将亚马逊红移和思想点结合起来，将您的原始数据转换为可行的见解

Amazon Redshift和Thoughtspot的AI驱动分析服务的这种结合使组织能够将其原始数据转换为可行的见解

This post shows how to integrate ThoughtSpot with Amazon Redshift using the IAM Identity Center authentication. The combination of Amazon Redshift and ThoughtSpot’s AI-powered analytics service enables organizations to transform their raw data into actionable insights with unprecedented speed and efficiency.

这篇文章展示了如何使用IAM身份中心身份验证将思想点与Amazon Redshift集成。 Amazon Redshift和Thoughtspot的AI驱动分析服务的结合使组织能够以前所未有的速度和效率将其原始数据转换为可行的见解。

Tens of thousands of customers use Amazon Redshift to process large amounts of data, modernize their data analytics workloads, and provide insights for their business users.

成千上万的客户使用Amazon Redshift处理大量数据，使其数据分析工作负载现代化并为其业务用户提供见解。

To streamline this integration even further, Amazon Redshift now supports AWS IAM Identity Center integration with ThoughtSpot. This single sign-on (SSO) integration spans ThoughtSpot’s entire cloud landscape and can be used for both embedded and standalone analytics implementations.

为了进一步简化这种集成，Amazon Redshift现在支持AWS IAM身份中心与Thoughtspot的集成。这个单个登录（SSO）集成跨越了思想点的整个云景观，可用于嵌入式和独立的分析实现。

Prior to the IAM Identity Center integration, ThoughtSpot users didn’t have native connectivity to integrate Amazon Redshift with their identity providers (IdPs), which can provide unified governance and identity propagation across multiple AWS services like AWS Lake Formation and Amazon Simple Storage Service (Amazon S3).

在进行IAM身份中心集成之前，ThoughtSpot用户没有本机连接性可以将Amazon RedShift与其身份提供商（IDP）集成在一起，该公司可以在AWS Lake Formation和Amazon Simple Storage Service等多个AWS服务中提供统一的治理和身份传播（Amazon S3）。

Now, ThoughtSpot users can natively connect to Amazon Redshift using the IAM Identity Center integration, which streamlines data analytics access management while maintaining robust security. By configuring Amazon Redshift as an AWS managed application, organizations benefit from SSO capabilities with trusted identity propagation and a trusted token issuer (TTI). The IAM Identity Center integration with Amazon Redshift provides centralized user management, automatically synchronizing access permissions with organizational changes—whether employees join, transition roles, or leave the organization. The solution uses Amazon Redshift role-based access control features that align with IdP groups synced in IAM Identity Center. Organizations can further enhance their security posture by using Lake Formation to define granular access control permissions on catalog resources for IdP identities. From a compliance and security standpoint, the integration offers comprehensive audit trails by logging end-user identities both in Amazon Redshift and AWS CloudTrail, providing visibility into data access patterns and user activities.

现在，ThoughtSpot用户可以使用IAM身份中心集成将其内在连接到Amazon Redshift，该集成简化了数据分析访问管理，同时保持了强大的安全性。通过将Amazon Redshift配置为AWS托管应用程序，组织从具有可信赖的身份传播和受信任的令牌发行人（TTI）的SSO功能中受益。 IAM身份中心与Amazon RedShift的集成提供集中式的用户管理，自动将访问权限与组织变更同步 - 员工是否加入，过渡角色或离开组织。该解决方案使用基于Amazon Redshift角色的访问控制功能，该功能与IAM身份中心同步的IDP组对齐。组织可以通过使用湖泊组来定义IDP身份目录资源上的颗粒状访问控制权限，从而进一步增强其安全姿势。从合规性和安全的角度来看，集成通过在Amazon Redshift和AWS CloudTrail中记录最终用户身份来提供全面的审计跟踪，从而为数据访问模式和用户活动提供了可见性。

Dime Dimovski, a Data Warehousing Architect at Merck, shares:

默克公司的数据仓库建筑师Dime Dimovski分享：

“The recent integration of Amazon Redshift with our identity access management center will significantly enhance our data access management because we can propagate user identities across various tools. By using OAuth authentication from ThoughtSpot to Amazon Redshift, we will benefit from a seamless single sign-on experience—giving us granular access controls as well as the security and efficiency we need.”

