Combine ThoughtSpot with Amazon Redshift utilizing AWS IAM Id Middle

Amazon Redshift is a quick, scalable, and totally managed cloud information warehouse that permits you to course of and run your complicated SQL analytics workloads on structured and semi-structured information. Tens of 1000’s of consumers use Amazon Redshift to course of massive quantities of information, modernize their information analytics workloads, and supply insights for his or her enterprise customers.

The mixture of Amazon Redshift and ThoughtSpot’s AI-powered analytics service allows organizations to remodel their uncooked information into actionable insights with unprecedented pace and effectivity. By way of this collaboration, Amazon Redshift now helps AWS IAM Id Middle integration with ThoughtSpot, enabling seamless and safe information entry with streamlined authentication and authorization workflows. This single sign-on (SSO) integration is out there throughout ThoughtSpot’s cloud panorama and can be utilized for each embedded and standalone analytics implementations.

Previous to the IAM Id Middle integration, ThoughtSpot customers didn’t have native connectivity to combine Amazon Redshift with their identification suppliers (IdPs), which might present unified governance and identification propagation throughout a number of AWS providers like AWS Lake Formation and Amazon Easy Storage Service (Amazon S3).

Now, ThoughtSpot customers can natively connect with Amazon Redshift utilizing the IAM Id Middle integration, which streamlines information analytics entry administration whereas sustaining strong safety. By configuring Amazon Redshift as an AWS managed utility, organizations profit from SSO capabilities with trusted identification propagation and a trusted token issuer (TTI). The IAM Id Middle integration with Amazon Redshift supplies centralized consumer administration, robotically synchronizing entry permissions with organizational modifications—whether or not workers be part of, transition roles, or go away the group. The answer makes use of Amazon Redshift role-based entry management options that align with IdP teams synced in IAM Id Middle. Organizations can additional improve their safety posture through the use of Lake Formation to outline granular entry management permissions on catalog assets for IdP identities. From a compliance and safety standpoint, the mixing presents complete audit trails by logging end-user identities each in Amazon Redshift and AWS CloudTrail, offering visibility into information entry patterns and consumer actions.

Dime Dimovski, a Knowledge Warehousing Architect at Merck, shares:

“The latest integration of Amazon Redshift with our identification entry administration heart will considerably improve our information entry administration as a result of we are able to propagate consumer identities throughout varied instruments. Through the use of OAuth authentication from ThoughtSpot to Amazon Redshift, we’ll profit from a seamless single sign-on expertise—giving us granular entry controls in addition to the safety and effectivity we want.”

On this publish, we stroll you thru the method of organising ThoughtSpot integration with Amazon Redshift utilizing IAM Id Middle authentication. The answer supplies a safe, streamlined analytics setting that empowers your workforce to concentrate on what issues most: discovering and sharing priceless enterprise insights.

Resolution overview

The next diagram illustrates the structure of the ThoughtSpot SSO integration with Amazon Redshift, IAM Id Middle, and your IdP.

The answer contains the next steps:

1. The consumer configures ThoughtSpot to entry Amazon Redshift utilizing IAM Id Middle.
2. When a consumer makes an attempt to check in, ThoughtSpot initiates a browser-based OAuth circulate and redirects the consumer to their most popular IdP (similar to Okta or Microsoft EntraID) sign-in web page to enter their credentials.
3. Following profitable authentication, IdP points authentication tokens (ID and entry token) to ThoughtSpot.
4. The Amazon Redshift driver then makes a name to the Amazon Redshift enabled AWS Id Middle utility and forwards the entry token.
5. Amazon Redshift passes the token to IAM Id Middle for validation.
6. IAM Id Middle first validates the token utilizing the OpenID Join (OIDC) discovery connection to the TTI and returns an IAM Id Middle generated entry token for a similar consumer. The TTI lets you use trusted identification propagation with purposes that authenticate exterior of AWS. Within the previous determine, the IdP authorization server is the TTI.
7. Amazon Redshift makes use of IAM Id Middle APIs to acquire the consumer and group membership data from AWS Id Middle.
8. The ThoughtSpot consumer can now join with Amazon Redshift and entry information based mostly on the consumer and group membership returned from IAM Id Middle.

