Combine ThoughtSpot with Amazon Redshift utilizing AWS IAM Identification Heart

Amazon Redshift is a quick, scalable, and totally managed cloud knowledge warehouse that lets you course of and run your complicated SQL analytics workloads on structured and semi-structured knowledge. Tens of 1000’s of shoppers use Amazon Redshift to course of giant quantities of information, modernize their knowledge analytics workloads, and supply insights for his or her enterprise customers.

The mix of Amazon Redshift and ThoughtSpot’s AI-powered analytics service allows organizations to remodel their uncooked knowledge into actionable insights with unprecedented pace and effectivity. Via this collaboration, Amazon Redshift now helps AWS IAM Identification Heart integration with ThoughtSpot, enabling seamless and safe knowledge entry with streamlined authentication and authorization workflows. This single sign-on (SSO) integration is out there throughout ThoughtSpot’s cloud panorama and can be utilized for each embedded and standalone analytics implementations.

Previous to the IAM Identification Heart integration, ThoughtSpot customers didn’t have native connectivity to combine Amazon Redshift with their id suppliers (IdPs), which may present unified governance and id propagation throughout a number of AWS companies like AWS Lake Formation and Amazon Easy Storage Service (Amazon S3).

Now, ThoughtSpot customers can natively connect with Amazon Redshift utilizing the IAM Identification Heart integration, which streamlines knowledge analytics entry administration whereas sustaining strong safety. By configuring Amazon Redshift as an AWS managed software, organizations profit from SSO capabilities with trusted id propagation and a trusted token issuer (TTI). The IAM Identification Heart integration with Amazon Redshift supplies centralized person administration, routinely synchronizing entry permissions with organizational adjustments—whether or not staff be part of, transition roles, or depart the group. The answer makes use of Amazon Redshift role-based entry management options that align with IdP teams synced in IAM Identification Heart. Organizations can additional improve their safety posture through the use of Lake Formation to outline granular entry management permissions on catalog sources for IdP identities. From a compliance and safety standpoint, the mixing gives complete audit trails by logging end-user identities each in Amazon Redshift and AWS CloudTrail, offering visibility into knowledge entry patterns and person actions.

Dime Dimovski, a Knowledge Warehousing Architect at Merck, shares:

“The latest integration of Amazon Redshift with our id entry administration middle will considerably improve our knowledge entry administration as a result of we will propagate person identities throughout varied instruments. By utilizing OAuth authentication from ThoughtSpot to Amazon Redshift, we are going to profit from a seamless single sign-on expertise—giving us granular entry controls in addition to the safety and effectivity we’d like.”

On this publish, we stroll you thru the method of organising ThoughtSpot integration with Amazon Redshift utilizing IAM Identification Heart authentication. The answer supplies a safe, streamlined analytics surroundings that empowers your crew to deal with what issues most: discovering and sharing beneficial enterprise insights.

Answer overview

The next diagram illustrates the structure of the ThoughtSpot SSO integration with Amazon Redshift, IAM Identification Heart, and your IdP.

The answer consists of the next steps:

1. The person configures ThoughtSpot to entry Amazon Redshift utilizing IAM Identification Heart.
2. When a person makes an attempt to check in, ThoughtSpot initiates a browser-based OAuth movement and redirects the person to their most well-liked IdP (equivalent to Okta or Microsoft EntraID) sign-in web page to enter their credentials.
3. Following profitable authentication, IdP points authentication tokens (ID and entry token) to ThoughtSpot.
4. The Amazon Redshift driver then makes a name to the Amazon Redshift enabled AWS Identification Heart software and forwards the entry token.
5. Amazon Redshift passes the token to IAM Identification Heart for validation.
6. IAM Identification Heart first validates the token utilizing the OpenID Join (OIDC) discovery connection to the TTI and returns an IAM Identification Heart generated entry token for a similar person. The TTI lets you use trusted id propagation with functions that authenticate outdoors of AWS. Within the previous determine, the IdP authorization server is the TTI.
7. Amazon Redshift makes use of IAM Identification Heart APIs to acquire the person and group membership info from AWS Identification Heart.
8. The ThoughtSpot person can now join with Amazon Redshift and entry knowledge based mostly on the person and group membership returned from IAM Identification Heart.

