Microsoft Entra ID authentication

The driver supports Microsoft Entra ID (Entra ID) authentication (formerly known as Azure Active Directory authentication). Entra ID authentication is an alternative to PostgreSQL authentication that allows administrators to centrally manage user permissions to their data stores. The driver supports the following methods of Entra ID authentication:

• User and password authentication: The driver authenticates using your Entra ID user name and password.

• Service principal authentication: The driver authenticates using the object (principal) ID of the logical server and the client secret of your Azure application.

When Entra ID authentication is enabled (AuthenticationMethod=13 | 36), the driver enables TLS/SSL encryption (EncryptionMethod=1) for the connection. Any value specified for the Encryption Method option is ignored when using Entra ID authentication.

User and password authentication

To use user and password authentication with Entra ID:

• Specify values for minimum required options for establishing a connection:
  • Set the Host Name (HostName) option to specify either the IP address in IPv4 or IPv6 format, or the server name for your Azure server. For example, my_server.postgres.database.azure.com.
  • Set the Port Number (PortNumber) option to specify the TCP port of the primary database server that is listening for connections to the database.
  • Set Database (Database) option to specify the name of the database to which you want to connect.
  • If using data sources, set the Data Source Name (DataSourceName) to specify the name of your data source.
• Set the Authentication Method (AuthenticationMethod) option to 13 (Entra ID Password).
• Set the Azure Tenant ID (AzureTenantID) option to specify the Azure Tenant ID associated with your PostgreSQL server.
• Set the User Name (LogonID) option to specify your Entra ID username using the userid@domain.com format.
• Set the Password (Password) option to specify your Entra ID password.
• Optionally, set the Trust Store (Truststore) connection option to specify the absolute path of the digital certificate file for the root CA certificates. The driver requires these certificates to maintain a secure connection.
• Optionally, set the Host Name In Certificate (HostNameInCertificate) option to specify the host name for TLS/SSL certificate validation. For example, *.postgres.database.azure.com.

For example, the following is a DSN-less connection string with only the required options for making a connection using Entra ID authentication with user name and password:

DRIVER=DataDirect 8.0 PostgreSQL Wire Protocol;AuthenticationMethod=13;
AzureTenantID=1234-abcd-5678-efgh;Database=MyDB;
HostName=myserver.postgres.database.azure.com;PortNumber=1433;
LogonID=test@domain.com;Password=secret;

The following example demonstrates a data source definition in the odbc.ini file with only the required options for making a connection using Entra ID authentication with user name and password:

[PostgreSQL Wire Protocol]
Driver=ODBCHOME/lib/xxpsql28.yy
...
AuthenticationMethod=13
...
AzureTenantID=1234-abcd-5678-efgh
...
Database=MyDB
...
HostName=myserver.postgres.database.azure.com
...
LogonID=test@domain.com
...
Password=secret
...
PortNumber=1433
...
ValidateServerCertificate=1
...

DRIVER={DataDirect 8.0 PostgreSQL Wire Protocol};AuthenticationMethod=36;
AzureTenantID=1234-abcd-5678-efghDatabase=MyDB;
HostName=myserver.postgres.database.azure.com;PortNumber=1433;
LogonID=1234abcd-1234-abcd-1234-abcd1234abcd;
Password=ABcdEFg/hiJkLmNOPqR01stUvWxyzYx2wvUTsrQpO=;

[PostgreSQL Wire Protocol]
Driver=ODBCHOME/lib/ivpsql28.so
Description=DataDirect 8.0 PostgreSQL Wire Protocol
...
AuthenticationMethod=36
...

...
Database=MyDB
...
HostName=myserver.postgres.database.azure.com
...
LogonID=789f8b4c-7a4a-445d-6oe9-7bec14625645
...
Password=ABcdEFg/hiJkLmNOPqR01stUvWxyzYx2wvUTsrQpO=
...
PortNumber=1433
...