On this publish, you’ll use the next steps to construct the answer:

1. Arrange an OIDC utility.
2. Arrange a TTI in IAM Id Middle.
3. Arrange consumer connections and TTIs in Amazon Redshift.
4. Federate to Amazon Redshift from ThoughtSpot utilizing IAM Id Middle.

Conditions

Earlier than you start implementing the answer, you should have the next in place:

Arrange an OIDC utility

On this part, we’ll present you the step-by-step course of to arrange an OIDC utility utilizing each Okta and EntraID because the identification suppliers.

Arrange an Okta OIDC utility

Full the next steps to arrange an Okta OIDC utility:

1. Sign up to your Okta group as a consumer with administrative privileges.
2. On the admin console, beneath Purposes within the navigation pane, select Purposes.
3. Select Create App Integration.
4. Choose OIDC – OpenID Join for Signal-in methodology and Net Utility for Utility kind.
5. Select Subsequent.
   
6. On the Common tab, present the next data:
   1. For App integration title, enter a reputation to your app integration. For instance, ThoughtSpot_Redshift_App.
   2. For Grant kind, choose Authorization Code and Refresh Token.
   3. For Signal-in redirect URIs, select Add URI and together with the default URI, add the URI https:///callosum/v1/connection/generateTokens. The sign-in redirect URI is the place Okta sends the authentication response and ID token for the sign-in request. The URIs have to be absolute URIs.
   4. For Signal-out redirect URIs, hold the default worth as http://localhost:8080.
   5. Skip the Trusted Origins part and for Assignments, choose Skip group project for now.
   6. Select Save.
7. Select the Assignments tab after which select Assign to Teams. On this instance, we’re assigning awssso-finance and awssso-sales.
8. Select Completed.
   
   

Arrange an EntraID OIDC utility

To create your EntraID utility, observe these steps:

1. Sign up to the Microsoft Entra admin heart as Cloud Utility Administrator (or larger degree of entry).
2. Browse to App registrations beneath Handle, and select New registration.
3. Enter a reputation for the appliance. For instance, ThoughtSpot-OIDC-App.
4. Choose a supported account kind, which determines who can use the appliance. For this instance, choose the primary possibility within the listing.
5. Underneath Redirect URI, select Net for the kind of utility you need to create. Enter the URI the place the entry token is distributed to. Your redirect URL will likely be within the format https:///callosum/v1/connection/generateTokens.
6. Select Register.
   
7. Within the navigation pane, select Certificates & secrets and techniques.
8. Select New consumer secret.
9. Enter an outline and choose an expiration for the key or specify a customized lifetime. For this instance, hold the Microsoft advisable default expiration worth of 6 months.
10. Select Add.
11. Copy the key worth.

The key worth will solely be offered one time; after which you can’t learn it. Be certain that to repeat it now. If you happen to fail to put it aside, you should generate a brand new consumer secret.

12. Within the navigation pane, beneath Handle, select Expose an API.

If you happen to’re organising for the primary time, you possibly can see Add to the suitable of the appliance ID URI.

13. Select Save.
14. After the appliance ID URI is about up, select Add a scope.
15. For Scope title, enter a reputation. For instance, redshift_login.
16. For Admin consent show title, enter a show title. For instance, redshift_login.
17. For Admin consent description, enter an outline of the scope.
18. Select Add scope.
    
19. Within the navigation pane, select API permissions.
20. Select Add a permission and select Microsoft Graph.
21. Select Delegated Permission.
22. Underneath OpenId permissions, select electronic mail, offlines_access, openid, and profile, and select Add permissions.
    

Arrange a TTI in IAM Id Middle

Assuming you’ve gotten accomplished the conditions, you’ll set up your IdP as a TTI in your delegated administration account. To create a TTI, check with Methods to add a trusted token issuer to the IAM Id Middle console. On this publish, we stroll by the steps to arrange a TTI for each Okta and EntraID.

Arrange a TTI for Okta

To get the issuer URL from Okta, full the next steps:

1. Sign up as an admin to Okta and navigate to Safety after which to API.
2. Select Default on the Authorization Servers tab and duplicate the Issuer
   url.
   