On this publish, you’ll use the next steps to construct the answer:

1. Arrange an OIDC software.
2. Arrange a TTI in IAM Identification Heart.
3. Arrange shopper connections and TTIs in Amazon Redshift.
4. Federate to Amazon Redshift from ThoughtSpot utilizing IAM Identification Heart.

Conditions

Earlier than you start implementing the answer, you need to have the next in place:

Arrange an OIDC software

On this part, we’ll present you the step-by-step course of to arrange an OIDC software utilizing each Okta and EntraID because the id suppliers.

Arrange an Okta OIDC software

Full the next steps to arrange an Okta OIDC software:

1. Check in to your Okta group as a person with administrative privileges.
2. On the admin console, beneath Functions within the navigation pane, select Functions.
3. Select Create App Integration.
4. Choose OIDC – OpenID Join for Signal-in technique and Internet Software for Software sort.
5. Select Subsequent.
   
6. On the Common tab, present the next info:
   1. For App integration identify, enter a reputation to your app integration. For instance, ThoughtSpot_Redshift_App.
   2. For Grant sort, choose Authorization Code and Refresh Token.
   3. For Signal-in redirect URIs, select Add URI and together with the default URI, add the URI https:///callosum/v1/connection/generateTokens. The sign-in redirect URI is the place Okta sends the authentication response and ID token for the sign-in request. The URIs should be absolute URIs.
   4. For Signal-out redirect URIs, hold the default worth as http://localhost:8080.
   5. Skip the Trusted Origins part and for Assignments, choose Skip group project for now.
   6. Select Save.
7. Select the Assignments tab after which select Assign to Teams. On this instance, we’re assigning awssso-finance and awssso-sales.
8. Select Finished.
   
   

Arrange an EntraID OIDC software

To create your EntraID software, comply with these steps:

1. Check in to the Microsoft Entra admin middle as Cloud Software Administrator (or greater stage of entry).
2. Browse to App registrations beneath Handle, and select New registration.
3. Enter a reputation for the applying. For instance, ThoughtSpot-OIDC-App.
4. Choose a supported account sort, which determines who can use the applying. For this instance, choose the primary choice within the listing.
5. Beneath Redirect URI, select Internet for the kind of software you need to create. Enter the URI the place the entry token is distributed to. Your redirect URL shall be within the format https:///callosum/v1/connection/generateTokens.
6. Select Register.
   
7. Within the navigation pane, select Certificates & secrets and techniques.
8. Select New shopper secret.
9. Enter an outline and choose an expiration for the key or specify a customized lifetime. For this instance, hold the Microsoft really useful default expiration worth of 6 months.
10. Select Add.
11. Copy the key worth.

The key worth will solely be offered one time; after you could’t learn it. Make sure that to repeat it now. For those who fail to reserve it, you need to generate a brand new shopper secret.

12. Within the navigation pane, beneath Handle, select Expose an API.

For those who’re organising for the primary time, you possibly can see Add to the fitting of the applying ID URI.

13. Select Save.
14. After the applying ID URI is ready up, select Add a scope.
15. For Scope identify, enter a reputation. For instance, redshift_login.
16. For Admin consent show identify, enter a show identify. For instance, redshift_login.
17. For Admin consent description, enter an outline of the scope.
18. Select Add scope.
    
19. Within the navigation pane, select API permissions.
20. Select Add a permission and select Microsoft Graph.
21. Select Delegated Permission.
22. Beneath OpenId permissions, select e-mail, offlines_access, openid, and profile, and select Add permissions.
    

Arrange a TTI in IAM Identification Heart

Assuming you might have accomplished the stipulations, you’ll set up your IdP as a TTI in your delegated administration account. To create a TTI, confer with How you can add a trusted token issuer to the IAM Identification Heart console. On this publish, we stroll by means of the steps to arrange a TTI for each Okta and EntraID.

Arrange a TTI for Okta

To get the issuer URL from Okta, full the next steps:

1. Check in as an admin to Okta and navigate to Safety after which to API.
2. Select Default on the Authorization Servers tab and replica the Issuer
   url.
   