“亚马逊红移与我们的身份访问管理中心的最新集成将显着增强我们的数据访问管理，因为我们可以在各种工具上传播用户身份。通过使用从思想点到亚马逊红移的Oauth身份验证，我们将从无缝的单个签名体验中受益，即美国粒状访问控制，以及我们需要的安全和效率。”

In this post, we walk you through the process of setting up ThoughtSpot integration with Amazon Redshift using IAM Identity Center authentication. The solution provides a secure, streamlined analytics environment that empowers your team to focus on what matters most: discovering and sharing valuable business insights.

在这篇文章中，我们将使用IAM身份中心身份验证来介绍与Amazon Redshift建立思想点集成的过程。该解决方案提供了一个安全，简化的分析环境，使您的团队能够专注于最重要的事情：发现和共享有价值的业务见解。

Solution overview

解决方案概述

The following diagram illustrates the architecture of the ThoughtSpot SSO integration with Amazon Redshift, IAM Identity Center, and your IdP.

下图说明了与Amazon Redshift，IAM身份中心和您的IDP集成的思想点SSO集成的体系结构。

The solution includes the following steps:

解决方案包括以下步骤：

In this post, you will use the following steps to build the solution:

在这篇文章中，您将使用以下步骤来构建解决方案：

Prerequisites

先决条件

Before you begin implementing the solution, you must have the following in place:

在开始实施解决方案之前，您必须拥有以下内容：

Set up an OIDC application

设置OIDC应用程序

In this section, we’ll show you the step-by-step process to set up an OIDC application using both Okta and EntraID as the identity providers.

在本节中，我们将向您展示使用OKTA和Entraid作为身份提供者设置OIDC应用程序的分步过程。

Set up an Okta OIDC application

设置Okta OIDC应用程序

Complete the following steps to set up an Okta OIDC application:

完成以下步骤设置Okta OIDC应用程序：

Set up an EntraID OIDC application

设置Entraid OIDC应用程序

To create your EntraID application, follow these steps:

要创建您的入口应用程序，请遵循以下步骤：

The secret value will only be presented one time; after that you can’t read it. Make sure to copy it now. If you fail to save it, you must generate a new client secret.

秘密价值只会出现一次；之后，您无法阅读。确保立即复制。如果您无法保存它，则必须生成一个新的客户端秘密。

If you’re setting up for the first time, you can see Add to the right of the application ID URI.

如果您是第一次设置，则可以在应用程序ID URI的右侧添加。

Set up a TTI in IAM Identity Center

在IAM身份中心建立一个TTI

Assuming you have completed the prerequisites, you will establish your IdP as a TTI in your delegated administration account. To create a TTI, refer to How to add a trusted token issuer to the IAM Identity Center console. In this post, we walk through the steps to set up a TTI for both Okta and EntraID.

假设您已经完成了先决条件，则将您的IDP确定为授权管理帐户中的TTI。要创建TTI，请参阅如何将受信任的令牌发行人添加到IAM身份中心控制台。在这篇文章中，我们浏览步骤，为Okta和Entraid设置TTI。

Set up a TTI for Okta

为Okta设置TTI

To get the issuer URL from Okta, complete the following steps:

要从Okta获取发行人URL，请完成以下步骤：

Set up a TTI for EntraID

为入口设置TTI

Complete the following steps to set up a TTI for EntraID:

完成以下步骤，以设置进入tti的TTI：

Next, you need to find the tenant ID value from EntraID.

接下来，您需要从Entraid找到房客ID值。

Set up client connections and TTIs in Amazon Redshift

在Amazon RedShift中设置客户端连接和TTI

In this step, we configure the Amazon Redshift applications that exchange externally generated tokens to use the TTI you created in the previous step. Also, the audience claim (or aud claim) from your IdP must be specified. You need to collect the audience value from the respective IdP.

在此步骤中，我们配置了Amazon Redshift应用程序，这些应用程序交换外部生成的令牌以使用您在上一步中创建的TTI。另外，必须指定IDP的受众索赔（或AUD索赔）。您需要从相应的IDP收集受众价值。

Acquire the audience value from Okta

从Okta获取观众价值

To acquire the audience value from Okta, complete the following steps:

要从Okta获取受众价值，请完成以下步骤：

Acquire the audience value from EntraID

从Entraid获取观众价值

Similarly, to get the audience value EntraID, complete the following steps:

同样，要获得受众价值进入，请完成以下步骤：

Configure the application

配置应用程序

After you collect the audience value from the respective IdP, you need to configure the

从相应的IDP收集受众值后，您需要配置