3. Within the Map attributes part, select which IdP attributes correspond to Id Middle attributes. For instance, within the following screenshot, we mapped Okta’s Topic attribute to the E-mail attribute in IAM Id Middle.
4. Select Create trusted token issuer.
   

Arrange a TTI for EntraID

Full the next steps to arrange a TTI for EntraID:

1. To search out out which token your utility is utilizing, beneath Handle, select Manifest.
2. Find the accessTokenAcceptedVersion parameter: null or 1 point out v1.0 tokens, and 2 signifies v2.0 tokens.
   
   

Subsequent, you should discover the tenant ID worth from EntraID.

3. Go to the EntraID utility, select Overview, and a brand new web page will seem containing the Necessities
4. Yow will discover the tenant ID worth as proven within the following screenshot. If you happen to’re utilizing the v1.0 token, the issuer URL will likely be https://sts.home windows.web//. If you happen to’re utilizing the v2.0 token, the issuer URL will likely be https://login.microsoftonline.com//v2.0.
   
5. For Map attributes, the next instance makes use of Different, the place we’re specifying the consumer principal title (upn) because the IdP attribute to map with E-mail from the IAM identification Middle attribute.
6. Select Create trusted token issuer.
   

Arrange consumer connections and TTIs in Amazon Redshift

On this step, you configure the Amazon Redshift purposes that trade externally generated tokens to make use of the TTI you created within the earlier step. Additionally, the viewers declare (or aud declare) out of your IdP have to be specified. You should accumulate the viewers worth from the respective IdP.

Purchase the viewers worth from Okta

To amass the viewers worth from Okta, full the next steps:

1. Sign up as an admin to Okta and navigate to Safety after which to API.
2. Select Default on the Authorization Servers tab and duplicate the Viewers worth.
   

Purchase the viewers worth from EntraID

Equally, to get the viewers worth EntraID, full the next steps:

1. Go to the EntraID utility, select Overview, and a brand new web page will seem containing the Necessities
2. Yow will discover the viewers worth (Utility ID URI) as proven within the following screenshot.
   

Configure the appliance

After you accumulate the viewers worth from the respective IdP, you should configure the Amazon Redshift utility within the member account the place the Amazon Redshift cluster or serverless occasion exists.

1. Select IAM Id Middle connection within the navigation pane on the Amazon Redshift console.
2. Select the Amazon Redshift utility that you simply created as a part of the conditions.
3. Select the Consumer connections tab and select Edit.
4. Select Sure beneath Configure consumer connections that use third-party IdPs.
5. Choose the verify field for Trusted token issuer that you simply created within the earlier part.
6. For Aud declare, enter the viewers declare worth beneath Configure chosen trusted token issuers.
7. Select Save.

Your IAM Id Middle, Amazon Redshift, and IdP configuration is full. Subsequent, you should configure ThoughtSpot.

Federate to Amazon Redshift from ThoughtSpot utilizing IAM Id Middle

Full the next steps in ThoughtSpot to federate with Amazon Redshift utilizing IAM Id Middle authentication:

1. Sign up to ThoughtSpot cloud.
2. Select Knowledge within the prime navigation bar.
3. Open the Connections tab within the navigation pane, and choose the Redshift

Alternatively, you possibly can select Create new within the navigation pane, select Connection, and choose the Redshift tile.

