SSO with Amazon Redshift for Data Product Chat

Applies to Alation Cloud Service instances of Alation.

Users can chat with a data product built on an Amazon Redshift data source after you configure SSO authentication with AWS Identity and Access Management (IAM). Alation uses SAML 2.0 to authenticate each user from the catalog. It then uses the AWS Security Token Service (STS) AssumeRoleWithSAML API to obtain temporary credentials on the user’s behalf.

Prerequisites

Before you begin, confirm the following:

  • AWS STS is enabled in the AWS region where your Redshift cluster is located. Alation uses the AssumeRoleWithSAML endpoint of the AWS STS API to request temporary credentials.

  • Your identity provider (IdP) meets all of these requirements:

    • Is SAML 2.0-compliant.

    • Supports HTTP-Redirect Binding for SAML requests.

    • Allows you to configure AWS IAM roles for federated users.

    • Can include the SAML attributes https://aws.amazon.com/SAML/Attributes/Role and https://aws.amazon.com/SAML/Attributes/RoleSessionName in its assertion response.

  • Each Alation user who needs to access Redshift data through Data Product Chat exists in the IdP user directory.

  • You have the Server Admin role in Alation.

Step 1: Create an Authentication Application for Alation in the IdP

In your IdP, create a new authentication application for Alation. Use the following information when configuring the application.

ACS endpoint

Use the following URL as the Assertion Consumer Service (ACS) endpoint:

<base_url>/api/v2/auth/callback/

Where <base_url> is the base URL of your Alation instance.

Metadata

After creating the application, download its metadata.xml file. You will upload this file to AWS in Step 2.

Note

You don’t have to add SAML attributes to the application at this stage. You will configure the required attributes in Step 4.

Step 2: Create an Identity Provider in AWS

  1. In the AWS Management Console, go to IAM.

  2. Select Identity providers and click Add provider.

  3. Set Provider type to SAML.

  4. Enter a name for the provider and upload the metadata.xml file you downloaded in Step 1.

  5. Click Add provider.

  6. Open the newly created identity provider and note down the SSO service location URL. You will paste this URL into Alation in Step 6.

Step 3: Create IAM Roles and Configure Trust Relationships

Users who access Redshift from Alation must assume an IAM role. Every role they can assume must have the identity provider you created in Step 2 set as a Trusted Entity.

  • If the required IAM roles already exist: in AWS IAM, open the identity provider you created in Step 2, click Assign role, and select the roles users will need.

  • If the required IAM roles do not exist: create the roles in AWS IAM. For each role, open its Trust relationships and add the identity provider from Step 2 as the Trusted Entity.

Note down the ARN of each role and the ARN of the identity provider. You will need these values in Step 4.
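The trust relationship described above is what lets the identity provider, and nothing else, federate into a role through sts:AssumeRoleWithSAML. The following is an added example, not code from Alation or AWS: it generates a minimal trust policy for a new role and checks an existing role's trust policy for the same grant, so you can verify roles from the first bullet before assigning them. The ARNs are the placeholders used on this page; the optional SAML:aud pin assumes your IdP sets the assertion's Recipient to the ACS URL from Step 1, which is what AWS compares that key against, so confirm that in a real assertion before enabling it.

```python
"""Trust policy helpers for roles assumed via AssumeRoleWithSAML.
Added example; ARNs are the placeholders from this page."""
import fnmatch
import json

PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/my_provider"  # from Step 2
ASSUME_SAML = "sts:AssumeRoleWithSAML"


def saml_trust_policy(provider_arn, recipient_url=None):
    """Trust policy that lets only `provider_arn` assume the role with a SAML
    assertion. `recipient_url` (assumption: the ACS URL your IdP writes into the
    assertion's Recipient field) pins the saml:aud condition key to it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": ASSUME_SAML,
    }
    if recipient_url:
        statement["Condition"] = {"StringEquals": {"SAML:aud": recipient_url}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trusts_provider(policy, provider_arn):
    """True if some Allow statement grants sts:AssumeRoleWithSAML (or a wildcard
    covering it) to the given SAML provider as a Federated principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare ARN is not a Federated grant
        federated = _as_list(principal.get("Federated"))
        actions = _as_list(stmt.get("Action"))
        action_ok = any(fnmatch.fnmatchcase(ASSUME_SAML, a) for a in actions)
        if action_ok and provider_arn in federated:
            return True
    return False


def roles_missing_trust(role_policies, provider_arn):
    """role_policies: {role_arn: trust_policy_dict}. Returns the role ARNs that
    still need the provider added under Trust relationships."""
    return sorted(arn for arn, pol in role_policies.items()
                  if not trusts_provider(pol, provider_arn))


if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(PROVIDER_ARN), indent=2))
```

To check roles that already exist, feed `trusts_provider` the document returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`; to install a generated policy, pass `json.dumps(policy)` to `iam.update_assume_role_policy(RoleName=..., PolicyDocument=...)` in boto3. Keep the Federated principal to the one provider ARN: a trust policy that names additional providers, or uses a wildcard principal, lets any of them mint credentials for the role.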

Step 4: Configure SAML Attributes in the Authentication Application

In your IdP, open the authentication application you created in Step 1 and add the following SAML attributes:

Required SAML Attributes

  • https://aws.amazon.com/SAML/Attributes/Role

    Value: <RoleARN>,<PrincipalARN>

  • https://aws.amazon.com/SAML/Attributes/RoleSessionName

    Value: a unique identifier for the user, such as an IdP username or email address.

Where:

  • <RoleARN> is the ARN of the IAM role the user will assume.

  • <PrincipalARN> is the ARN of the identity provider you created in Step 2.

Separate the two ARN values in the Role attribute with a comma and no spaces, for example:

arn:aws:iam::123456789012:role/analyst,arn:aws:iam::123456789012:saml-provider/my_provider

Important

To assign multiple roles to users, use the syntax your IdP accepts for specifying multiple attribute values.
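What an AssumeRoleWithSAML caller has to do with these two attributes, shown as an added example rather than Alation's implementation: read both attributes from the assertion, accept either ARN order inside a Role value (STS allows both), require exactly one RoleSessionName, and pick one role when the IdP offers several. It also enforces the 900 to 43200 second range that the STS Duration field in Step 6 accepts. The assertion is constructed for illustration and is unsigned (a real IdP signs it and STS checks the signature against the metadata.xml uploaded in Step 2); the ARNs are this page's placeholders and jdoe@example.com is a made-up session name.

```python
"""Added example (not Alation's code): extract the AWS role attributes from a
SAML assertion and build the AssumeRoleWithSAML request parameters."""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
MIN_DURATION, MAX_DURATION = 900, 43200  # seconds; the range the STS Duration field accepts

# Constructed, unsigned sample assertion with two offered roles (one per value).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/analyst,arn:aws:iam::123456789012:saml-provider/my_provider</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/my_provider,arn:aws:iam::123456789012:role/auditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Text of every AttributeValue under the attribute called `name`."""
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def parse_role_pairs(values):
    """Each value is '<RoleARN>,<PrincipalARN>' with no spaces (STS also accepts
    the reverse order), so classify the halves by ARN type, not by position.
    Returns [(role_arn, principal_arn), ...]."""
    pairs = []
    for value in values:
        parts = value.split(",")
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def is_valid_duration(seconds):
    return isinstance(seconds, int) and MIN_DURATION <= seconds <= MAX_DURATION


def build_assume_role_request(assertion_xml, duration_seconds, role_arn=None):
    """Keyword arguments for sts.assume_role_with_saml(). RoleSessionName is not
    a request parameter (STS reads it from the assertion), so it is only checked."""
    root = ET.fromstring(assertion_xml)
    pairs = parse_role_pairs(attribute_values(root, ROLE_ATTR))
    if not pairs:
        raise ValueError("assertion carries no Role attribute")
    if len(attribute_values(root, SESSION_ATTR)) != 1:
        raise ValueError("assertion must carry exactly one RoleSessionName")
    if not is_valid_duration(duration_seconds):
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}")
    if role_arn is None:
        if len(pairs) > 1:
            raise ValueError("IdP offered several roles; the user must choose one")
        role_arn, principal_arn = pairs[0]
    else:
        principal_arn = dict(pairs).get(role_arn)
        if principal_arn is None:
            raise ValueError(f"{role_arn} is not among the roles the IdP offered")
    return {
        "RoleArn": role_arn,
        "PrincipalArn": principal_arn,
        "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    req = build_assume_role_request(SAMPLE_ASSERTION, 3600,
                                    "arn:aws:iam::123456789012:role/auditor")
    print(req["RoleArn"], req["PrincipalArn"], req["DurationSeconds"])
    # Live call (needs network, a signed assertion and STS enabled in the region):
    # import boto3
    # boto3.client("sts", region_name="us-east-1").assume_role_with_saml(**req)
```

The role selection step is the reason the Important note above matters: when the attribute carries more than one value, the caller must present a choice or be told which role to request, and STS will refuse a role ARN that is not paired with the provider ARN in the assertion.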

Step 5: Assign Users

In your IdP, assign users to the authentication application for Alation. Assign the users who need to access Redshift data through Data Product Chat. When these users authenticate from Alation, they are granted the IAM role specified in the https://aws.amazon.com/SAML/Attributes/Role attribute.

Step 6: Create an Authentication Configuration in Alation

  1. Log in to Alation as a Server Admin.

  2. Click the Settings icon in the upper right to open Admin Settings.

  3. Go to Server Admin > Authentication and scroll down to the Authentication Configuration Methods for External Systems section.

  4. Click the Add Configuration dropdown and select AWS IAM.

  5. On the Authentication Configuration Methods for External Systems page, fill in the following fields:

    Authentication Configuration Fields

    • Config Name: Enter a unique, meaningful name for this configuration.

    • STS Duration: Enter the lifetime of the temporary credentials in seconds. Accepted values range from 900 (15 minutes) to 43200 (12 hours). AssumeRoleWithSAML fails if this value exceeds the Maximum session duration set on the IAM role (1 hour by default), so raise that setting on each role from Step 3 before entering more than 3600 here.

    • Region: Select the AWS region where your Redshift cluster is located.

    • Redirect URL: Paste the SSO service location URL you noted in Step 2.

    Note

    The remaining fields on this page are not required for Amazon Redshift SSO authentication and can be left default or blank.

  6. Save the configuration.

Step 7: Configure SSO Authentication for the Data Product

Note

This step is performed by the Data Product Admin.

  1. Navigate to Data Products App from the left-side navigation.

  2. Select My Data Products.

  3. In the Data Products list, locate the Redshift data product and click its name to open it.

  4. Select the Settings tab.

  5. Under Chat Configuration, expand Configure Connection.

  6. Under Authentication Method, select AWS IAM (AWS IAM authentication).

  7. From the list of available authentication configurations, select the configuration you created in Step 6: Create an Authentication Configuration in Alation.

Note

The chat authentication configuration applies to the data product as a whole and is not specific to any version. The setting takes effect immediately when you select it (no separate save action is required).

Step 8: Connect and Test the SSO Authentication

Once the authentication configuration is complete:

  1. Navigate to Data Products App from the left-side navigation.

  2. Select My Data Products.

  3. Click a data product’s name to open it.

  4. Click the Chat button on the top right.

  5. Click the connection indicator, which reads Missing connection until you authenticate.

  6. Select Continue with SSO.

  7. Your identity provider’s login page appears. Enter your SSO credentials to complete the authentication.

  8. After successful authentication, the Chat is ready for you to ask questions about the dataset.

  9. Type your question at the bottom of the panel and click the Send icon.