3. Within the Map attributes part, select which IdP attributes correspond to Identification Heart attributes. For instance, within the following screenshot, we mapped Okta’s Topic attribute to the E mail attribute in IAM Identification Heart.
4. Select Create trusted token issuer.
   

Arrange a TTI for EntraID

Full the next steps to arrange a TTI for EntraID:

1. To search out out which token your software is utilizing, beneath Handle, select Manifest.
2. Find the accessTokenAcceptedVersion parameter: null or 1 point out v1.0 tokens, and 2 signifies v2.0 tokens.
   
   

Subsequent, you should discover the tenant ID worth from EntraID.

3. Go to the EntraID software, select Overview, and a brand new web page will seem containing the Necessities
4. You could find the tenant ID worth as proven within the following screenshot. For those who’re utilizing the v1.0 token, the issuer URL shall be https://sts.home windows.internet//. For those who’re utilizing the v2.0 token, the issuer URL shall be https://login.microsoftonline.com//v2.0.
   
5. For Map attributes, the next instance makes use of Different, the place we’re specifying the person principal identify (upn) because the IdP attribute to map with E mail from the IAM id Heart attribute.
6. Select Create trusted token issuer.
   

Arrange shopper connections and TTIs in Amazon Redshift

On this step, you configure the Amazon Redshift functions that change externally generated tokens to make use of the TTI you created within the earlier step. Additionally, the viewers declare (or aud declare) out of your IdP should be specified. You might want to gather the viewers worth from the respective IdP.

Purchase the viewers worth from Okta

To accumulate the viewers worth from Okta, full the next steps:

1. Check in as an admin to Okta and navigate to Safety after which to API.
2. Select Default on the Authorization Servers tab and replica the Viewers worth.
   

Purchase the viewers worth from EntraID

Equally, to get the viewers worth EntraID, full the next steps:

1. Go to the EntraID software, select Overview, and a brand new web page will seem containing the Necessities
2. You could find the viewers worth (Software ID URI) as proven within the following screenshot.
   

Configure the applying

After you gather the viewers worth from the respective IdP, you should configure the Amazon Redshift software within the member account the place the Amazon Redshift cluster or serverless occasion exists.

1. Select IAM Identification Heart connection within the navigation pane on the Amazon Redshift console.
2. Select the Amazon Redshift software that you just created as a part of the stipulations.
3. Select the Shopper connections tab and select Edit.
4. Select Sure beneath Configure shopper connections that use third-party IdPs.
5. Choose the verify field for Trusted token issuer that you just created within the earlier part.
6. For Aud declare, enter the viewers declare worth beneath Configure chosen trusted token issuers.
7. Select Save.

Your IAM Identification Heart, Amazon Redshift, and IdP configuration is full. Subsequent, you should configure ThoughtSpot.

Federate to Amazon Redshift from ThoughtSpot utilizing IAM Identification Heart

Full the next steps in ThoughtSpot to federate with Amazon Redshift utilizing IAM Identification Heart authentication:

1. Check in to ThoughtSpot cloud.
2. Select Knowledge within the high navigation bar.
3. Open the Connections tab within the navigation pane, and choose the Redshift

Alternatively, you possibly can select Create new within the navigation pane, select Connection, and choose the Redshift tile.