4. Create a reputation to your connection and an outline (non-compulsory), then select Proceed.
5. Underneath Authentication Sort, select AWS IDC OAuth and enter following particulars:
   1. For Host, enter the Redshift endpoint. For instance, test-cluster.ab6yejheyhgf.us-east-1.redshift.amazonaws.com.
   2. For Port, enter 5439.
   3. For OAuth Consumer ID, enter the consumer ID from the IdP OIDC utility.
   4. For OAuth Consumer Secret, enter the consumer secret from the IdP OIDC utility.
   5. For Scope, enter the scope from the IdP utility:
      • For Okta, use openid offline_access openid profile. You should use the Okta scope values shared earlier as is on ThoughtSpot. You may modify the scope in response to your necessities.
      • For EntraID, use the API scope and API permissions. For instance, api://1230a234-b456-7890-99c9-a12345bcc123/redshift_login offline_access.
   6. For API scope worth, go to the OIDC utility, and beneath Handle, select Expose an API to amass the worth.
   7. For API permissions, go to the OIDC utility, and beneath Handle, select API permissions to amass the permissions.
   8. For Auth Url, enter the authorization endpoint URI:
      • For Okta use https:// /oauth2/default/v1/authorize. For instance, https://prod-1234567.okta.com/oauth2/default/v1/authorize.
      • For EntraID, use https://login.microsoftonline.com//oauth2/v2.0/authorize. For instance, https://login.microsoftonline.com/e12a1ab3-1234-12ab-12b3-1a5012221d12/oauth2/v2.0/authorize.
   9. For Entry token Url, enter the token endpoint URI:
      • For Okta, use https:///oauth2/default/v1/token. For instance, https://prod-1234567.okta.com/oauth2/default/v1/token.
      • For EntraID, use https://login.microsoftonline.com//oauth2/v2.0/token. For instance, https://login.microsoftonline.com/e12a1ab3-1234-12ab-12b3-1a5012221d12/oauth2/v2.0/token.
   10. For AWS Id Namespace, enter the namespace configured in your Amazon Redshift IAM Id Middle utility. The default worth is AWSIDC until beforehand custom-made. For this instance, we use awsidc.
   11. For Database, enter the database title you need to join. For instance, dev.
6. Select Proceed.
7. Enter your IdP consumer credentials within the browser pop-up window.

The next screenshot illustrates the ThoughtSpot integration with Amazon Redshift utilizing Okta because the IdP.

The next screenshot reveals the ThoughtSpot integration with Amazon Redshift utilizing EntraID because the IdP.

Upon a profitable authentication, you may be redirected again to ThoughtSpot and logged in as an IAM Id Middle authenticated consumer.

Congratulations! You’ve logged in by IAM Id Middle and Amazon Redshift, and also you’re able to dive into your information evaluation with ThoughtSpot.

Clear up

Full the next steps to scrub up your assets:

1. Delete the IdP purposes that you simply created to combine with IAM Id Middle.
2. Delete the IAM Id Middle configuration.
3. Delete the Amazon Redshift utility and the Amazon Redshift provisioned cluster or serverless occasion that you simply created for testing.
4. Delete the IAM function and IAM coverage that you simply created for IAM Id Middle and Amazon Redshift integration.
5. Delete the permission set from IAM Id Middle that you simply created for Amazon Redshift Question Editor V2 within the administration account.
6. Delete the ThoughtSpot connection to combine with Amazon Redshift utilizing AWS IDC OAuth.

Conclusion

On this publish, we explored the right way to combine ThoughtSpot with Amazon Redshift utilizing IAM Id Middle. The method consisted of registering an OIDC utility, organising an IAM Id Middle TTI, and eventually configuring ThoughtSpot for IAM Id Middle authentication. This setup creates a strong and safe analytics setting that streamlines information entry for enterprise customers.

For extra steering and detailed documentation, check with the next key assets:

Concerning the authors

Maneesh Sharma is a Senior Database Engineer at AWS with greater than a decade of expertise designing and implementing large-scale information warehouse and analytics options. He collaborates with varied Amazon Redshift Companions and clients to drive higher integration.

BP Yau is a Sr Companion Options Architect at AWS. His function is to assist clients architect massive information options to course of information at scale. Earlier than AWS, he helped Amazon.com Provide Chain Optimization Applied sciences migrate its Oracle information warehouse to Amazon Redshift and construct its subsequent technology massive information analytics platform utilizing AWS applied sciences.

Ali Alladin is the Senior Director of Product Administration and Companion Options at ThoughtSpot. On this function, Ali oversees Cloud Engineering and Operations, guaranteeing seamless integration and optimum efficiency of ThoughtSpot’s cloud-based providers. Moreover, Ali spearheads the event of AI-powered options in augmented and embedded analytics, collaborating carefully with know-how companions to drive innovation and ship cutting-edge analytics capabilities. With a strong background in product administration and a eager understanding of AI applied sciences, Ali is devoted to pushing the boundaries of what’s potential within the analytics house, serving to organizations harness the total potential of their information.

Debu Panda is a Senior Supervisor, Product Administration at AWS. He’s an business chief in analytics, utility platform, and database applied sciences, and has greater than 25 years of expertise within the IT world.