Okta credentials - Amazon Athena

Okta credentials

A SAML-based authentication mechanism that enables authentication to Athena using the Okta identity provider. This method assumes that a federation has already been set up between Athena and Okta.

Credentials provider

The credentials provider that will be used to authenticate requests to Amazon. Set the value of this parameter to Okta.

| Parameter name | Alias | Parameter type | Default value | Value to use |
|---|---|---|---|---|
| CredentialsProvider | AWSCredentialsProviderClass (deprecated) | Required | none | Okta |

User

The email address of the Okta user to use for authentication with Okta.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| User | UID (deprecated) | Required | none |

Password

The password for the Okta user.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| Password | PWD (deprecated) | Required | none |

Okta host name

The URL for your Okta organization. You can extract the idp_host parameter from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The first segment after https://, up to and including okta.com, is your IdP host (for example, trial-1234567.okta.com for a URL that starts with https://trial-1234567.okta.com).

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| OktaHostName | IdP_Host (deprecated) | Required | none |

Okta application ID

The two-part identifier for your application. You can extract the application ID from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The application ID is the last two segments of the URL, including the forward slash in the middle. The segments are two 20-character strings with a mix of numbers and upper and lowercase letters (for example, Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4).

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| OktaAppId | App_ID (deprecated) | Required | none |
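
The extraction described for OktaHostName and OktaAppId above, as an added example that is not part of the AWS documentation or the driver: a Python helper that derives both values from an Embed Link URL and rejects URLs that do not match the described shape. The function name and the `/home/example_app/` part of the sample URL are assumptions; the okta.com suffix check follows the host form this page describes.

```python
import re
from urllib.parse import urlsplit

# Per the page: the app ID is two 20-character segments of digits and
# upper/lowercase letters, joined by a forward slash.
_APP_ID_PART = re.compile(r"[A-Za-z0-9]{20}")


def okta_params_from_embed_link(embed_link: str) -> dict:
    """Derive OktaHostName and OktaAppId from an Okta Embed Link URL.

    Raises ValueError when the URL does not match the shape the page describes.
    """
    parts = urlsplit(embed_link.strip())
    if parts.scheme != "https":
        raise ValueError("Embed Link must start with https://")
    # urlsplit().hostname excludes userinfo and port and lowercases the host,
    # so "https://x.okta.com@other.example/..." yields "other.example".
    host = parts.hostname or ""
    if parts.username or parts.password or parts.port:
        raise ValueError("unexpected userinfo or port in Embed Link")
    if not host.endswith(".okta.com"):
        raise ValueError(f"host {host!r} does not end in okta.com")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("Embed Link path has fewer than two segments")
    first, second = segments[-2:]
    if not (_APP_ID_PART.fullmatch(first) and _APP_ID_PART.fullmatch(second)):
        raise ValueError("last two path segments are not 20-character IDs")
    return {"OktaHostName": host, "OktaAppId": f"{first}/{second}"}


if __name__ == "__main__":
    # Constructed sample; the "/home/example_app/" part is a placeholder.
    sample = ("https://trial-1234567.okta.com/home/example_app/"
              "Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4")
    print(okta_params_from_embed_link(sample))
```

Checking the host before it goes into the connection settings keeps a mistyped or pasted-in look-alike URL from becoming the endpoint that receives the Okta user name and password.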

Okta application name

The name of your Okta application.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| OktaAppName | App_Name (deprecated) | Required | none |

Okta MFA type

If you have set up Okta to require multi-factor authentication (MFA), you need to specify the Okta MFA type and additional parameters depending on the second factor that you want to use.

Okta MFA type is the second authentication factor type (after the password) to use to authenticate with Okta. Supported second factors include push notifications delivered through the Okta Verify app and temporary one-time passwords (TOTPs) generated by Okta Verify, Google Authenticator, or sent through SMS. Individual organization security policies determine whether or not MFA is required for user login.

| Parameter name | Alias | Parameter type | Default value | Possible values |
|---|---|---|---|---|
| OktaMfaType | okta_mfa_type (deprecated) | Required, if Okta is set up to require MFA | none | oktaverifywithpush, oktaverifywithtotp, googleauthenticator, smsauthentication |

Okta phone number

The phone number to which Okta will send a temporary one-time password using SMS when the smsauthentication MFA type is chosen. The phone number must be a US or Canadian phone number.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| OktaPhoneNumber | okta_phone_number (deprecated) | Required, if OktaMfaType is smsauthentication | none |

Okta MFA wait time

The duration, in seconds, to wait for the user to acknowledge a push notification from Okta before the driver throws a timeout exception.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| OktaMfaWaitTime | okta_mfa_wait_time (deprecated) | Optional | 60 |

Preferred role

The Amazon Resource Name (ARN) of the role to assume. For information about ARN roles, see AssumeRole in the Amazon Security Token Service API Reference.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| PreferredRole | preferred_role (deprecated) | Optional | none |

Role session duration

The duration, in seconds, of the role session. For more information, see AssumeRole in the Amazon Security Token Service API Reference.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| RoleSessionDuration | Duration (deprecated) | Optional | 3600 |

Lake Formation enabled

Specifies whether to use the AssumeDecoratedRoleWithSAML Lake Formation API action to retrieve temporary IAM credentials instead of the AssumeRoleWithSAML Amazon STS API action.

| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| LakeFormationEnabled | none | Optional | FALSE |