4. Create a reputation to your connection and an outline (elective), then select Proceed.
5. Beneath Authentication Kind, select AWS IDC OAuth and enter following particulars:
   1. For Host, enter the Redshift endpoint. For instance, test-cluster.ab6yejheyhgf.us-east-1.redshift.amazonaws.com.
   2. For Port, enter 5439.
   3. For OAuth Shopper ID, enter the shopper ID from the IdP OIDC software.
   4. For OAuth Shopper Secret, enter the shopper secret from the IdP OIDC software.
   5. For Scope, enter the scope from the IdP software:
      • For Okta, use openid offline_access openid profile. You should utilize the Okta scope values shared earlier as is on ThoughtSpot. You’ll be able to modify the scope in accordance with your necessities.
      • For EntraID, use the API scope and API permissions. For instance, api://1230a234-b456-7890-99c9-a12345bcc123/redshift_login offline_access.
   6. For API scope worth, go to the OIDC software, and beneath Handle, select Expose an API to amass the worth.
   7. For API permissions, go to the OIDC software, and beneath Handle, select API permissions to amass the permissions.
   8. For Auth Url, enter the authorization endpoint URI:
      • For Okta use https:// /oauth2/default/v1/authorize. For instance, https://prod-1234567.okta.com/oauth2/default/v1/authorize.
      • For EntraID, use https://login.microsoftonline.com//oauth2/v2.0/authorize. For instance, https://login.microsoftonline.com/e12a1ab3-1234-12ab-12b3-1a5012221d12/oauth2/v2.0/authorize.
   9. For Entry token Url, enter the token endpoint URI:
      • For Okta, use https:///oauth2/default/v1/token. For instance, https://prod-1234567.okta.com/oauth2/default/v1/token.
      • For EntraID, use https://login.microsoftonline.com//oauth2/v2.0/token. For instance, https://login.microsoftonline.com/e12a1ab3-1234-12ab-12b3-1a5012221d12/oauth2/v2.0/token.
   10. For AWS Identification Namespace, enter the namespace configured in your Amazon Redshift IAM Identification Heart software. The default worth is AWSIDC except beforehand personalized. For this instance, we use awsidc.
   11. For Database, enter the database identify you need to join. For instance, dev.
6. Select Proceed.
7. Enter your IdP person credentials within the browser pop-up window.

The next screenshot illustrates the ThoughtSpot integration with Amazon Redshift utilizing Okta because the IdP.

The next screenshot reveals the ThoughtSpot integration with Amazon Redshift utilizing EntraID because the IdP.

Upon a profitable authentication, you can be redirected again to ThoughtSpot and logged in as an IAM Identification Heart authenticated person.

Congratulations! You’ve logged in by means of IAM Identification Heart and Amazon Redshift, and also you’re able to dive into your knowledge evaluation with ThoughtSpot.

Clear up

Full the next steps to wash up your sources:

1. Delete the IdP functions that you just created to combine with IAM Identification Heart.
2. Delete the IAM Identification Heart configuration.
3. Delete the Amazon Redshift software and the Amazon Redshift provisioned cluster or serverless occasion that you just created for testing.
4. Delete the IAM function and IAM coverage that you just created for IAM Identification Heart and Amazon Redshift integration.
5. Delete the permission set from IAM Identification Heart that you just created for Amazon Redshift Question Editor V2 within the administration account.
6. Delete the ThoughtSpot connection to combine with Amazon Redshift utilizing AWS IDC OAuth.

Conclusion

On this publish, we explored tips on how to combine ThoughtSpot with Amazon Redshift utilizing IAM Identification Heart. The method consisted of registering an OIDC software, organising an IAM Identification Heart TTI, and at last configuring ThoughtSpot for IAM Identification Heart authentication. This setup creates a sturdy and safe analytics surroundings that streamlines knowledge entry for enterprise customers.

For added steering and detailed documentation, confer with the next key sources:

Concerning the authors

Maneesh Sharma is a Senior Database Engineer at AWS with greater than a decade of expertise designing and implementing large-scale knowledge warehouse and analytics options. He collaborates with varied Amazon Redshift Companions and clients to drive higher integration.

BP Yau is a Sr Companion Options Architect at AWS. His function is to assist clients architect huge knowledge options to course of knowledge at scale. Earlier than AWS, he helped Amazon.com Provide Chain Optimization Applied sciences migrate its Oracle knowledge warehouse to Amazon Redshift and construct its subsequent era huge knowledge analytics platform utilizing AWS applied sciences.

Ali Alladin is the Senior Director of Product Administration and Companion Options at ThoughtSpot. On this function, Ali oversees Cloud Engineering and Operations, making certain seamless integration and optimum efficiency of ThoughtSpot’s cloud-based companies. Moreover, Ali spearheads the event of AI-powered options in augmented and embedded analytics, collaborating intently with expertise companions to drive innovation and ship cutting-edge analytics capabilities. With a sturdy background in product administration and a eager understanding of AI applied sciences, Ali is devoted to pushing the boundaries of what’s potential within the analytics area, serving to organizations harness the complete potential of their knowledge.

Debu Panda is a Senior Supervisor, Product Administration at AWS. He’s an trade chief in analytics, software platform, and database applied sciences, and has greater than 25 years of expertise within the IT world.