingFederate authorization server settings

Policy contract grant mapping

For full details and setup based on your security needs, see Grant contract mapping in PingFederate. For this illustration, we set up a policy contract grant mapping for authentication in a three-step process.

Step 1: Create a policy contract

  1. In the PingFederate administrative console, go to Authentication > Policies > Policy Contracts, and choose Create New Contract.
  2. On the Contract Info tab, enter a name. For this example, we use OIDCPolicyContract.
  3. On the Contract Attributes tab, choose Extend the Contract to add the email attribute.
  4. Review and choose Save.

Figure 7: Policy contract summary

Step 2: Add an authentication policy

  1. In the PingFederate administrative console, go to Authentication > Policies > Policies, and choose Add Policy.
  2. Enter a policy name. In this example, we use OAuthOIDCPolicy.
  3. In the Policy drop-down, select IdP Adapter and then select the awsmanagedmsadadapter that you created in the SAML and SCIM setup section.
  4. Set FAIL to Done. Under SUCCESS, select Policy Contracts from the drop-down menu and select the OIDCPolicyContract created in step 1. Choose Done.

Figure 8: Authentication policy configuration

Step 3: Policy contract grant mapping

  1. In the PingFederate administrative console, go to Authentication > OAuth > Policy Contract Grant Mapping. Under Mappings, select the OIDCPolicyContract created in step 1 and choose Add Mapping.
  2. On the Attribute Sources & User Lookup tab, choose Next.
  3. On the Contract Fulfillment tab:
    1. For USER_KEY, select Authentication Policy Contract as the Source and subject as the Value.
    2. For USER_NAME, select Authentication Policy Contract as the Source and subject as the Value.
    3. For email, select Authentication Policy Contract as the Source and email as the Value.
    4. Choose Next.
  4. Leave Issuance Criteria as is, review, and choose Save.

Figure 9: Policy contract grant mapping summary

Collect PingFederate information

To configure PingFederate with IAM Identity Center and Amazon Redshift, collect the following parameters. If you don't have them, contact your PingFederate admin.

  1. Issuer URL, auth URL (authUri), and token URL (tokenUri).

You can get these values from the OIDC discovery URL of the IdP: https://pingfedserver.example.com/.well-known/openid-configuration. Open this URL in a web browser, replacing pingfedserver.example.com with your IdP server name.

The following is an example screenshot of the IdP attributes returned by the OIDC discovery URL, where:

  • The issuer URL corresponds to issuer
  • The auth URL (authUri) corresponds to authorization_endpoint
  • The token URL (tokenUri) corresponds to token_endpoint

Figure 10: Screenshot of IdP attributes

  2. Audience value

To get the audience value from PingFederate, sign in to PingFederate as an admin and navigate to the following path, which shows the aud value you set during access token mapping creation:

Applications > OAuth > Access Token Mappings > TrustedTokenIssuerMgr > Summary > aud

Figure 11: Access token mapping

Set up a trusted token issuer in IAM Identity Center

Switch from the PingFederate console to the IAM Identity Center console for the AWS side of the configuration. Start by adding a trusted token issuer (TTI), which makes it possible to authorize Tableau to make requests on behalf of its users to access data in Amazon Redshift. A TTI is an OAuth 2.0 authorization server that issues tokens to applications that initiate requests (requesting applications). The tokens authorize those applications to initiate requests on behalf of their users to a receiving application (an AWS service). In this step, you create the TTI in the central management account. To create a TTI:

  1. Open the AWS Management Console, navigate to IAM Identity Center, and then to the Settings page.
  2. Select the Authentication tab and, under Trusted token issuers, choose Create trusted token issuer.
  3. On the Set up an external IdP to issue trusted tokens page, under Trusted token issuer details, do the following:
    • For Issuer URL, enter the OIDC discovery URL of the external IdP that will issue tokens for trusted identity propagation. You can get the issuer URL as described in step 1 of the preceding section, Collect PingFederate information. Identity Center uses this URL to fetch the IdP's signing keys and to match the iss claim of incoming tokens, so it must be the exact issuer value from the discovery document.
  4. For Trusted token issuer name, enter a name to identify this TTI in Identity Center and in the application console.
  5. Under Map attributes, do the following:
    1. For the identity provider attribute, select the token claim to map to an attribute in the Identity Center identity store. You can select Email, Object Identifier, Subject, or Other. For this setup, email is the natural choice, because it is both in the PingFederate token contract and synchronized into the Identity Center identity store through SCIM.
    2. For Identity Center attribute, select the corresponding identity store attribute for the mapping.
  6. Under Tags (optional), choose Add new tag, enter a value for Key and optionally for Value. For information about tags, see Tagging AWS IAM Identity Center resources.

The following figure shows the TTI setup:

Figure 12: Configuring the trusted token issuer

Set up client connections and trusted token issuers in Amazon Redshift

In this step, the Amazon Redshift application that exchanges externally generated tokens must be configured to use the TTI you created in the previous step. You must also specify the audience claim (aud claim) that PingFederate puts in its tokens. In this example, you configure the Amazon Redshift application in the member account where the Amazon Redshift cluster or serverless workgroup exists.

  1. Select IAM Identity Center connection from the Amazon Redshift console menu.
  2. Select the Amazon Redshift application that you created as part of the prerequisites.
  3. Select the Client connections tab and choose Edit.
  4. Choose Yes under Configure client connections that use third-party IdPs.
  5. Select the checkbox for the trusted token issuer that you created in the previous section.
  6. Enter the aud claim value under Configure selected trusted token issuers, for example AWSIdentityCenter. You can get the audience value from the PingFederate path Applications > OAuth > Access Token Mappings > TrustedTokenIssuerMgr > Summary > aud. Tokens whose aud claim does not match this value are rejected at the token exchange.
  7. Choose Save.

Figure 13: Configure the audience value in Amazon Redshift

At this point, your IAM Identity Center, Amazon Redshift, and PingFederate configuration is complete. Next, you need to configure Tableau.
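Before moving on to Tableau, it is worth confirming offline that a token PingFederate issues actually satisfies the trust you just configured. The following Python script is an added example, not code from the original post, Ping Identity, or AWS: it reads the OIDC discovery document collected in the Collect PingFederate information step and checks a token's iss, aud, exp, sub, and email claims against the issuer entered in the trusted token issuer and the audience entered in the Amazon Redshift console. The host name, the /pf/JWKS path, and the token for the user Ethan are constructed sample values, and the script does not verify the signature, which Identity Center does using the keys published through discovery.

```python
"""Pre-flight claim check for the PingFederate -> IAM Identity Center trust.

Added example; not code from the original post, Ping Identity, or AWS.
It reads the OIDC discovery document (the .well-known/openid-configuration
output the post asks you to collect) and inspects a PingFederate access
token the way the trusted token issuer and the Redshift client connection
will: iss must equal the discovery issuer, aud must contain the audience
entered in the Redshift console, exp must be in the future, and the claims
used for the Identity Center mapping (sub, email) must be present.
Signature verification is left to Identity Center, which fetches the
signing keys through discovery; nothing here talks to the network.
"""
import base64
import json
import time

ISSUER = "https://pingfedserver.example.com"             # assumed example host
AUDIENCE = "AWSIdentityCenter"                            # aud from the access token mapping
REQUIRED_CLAIMS = ("iss", "aud", "exp", "sub", "email")   # attribute contract from the post

# Constructed copy of what the discovery endpoint returns for this setup
# (the /pf/JWKS path is an assumption about the PingFederate layout).
DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/as/authorization.oauth2",
    "token_endpoint": ISSUER + "/as/token.oauth2",
    "jwks_uri": ISSUER + "/pf/JWKS",
})


def b64url_decode(segment):
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def load_discovery(doc):
    """Return the three values the post asks you to collect, keyed by Tableau's names."""
    d = json.loads(doc)
    return {"issuer": d["issuer"],
            "authUri": d["authorization_endpoint"],
            "tokenUri": d["token_endpoint"]}


def decode_jwt(token):
    """Split a compact JWS into header and claims WITHOUT verifying the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "claims": json.loads(b64url_decode(payload_b64))}


def check_claims(claims, issuer, audience, now=None):
    """Return a list of problems; an empty list means the token matches the trust config."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != discovery issuer {issuer!r}")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]      # aud may be a string or a list
    if audience not in aud_values:
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    exp = claims.get("exp")
    if isinstance(exp, int) and exp <= now:
        problems.append("token expired (exp <= now)")
    return problems


def make_sample_token(claims):
    """Build a compact JWS with a placeholder signature; for offline inspection only."""
    header = {"alg": "RS256", "kid": "certkey", "typ": "JWT"}   # kid as set on the token manager
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"not-a-real-signature")])


# Constructed claims for the post's example user; exp is far in the future.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "exp": 1_900_000_000,
                 "sub": "ethan", "email": "ethan@example.com"}

if __name__ == "__main__":
    endpoints = load_discovery(DISCOVERY_DOC)
    token = make_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(endpoints, indent=2))
    print(check_claims(decode_jwt(token)["claims"], endpoints["issuer"], AUDIENCE) or "claims OK")
```

To run it against your own environment, replace DISCOVERY_DOC with the JSON your server returns from the .well-known endpoint and SAMPLE_CLAIMS with the decoded claims of a real PingFederate access token. Any non-empty result from check_claims points at a mismatch between the access token mapping on the PingFederate side and the issuer or audience configured in Identity Center and Amazon Redshift, which is the usual cause of a failed token exchange.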

Configure Tableau OAuth config files for PingFederate to integrate with Amazon Redshift using IAM Identity Center

The XML file used in this section is used by all the Tableau products: Tableau Desktop, Tableau Server, and Tableau Cloud.

To integrate Tableau with Amazon Redshift using IAM Identity Center, you need a custom OAuth config XML file. In this step, take the following XML and replace the values starting with a $ sign (the client ID, the client secret, and the PingFederate host name). The remaining values can be kept as they are, or you can modify them based on your specific needs. For detailed information on each element in the file, see the Tableau documentation on GitHub.

A few of the capabilities deserve attention. OAUTH_CAP_REQUIRE_PKCE and OAUTH_CAP_SUPPORTS_STATE bind the authorization code to the Tableau process that started the flow and let Tableau reject callbacks it did not initiate; leave them set to true. OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL restricts the loopback callbacks to the fixed ports that you registered as redirect URIs in PingFederate. OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM makes Tableau send the client secret as a query parameter of the token request rather than in the request body, so the secret can appear in proxy or access logs along the way; keep it only if your PingFederate client configuration requires it.

You can get authUri and tokenUri as described in step 1 of the preceding section, Collect PingFederate information.

<?xml version="1.0" encoding="utf-8"?>
<pluginOAuthConfig>
  <dbclass>redshift</dbclass>
  <oauthConfigId>custom_redshift_pingfed</oauthConfigId>
  <clientIdDesktop>$clientId</clientIdDesktop>
  <clientSecretDesktop>$clientSecret</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <authUri>https://$pingfedserver/as/authorization.oauth2</authUri>
  <tokenUri>https://$pingfedserver/as/token.oauth2</tokenUri>
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>profile</scopes>
  <scopes>offline_access</scopes>
  <capabilities>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_STATE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
      <value>true</value>
    </entry>
  </capabilities>
  <accessTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
    <entry>
      <key>username</key>
      <value>email</value>
    </entry>
  </accessTokenResponseMaps>
</pluginOAuthConfig>

The following is the example XML, with pingfedserver.example.com as the IdP host name and the client secret left empty for you to fill in:

<?xml version="1.0" encoding="utf-8"?>
<pluginOAuthConfig>
  <dbclass>redshift</dbclass>
  <oauthConfigId>custom_redshift_pingfed</oauthConfigId>
  <clientIdDesktop>tableauredshiftpingfed</clientIdDesktop>
  <clientSecretDesktop></clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <authUri>https://pingfedserver.example.com/as/authorization.oauth2</authUri>
  <tokenUri>https://pingfedserver.example.com/as/token.oauth2</tokenUri>
  <scopes>openid</scopes>
  <scopes>email</scopes>
  <scopes>profile</scopes>
  <scopes>offline_access</scopes>
  <capabilities>
    <entry>
      <key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_PKCE_REQUIRES_CODE_CHALLENGE_METHOD</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_REQUIRE_PKCE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_STATE</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key>
      <value>true</value>
    </entry>
    <entry>
      <key>OAUTH_CAP_SUPPORTS_GET_USERINFO_FROM_ID_TOKEN</key>
      <value>true</value>
    </entry>
  </capabilities>
  <accessTokenResponseMaps>
    <entry>
      <key>ACCESSTOKEN</key>
      <value>access_token</value>
    </entry>
    <entry>
      <key>REFRESHTOKEN</key>
      <value>refresh_token</value>
    </entry>
    <entry>
      <key>id-token</key>
      <value>id_token</value>
    </entry>
    <entry>
      <key>access-token-issue-time</key>
      <value>issued_at</value>
    </entry>
    <entry>
      <key>access-token-expires-in</key>
      <value>expires_in</value>
    </entry>
    <entry>
      <key>username</key>
      <value>email</value>
    </entry>
  </accessTokenResponseMaps>
</pluginOAuthConfig>
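The capabilities in this file decide how the browser-based flow from the solution overview is protected. The following Python script is an added example, not code from the original post or from Tableau: it parses an abridged, constructed copy of the example above, lints the security-relevant settings (PKCE required, state supported, loopback callbacks on fixed ports, HTTPS IdP endpoints), and walks through the authorization code + PKCE exchange that Tableau performs against PingFederate's /as/authorization.oauth2 and /as/token.oauth2 endpoints, from the authorization URL to the localhost callback and the token request. pingfedserver.example.com and the client secret are placeholders, and nothing is sent over the network.

```python
"""Dry run of the browser-based OAuth flow that Tableau drives from pluginOAuthConfig.

Added example; not code from the original post or from Tableau. Parses an
abridged copy of the config XML, lints the settings the flow's security
depends on, and builds the authorization-code + PKCE requests sent to
PingFederate. No network access; host and secret are placeholders.
"""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, abridged copy of the example XML above (same values, fewer entries).
CONFIG_XML = """<pluginOAuthConfig>
  <dbclass>redshift</dbclass>
  <oauthConfigId>custom_redshift_pingfed</oauthConfigId>
  <clientIdDesktop>tableauredshiftpingfed</clientIdDesktop>
  <clientSecretDesktop>PLACEHOLDER-SECRET</clientSecretDesktop>
  <redirectUrisDesktop>http://localhost:55556/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55557/Callback</redirectUrisDesktop>
  <redirectUrisDesktop>http://localhost:55558/Callback</redirectUrisDesktop>
  <authUri>https://pingfedserver.example.com/as/authorization.oauth2</authUri>
  <tokenUri>https://pingfedserver.example.com/as/token.oauth2</tokenUri>
  <scopes>openid</scopes><scopes>email</scopes><scopes>profile</scopes><scopes>offline_access</scopes>
  <capabilities>
    <entry><key>OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL</key><value>true</value></entry>
    <entry><key>OAUTH_CAP_REQUIRE_PKCE</key><value>true</value></entry>
    <entry><key>OAUTH_CAP_SUPPORTS_STATE</key><value>true</value></entry>
    <entry><key>OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM</key><value>true</value></entry>
  </capabilities>
</pluginOAuthConfig>"""


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_config(xml_text):
    root = ET.fromstring(xml_text)
    caps = {e.findtext("key"): e.findtext("value") == "true"
            for e in root.find("capabilities").findall("entry")}
    return {"clientId": root.findtext("clientIdDesktop"),
            "clientSecret": root.findtext("clientSecretDesktop"),
            "redirectUris": [e.text for e in root.findall("redirectUrisDesktop")],
            "authUri": root.findtext("authUri"), "tokenUri": root.findtext("tokenUri"),
            "scopes": [e.text for e in root.findall("scopes")], "caps": caps}


def lint_config(cfg):
    """Errors break the flow's protections; warnings deserve a deliberate decision."""
    errors, warnings = [], []
    for cap in ("OAUTH_CAP_REQUIRE_PKCE", "OAUTH_CAP_SUPPORTS_STATE",
                "OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL"):
        if not cfg["caps"].get(cap):
            errors.append(f"{cap} must be true")
    for uri in cfg["redirectUris"]:
        if urlsplit(uri).hostname not in ("localhost", "127.0.0.1"):
            errors.append(f"desktop callback must be loopback: {uri}")
    for uri in (cfg["authUri"], cfg["tokenUri"]):
        if urlsplit(uri).scheme != "https":
            errors.append(f"IdP endpoint must be https: {uri}")
    if cfg["caps"].get("OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM"):
        warnings.append("client secret travels in the token-request query string; "
                        "it can land in proxy and access logs")
    return {"errors": errors, "warnings": warnings}


def pkce_pair(verifier=None):
    """RFC 7636 S256: challenge = base64url(sha256(verifier))."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(cfg, redirect_uri, state, code_challenge):
    """Step 1: the URL Tableau opens in the browser; redirect_uri must be pre-registered."""
    if redirect_uri not in cfg["redirectUris"]:
        raise ValueError(f"redirect_uri not registered in config: {redirect_uri}")
    params = {"response_type": "code", "client_id": cfg["clientId"],
              "redirect_uri": redirect_uri, "scope": " ".join(cfg["scopes"]),
              "state": state, "code_challenge": code_challenge,
              "code_challenge_method": "S256"}
    return f"{cfg['authUri']}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: PingFederate redirects to localhost:5555x/Callback; a state mismatch is rejected (CSRF)."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback was not started by this client")
    return q["code"][0]


def build_token_request(cfg, code, redirect_uri, code_verifier):
    """Step 3: POST to tokenUri; where the client credentials go depends on the capability flag."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    creds = {"client_id": cfg["clientId"], "client_secret": cfg["clientSecret"]}
    if cfg["caps"].get("OAUTH_CAP_CLIENT_SECRET_IN_URL_QUERY_PARAM"):
        return f"{cfg['tokenUri']}?{urlencode(creds)}", body   # secret in the URL, as the flag says
    body.update(creds)                                         # otherwise in the POST body
    return cfg["tokenUri"], body


if __name__ == "__main__":
    cfg = parse_config(CONFIG_XML)
    print(lint_config(cfg))
    verifier, challenge = pkce_pair()
    print(build_authorize_url(cfg, cfg["redirectUris"][0], b64url(secrets.token_bytes(16)), challenge))
```

The code verifier never leaves the client until the token request, so an authorization code intercepted on the way to the loopback callback cannot be redeemed without it; the state value ties the callback to the browser session Tableau opened. Running lint_config against your real file before deploying it to users is a cheap way to catch a config that was edited to http:// endpoints or had PKCE switched off.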

Install the Tableau OAuth config file on a client machine for Tableau Desktop

After the XML configuration file is created, it must be copied to a specific location so the Amazon Redshift connector in Tableau Desktop can use it. Save the preceding file with an .xml extension under Documents\My Tableau Repository\OAuthConfigs. Because the file holds the OAuth client secret in clear text, treat it like a credential: restrict its file permissions to the user's profile and distribute it through a managed channel rather than a shared drive.

Note: Currently this integration isn't supported on macOS, because the Amazon Redshift ODBC 2.x driver isn't yet supported for Mac.

Install the Tableau OAuth config file for a site on Tableau Server or Tableau Cloud

To integrate with Amazon Redshift using IAM Identity Center authentication, you need to install the Tableau OAuth config file on Tableau Server or Tableau Cloud.

  1. Sign in to Tableau Server or Tableau Cloud using admin credentials.
  2. Navigate to Settings.
  3. Go to OAuth Clients Registry and select Add OAuth Client.
  4. Choose the following settings:
    1. Connection Type: Select Amazon Redshift.
    2. OAuth Provider: Select Custom_IdP.
    3. Client ID: Enter your IdP client ID.
    4. Client Secret: Enter your client secret.
    5. Redirect URL: Enter http://localhost/auth/add_oauth_token. In this post, we use localhost for testing in a local environment; you should ideally use the full hostname with HTTPS, and the same value must be registered as a redirect URI on the PingFederate client.
    6. Choose OAuth Config File: Select the XML file that you created in the preceding section.
    7. Select Add OAuth Client and choose Save.

Figure 14: Create an OAuth connection in Tableau Server or Tableau Cloud

Federate to Amazon Redshift from Tableau Desktop using IAM Identity Center

Now you're ready to connect from Tableau and federate sign-in using IAM Identity Center authentication. In this step, you'll create a Tableau Desktop report and publish it to Tableau Server.

  1. Open Tableau Desktop.
  2. Choose the Amazon Redshift Connector and enter the following values:
    1. Server: Enter the name of the server that hosts the database and the name of the database you want to connect to.
    2. Port: Enter 5439.
    3. Database: Enter your database name. In this example, we use dev.
    4. Authentication: Select OAuth.
    5. Federation Type: Select Identity Center.
    6. Identity Center Namespace: You can leave this blank.
    7. OAuth Provider: This value should automatically be pulled from your configured XML. It will be the value from the element oauthConfigId.
    8. Select the checkbox for Require SSL.
  3. Choose Sign-In.
  4. A browser pop-up will open where you'll enter your IdP credentials.

Figure 15: Tableau Desktop OAuth connection

  5. When authentication is successful, you will see the message "Tableau created this window to authenticate. It's now safe to close it."

Figure 16: Successful authentication using Tableau

Congratulations! You are signed in using the IAM Identity Center integration with Amazon Redshift and are ready to explore and analyze your data using Tableau Desktop.

Figure 17: Successful connection using Tableau Desktop

The following is a screenshot from the Amazon Redshift system table (sys_query_history) showing that user Ethan from PingFederate is accessing the sales report.

Figure 18: User audit in sys_query_history
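The audit query behind that screenshot, as an added example that is not part of the original post: it joins sys_query_history to svv_user_info so that the federated IdP identity, not just a numeric user_id, appears next to each query. The LIKE pattern is a constructed placeholder, and the exact form in which the Identity Center user name is stored (including any namespace prefix) is an assumption you should verify in your own warehouse.

```sql
-- Added example (not from the post): audit queries issued by a federated
-- Identity Center user in Amazon Redshift. Run in Query Editor v2 or any
-- SQL client connected to the same database Tableau connects to.

-- 1) Recent queries by one IdP user. The name pattern is a constructed
--    placeholder; adjust it to how your Identity Center namespace prefixes
--    user names (an assumption, verify with: SELECT user_name FROM svv_user_info;).
SELECT u.user_name,
       q.query_id,
       q.database_name,
       q.start_time,
       q.status,
       q.query_text
FROM sys_query_history q
JOIN svv_user_info u
  ON u.user_id = q.user_id
WHERE LOWER(u.user_name) LIKE '%ethan%'          -- constructed placeholder
  AND q.start_time > DATEADD(hour, -24, GETDATE())
ORDER BY q.start_time DESC;

-- 2) Which identities actually reached the warehouse in the last day, and
--    how many queries each ran. Useful for spotting a shared or unexpected
--    account that should have been replaced by per-user federated sign-in.
SELECT u.user_name,
       COUNT(*)          AS query_count,
       MIN(q.start_time) AS first_seen,
       MAX(q.start_time) AS last_seen
FROM sys_query_history q
JOIN svv_user_info u
  ON u.user_id = q.user_id
WHERE q.start_time > DATEADD(hour, -24, GETDATE())
GROUP BY u.user_name
ORDER BY query_count DESC;
```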

Now you can create your own Tableau report in the desktop version and publish it to your Tableau Server. For the next section, you create and publish a report named Account Level Sales.

Federate to Amazon Redshift from Tableau Server using IAM Identity Center authentication

After you have published the report from Tableau Desktop to Tableau Server, sign in as a non-admin user and view the published report using IAM Identity Center authentication.

  1. Sign in to the Tableau Server site as a non-admin user.
  2. Navigate to Explore and go to the folder where your published report is saved.
  3. Select the report and choose Sign In.

Figure 19: Sign In prompt on Tableau Cloud/Server

  4. Enter your PingFederate credentials in the browser pop-up to authenticate.
  5. After successful authentication, you can access the data and create reports.

Figure 20: Tableau report

Clean up

Complete the following steps to clean up your resources:

  1. Delete the IdP applications that you created to integrate with IAM Identity Center.
  2. Delete the Identity Center configuration.
  3. Delete the Amazon Redshift application and the Amazon Redshift provisioned cluster or Serverless instance that you created for testing.
  4. Delete the IAM role and IAM policy that you created for the Identity Center and Amazon Redshift integration.
  5. Delete the permission set from Identity Center that you created for Amazon Redshift Query Editor v2 in the management account.
  6. Clean up resources related to PingFederate.

Conclusion

This post covered streamlining access management for data analytics by using Tableau's capability to support single sign-on based on the OAuth 2.0 and OIDC protocols. This setup facilitates federated user authentication, where user identities from an external identity provider like PingFederate are trusted and propagated to Amazon Redshift. You walked through the steps to configure Tableau Desktop and Tableau Server to integrate seamlessly with Amazon Redshift using AWS IAM Identity Center for single sign-on. By harnessing this integration of a third-party IdP with IAM Identity Center, analysts can securely access Amazon Redshift data sources within Tableau without managing separate database credentials.

Learn more about Amazon Redshift integration with IAM Identity Center using PingFederate as an identity provider by visiting the following resources.


About the authors

Rohit Vashishtha

Rohit is a Senior Analytics Specialist Solutions Architect at AWS based in Dallas, Texas. He has 20 years of experience architecting, building, leading, and maintaining big data platforms. Rohit helps customers modernize their analytic workloads using the breadth of AWS services and ensures that customers get the best price/performance with utmost security and data governance.

Maneesh Sharma

Maneesh is a Database Modernization ProServ Consultant at AWS with 15 years of experience designing and implementing large-scale data warehouse and analytics solutions. He works closely with customers to help them modernize their legacy applications to AWS cloud-based platforms.

Jared Warren

Jared is a Principal Solutions Architect at Amazon Web Services, working with our Enterprise customers. Outside of work, he plays board games (the nerdier the better) and smokes bar-b-que in his backyard.

Jason Veinot

Jason is a Senior Solutions Architect at Ping Identity with more than 20 years' experience in IT and cybersecurity. He focuses on Identity and Access Management (IAM), pairing deep infrastructure and cloud expertise with hands-on leadership to design and deliver modern identity solutions. Jason partners with leading technology providers to accelerate outcomes and help organizations achieve their unique IAM goals.
