Unable to make a JDBC connection to AWS Redshift using Azure AD/SAML

Suraj Padinjarute 1 Reputation point
2020-04-11T02:29:46.877+00:00

Hello Team,

I am configuring SAML connections using Azure AD to connect to AWS. I used the below doc to do the same.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial

It works from the console.

However, when I try to connect to the AWS resource using a JDBC client (SQL Workbench) it throws me the error below:

[JDBC Driver]SAML error: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx' named 'Amazon Web Services (AWS)'. Send an interactive authorization request for this user and resource. Trace ID: ffa472c9-7f1a-4efa-9e50-720d368b0000 Correlation ID: 42dce0a0-fb56-4a30-89c8-96b35e3b2776 Timestamp: 2020-04-11 02:26:10Z

I am the global admin of the account. I have given the admin consent to the enterprise application as well. Still getting the same error. I also followed the below doc to know more on the admin consent stuff.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

Any help is deeply appreciated.

I am using the RedshiftJDBC42-1.2.41.1065.jar driver.


1 answer

  1. JamesTran-MSFT 36,461 Reputation points Microsoft Employee
    2020-06-25T21:21:37.483+00:00

    If this is a registered application, you can have an admin consent to the app.

    Go to Azure Active Directory within the Azure portal.

    • Go to Application registrations.
    • Select the Application based on the App-Id.
    • Go to Required permissions (or API permissions).
    • Click Grant permissions.

    If this is not an application registered within the organization tenant and this is a third-party app, have the admin try the consent URL:
    https://login.microsoftonline.com/{tenant-id}/oauth2/authorize?client_id={app-id}&redirect_uri={redirect-uri}&response_type=code&prompt=admin_consent

    Example:
    https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize?client_id=b0540121-bbe2-462d-8bba-81f79f961a53&redirect_uri="https://app.contoso.com/callback"&response_type=code&prompt=admin_consent

    I hope this helps!


    If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.
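As an added example (not part of the question or the answer above), the following Python helpers cover both sides of this thread: parsing the AADSTS65001 message the JDBC driver returned so the error code, app id and trace/correlation ids can be logged or put in a support ticket, and building the admin-consent URL from the answer with the redirect URI percent-encoded rather than quoted. The sample error string is constructed from the one in the question; the tenant, app id and redirect URI values are assumptions taken from the answer's example.

```python
import re
from urllib.parse import urlencode, quote

# Constructed sample: the AADSTS65001 message as reported in the question above.
SAMPLE_ERROR = (
    "[JDBC Driver]SAML error: invalid_grant: AADSTS65001: The user or administrator "
    "has not consented to use the application with ID 'xxxxxxxx' named "
    "'Amazon Web Services (AWS)'. Send an interactive authorization request for this "
    "user and resource. Trace ID: ffa472c9-7f1a-4efa-9e50-720d368b0000 "
    "Correlation ID: 42dce0a0-fb56-4a30-89c8-96b35e3b2776 Timestamp: 2020-04-11 02:26:10Z"
)

# Layout of an AADSTS error: "<oauth error>: AADSTS<code>: <description> Trace ID: ... Correlation ID: ... Timestamp: ..."
_AADSTS_RE = re.compile(
    r"(?P<grant_error>\w+): (?P<code>AADSTS\d+): (?P<description>.*?)"
    r"\s*Trace ID: (?P<trace_id>[0-9a-f-]{36})"
    r"\s*Correlation ID: (?P<correlation_id>[0-9a-f-]{36})"
    r"\s*Timestamp: (?P<timestamp>\S+ \S+)",
    re.DOTALL,
)
_APP_RE = re.compile(r"application with ID '(?P<app_id>[^']*)' named '(?P<app_name>[^']*)'")


def parse_aadsts_error(message):
    """Extract the fields of an AADSTS error string; returns None if the
    message is not in the AADSTS layout."""
    m = _AADSTS_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    # AADSTS65001 names the application the user has not consented to.
    app = _APP_RE.search(fields["description"])
    fields["app_id"] = app.group("app_id") if app else None
    fields["app_name"] = app.group("app_name") if app else None
    return fields


def admin_consent_url(tenant, app_id, redirect_uri):
    """Build the v1 admin-consent URL shown in the answer. The redirect URI is
    percent-encoded by urlencode; it must not be wrapped in quote characters."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "prompt": "admin_consent",
    }
    return (
        f"https://login.microsoftonline.com/{quote(tenant, safe='')}/oauth2/authorize?"
        + urlencode(params)
    )
```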